Subject: Re: VULN-DEV Digest - 22 Mar 2000 to 23 Mar 2000 (#2000-61)
From: Devil Man (nekr0tek YAHOO.COM)
Date: Fri Mar 24 2000 - 18:53:49 CST
Would love to give it a try, but I am not a C or C++ programmer, just a lowly
shell programmer and maybe some Perl. Anyone want to give a better exploit? I'll
try it. It is important to me as I ADMIN over 100 redhat servers. We do not use
mail from the Linux console, so not a real big deal, but still interested.
You can e-mail me directly if worried about posting a full exploit to the list.
nekr0tek yahoo.com
>
> From what I can tell, jan is putting an executable into
> /var/mail/myusername that does:
>
> setgid(6);
> system("/bin/sh");
>
> and is setting it setgid, then redhat comes along and chgrp's it to
> group mail, which then can be executed to gain a shell that has
> mail-group access. Since I don't run RedHat here I couldn't try it, but
> the SuSE system I tried it on has all of the mailbox files' group set
> to the user's default group, so it obviously doesn't work. Any RedHat
> users want to give it a try?
>
> -HD
>
> http://www.secureaustin.com
>
>
> jan bakker wrote:
> >
> > hello fellow roots,
> >
> > one day I found that redhat 6.1 takes not only suid bits but also guid.
> >
> > you are owner of your mail file but it still belongs to the group mail
> >
> > so
> >
> > void(){
> > set suid bit to user;
> > set guid bit to 6;
> > }
> >
> > compile it and move it to
> >
> > /var/mail/user
> > chmod 4700 /var/mail/user
> > ...
> >
> > result:
> > reddog home$id
> > uid 300(me),gid 40(users)
> > reddog home$cd /var/mail
> > reddog home$me
> > reddog home$id
> > uid(300),gid 6(mail)
> >
> > now you can read other people's mail but,
> > 6 is lower than 15 so on some systems you can add new users !!!
> > even a root user !!!
> >
> > red
> >
> > p.s. it is noted very badly, this because else newbies and dipshits use it
> > on schools. The good guys get the picture.
>
=====
"I am not lost, I am merely exploring alternative destinations!"
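
For admins who want to check their own servers for the condition discussed in this thread, here is an added example (not part of the original message or of any poster's code) that audits a mail spool for files carrying setuid, setgid or execute bits. The function names are hypothetical and the `/var/mail` path is taken from the thread; mailbox files are data, so none of those bits belong on them.

```shell
#!/bin/sh
# Added example: audit a mail spool for mailbox files that are runnable
# or carry setuid/setgid bits. Function names are hypothetical.

# list_risky_mailboxes DIR
# Print the path of every regular file directly inside DIR that has the
# setuid bit, the setgid bit, or any execute bit (user, group or other).
list_risky_mailboxes() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    find "$dir" -maxdepth 1 -type f \
        \( -perm -4000 -o -perm -2000 \
           -o -perm -0100 -o -perm -0010 -o -perm -0001 \) -print
}

# count_risky_mailboxes DIR
# Print the number of findings as a bare integer.
count_risky_mailboxes() {
    list_risky_mailboxes "$1" | wc -l | tr -d ' '
}

# report_risky_mailboxes DIR
# Show mode, owner and group for each finding; return 0 only if clean.
report_risky_mailboxes() {
    list_risky_mailboxes "$1" | while IFS= read -r f; do
        ls -ld "$f"
    done
    [ "$(count_risky_mailboxes "$1")" -eq 0 ]
}

# Run against a spool only when a directory is passed on the command line,
# e.g.  sh audit_spool.sh /var/mail
if [ "$#" -gt 0 ]; then
    report_risky_mailboxes "$1"
fi
```

A finding can be cleared with `chmod 0660` (or `0600`) on the file; mounting the spool filesystem `nosuid,noexec` keeps such bits from having any effect even if they reappear.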