Bugtraq mailing list archives
SunOS exploit.
From: blind () SEDATED NET (Trevor Linton)
Date: Sun, 18 May 1997 13:36:00 +0000
On SunOS, if you execute a clean bash shell then type `export USER="root"`, then `USER=$LOGNAME`, then execute `chsh root` or `chfn root`, you can change the root information. Why? Well, first off chsh and chfn are +s'ed. This is a bad idea in the first place. Second off, chsh and chfn use the function getenv("USER"); most programs bother to use this instead of geteuid(). getenv("USER") reports that the user is root (while geteuid() would report the real userid), and then since chsh and/or chfn is +s'ed it'll change root's shell user information, or ANYONE on the system's information! On the SunOS system I have, I've been able to lock out ANYONE's shell using this exploit, and lock out root's shell as well as change anyone's NAME info in /etc/passwd etc., etc. Any program that uses getenv("USER") is vulnerable (that's in bash). tcsh and some other shells I remember don't allow USER and LOGNAME modifying. :\

Anyways, here's a rough patch:

1) -s the programs that use getenv(), such as chsh and chfn
2) remove getenv() and replace it with geteuid()
3) possibly get the programmers of bash to fix it so USER and LOGNAME can't be modified unless it's super-user.

I'm sure there's a way to get root from this exploit butta.. :) oh well.

Trevor Linton (blind) - blind () sedated net
support () hax0r org
Swingin' Utters. a juvenile product of the working class.
"People who are having trouble communicating should just shuttup"
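The pattern the post describes, as an added example that is not part of the original post or of the SunOS chsh/chfn sources: a set-uid program that derives the caller's identity from getenv("USER") beside one that derives it from the real uid the kernel recorded at exec time. The hardened path uses getuid() rather than geteuid(), because in a set-uid-root binary the effective uid is already 0 and would not identify the caller either. The passwd table, the user names and the uids are constructed in memory so the example runs offline; a real implementation would call getpwuid()/getpwnam().

```c
/* Added example: identity from $USER (forgeable) versus identity from
 * the kernel's real uid (not forgeable). Not code from the original post. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

struct pw_entry { const char *name; uid_t uid; };

/* Constructed stand-in for /etc/passwd; names and uids are assumptions. */
static const struct pw_entry fake_passwd[] = {
    { "root",  0    },
    { "blind", 1001 },
    { "alice", 1002 },
};

static const struct pw_entry *lookup_name(const char *name) {
    size_t i;
    for (i = 0; i < sizeof fake_passwd / sizeof fake_passwd[0]; i++)
        if (strcmp(fake_passwd[i].name, name) == 0)
            return &fake_passwd[i];
    return NULL;
}

static const struct pw_entry *lookup_uid(uid_t uid) {
    size_t i;
    for (i = 0; i < sizeof fake_passwd / sizeof fake_passwd[0]; i++)
        if (fake_passwd[i].uid == uid)
            return &fake_passwd[i];
    return NULL;
}

/* Vulnerable resolver: the caller's identity is whatever string the
 * environment carries. Anyone invoking a set-uid binary controls its
 * environment, so `export USER=root` is enough to become root here.
 * Returns (uid_t)-1 when the name is unset or unknown. */
uid_t caller_uid_from_env(const char *user_env) {
    const struct pw_entry *pw = user_env ? lookup_name(user_env) : NULL;
    return pw ? pw->uid : (uid_t)-1;
}

/* Authorisation shared by both paths: only root, or the account's owner,
 * may edit that account's passwd entry. Returns 1 if allowed, else 0. */
int may_modify_entry(uid_t caller_uid, const char *target_name) {
    const struct pw_entry *target = lookup_name(target_name);
    if (target == NULL || caller_uid == (uid_t)-1)
        return 0;
    return caller_uid == 0 || caller_uid == target->uid;
}

/* The pattern the post describes: trust $USER. */
int vulnerable_check(const char *user_env, const char *target_name) {
    return may_modify_entry(caller_uid_from_env(user_env), target_name);
}

/* Hardened: trust only the real uid. Callers pass getuid(); set-uid
 * raises the effective uid but leaves the real uid as the invoker's. */
int hardened_check(uid_t real_uid, const char *target_name) {
    return may_modify_entry(real_uid, target_name);
}

int main(void) {
    /* Constructed scenario: unprivileged uid 1001 runs `chsh root`
     * with USER=root in its environment. */
    printf("vulnerable, USER=root -> chsh root: %s\n",
           vulnerable_check("root", "root") ? "ALLOWED" : "denied");
    printf("hardened, real uid 1001 -> chsh root: %s\n",
           hardened_check(1001, "root") ? "ALLOWED" : "denied");
    printf("hardened, real uid 1001 -> chsh blind: %s\n",
           hardened_check(1001, "blind") ? "ALLOWED" : "denied");

    /* With the real process uid: only meaningful if it is in the table. */
    const struct pw_entry *me = lookup_uid(getuid());
    printf("this process: real uid %ld (%s) -> chsh root: %s\n",
           (long)getuid(), me ? me->name : "not in constructed table",
           hardened_check(getuid(), "root") ? "ALLOWED" : "denied");
    return 0;
}
```

Note that the comparison is made against the real uid only; a program that instead compared against geteuid() would, when set-uid root, conclude that every caller is root. Dropping the set-uid bit (the post's step 1) removes the privilege, but the identity check must still come from the kernel rather than the environment, since the same getenv("USER") mistake in any other privileged program reproduces the bug.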
Current thread:
- Irix and WWW Yuri Volobuev (May 16)
- SunOS exploit. Trevor Linton (May 18)
- Re: SunOS exploit. Christopher X. Candreva (May 19)
- Re: SunOS exploit. Austin Schutz (May 19)
- Re: SunOS exploit. Daniel Reish (May 20)
- Re: SunOS exploit. Christopher X. Candreva (May 19)
- Re: Irix and WWW James Bonfield (May 19)
- Re: Irix and WWW Bill Paul (May 19)