Penetration Testing mailing list archives
Re: solaris root-setuid script to gain root?
From: "Vitalik N." <robert.morris.jr () gmail com>
Date: Sun, 1 Jul 2007 15:53:39 +1000
On 7/1/07, Thomas Pollet <thomas.pollet () gmail com> wrote:
> Hello,
>
> On 30/06/07, Vitalik N. <robert.morris.jr () gmail com> wrote:
> > Hi
> >
> > I was doing pen testing the other day and I found one root suid script
> > left by some of the web developers:
> >
> > -rwsr-x--x 1 root users /home/web/c.cgi
> >
> > which is basically a bash script:
> >
> > ------ cut ------------
> > #!/bin/sh
> >
> > uname
> > ------ cut ------------
> >
> > And our system was recently compromised. Some local user was able to
> > gain root access. Could this script be the way of gaining root access?
> >
> > According to http://www.unix.com/tips-and-tutorials/36711-the-whole-story-on-usr-bin-ksh.html
> > "Because it was not possible to write a secure suid shell script, the concept
> > of suid shell scripts was removed from Unix." But then it says "Solaris now
> > supports suid shell" !
> > I tried modifying the PATH variable and creating my own "uname" program.
> > But my uname program runs with local user privs instead of root. I
> > also tried the
>
> did you put a setuid(0) in your uname program? f.i.:
>
> cat >uname.c<<EOF
> #include <unistd.h>
> int main (int argc, char **argv, char **envp)
> {
>     setuid(0);
>     setgid(0);
>     execve("/bin/sh",argv,envp);
> }
> EOF
>
> > other attack described in the link above: "link to -i" but this didn't
> > work either.
> > So could this script be the problem?
> >
> > P.S: The machine runs SunOS 5.6 with all updates
>
> Regards,
> Thomas Pollet
Yes, my uname program was exactly the same. But I used the execl call instead
of execve (I don't think that would make any difference). I also tried setting
the euid (seteuid(0)).

Using a bash script for the "uname" program didn't work either:

% cat uname
#!/bin/sh
touch /tmp/test
chown root /tmp/test

the script complains about privileges and can't execute chown.
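The finding that started this thread, a setuid-root interpreter script (/home/web/c.cgi) that calls uname by a bare name so the caller's PATH decides which binary runs, is the kind of thing an administrator wants to enumerate across a whole host rather than stumble on. The following audit script is an added example written for this page, not code from either poster: it walks a directory tree, lists every setuid or setgid regular file whose first two bytes are "#!" (an interpreter script), and for each one prints the command words that are not absolute paths. The keyword list in the awk filter is a heuristic, not a shell parser, and the directory in the usage line is a placeholder.

```shell
#!/bin/sh
# Added example (not from the thread): audit a tree for setuid/setgid
# interpreter scripts and report commands they call without an absolute path.

# find_suid_scripts DIR
#   Prints the path of every regular file under DIR that carries the setuid
#   or setgid bit and starts with "#!" (i.e. is run by an interpreter).
find_suid_scripts() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
    while IFS= read -r f; do
        if [ "$(head -c 2 "$f" 2>/dev/null)" = "#!" ]; then
            printf '%s\n' "$f"
        fi
    done
}

# unqualified_commands FILE
#   Prints "FILE:LINE: word" for each leading command word that is not an
#   absolute path. Comments, blank lines, variable assignments and common
#   shell keywords are skipped (heuristic, not a full shell parser).
unqualified_commands() {
    awk '
        /^[[:space:]]*#/ { next }          # comment (the #! line included)
        NF == 0          { next }          # blank line
        {
            w = $1
            if (w ~ /^\//) next            # absolute path: PATH is not consulted
            if (w ~ /=/)   next            # assignment such as PATH=/usr/bin:/bin
            if (w ~ /^(if|then|else|elif|fi|for|do|done|while|until|case|esac|export|exit|return|set)$/) next
            print FILENAME ":" NR ": " w
        }' "$1"
}

# audit_suid_scripts DIR
#   Runs both checks over DIR. Returns 0 when no setuid/setgid script exists,
#   1 when at least one was found (so it can gate a cron job or CI step).
audit_suid_scripts() {
    list=$(find_suid_scripts "$1")
    [ -n "$list" ] || return 0
    printf '%s\n' "$list" | while IFS= read -r f; do
        ls -l "$f"
        unqualified_commands "$f"
    done
    return 1
}

# Usage: sh audit_suid.sh /home/web   (placeholder directory)
if [ "$#" -gt 0 ]; then
    audit_suid_scripts "$1"
fi
```

A script this check reports should either lose the setuid bit (a sudoers rule or a small compiled wrapper is the usual replacement) or, at minimum, set PATH to a fixed value on its first line and call every external command by absolute path. Note that Linux ignores the setuid bit on interpreter scripts, so on Linux the bit is a sign of intent rather than a live privilege path, whereas Solaris, as the linked article in the thread says, honours it.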