Vulnerability Development mailing list archives
Re: VULN-DEV Digest - 22 Mar 2000 to 23 Mar 2000 (#2000-61)
From: nekr0tek () YAHOO COM (Devil Man)
Date: Fri, 24 Mar 2000 16:53:49 -0800
Would love to give it a try but I am not a C or C++ programmer, just a lowly shell programmer and maybe some perl. Anyone want to give a better exploit? I'll try it. It is important to me as I ADMIN over 100 redhat servers; we do not use mail from the linux console so not a real big deal, but still interested. You can e-mail me directly if worried about posting a full exploit to the list. nekr0tek () yahoo com
From what I can tell, jan is putting an executable into /var/mail/myusername that does: setgid(6); system("/bin/sh"); and is setting it setgid, then redhat comes along and chgrp's it to group mail, which then can be executed to gain a shell that has mail-group access. Since I don't run RedHat here I couldn't try it, but the SuSE system I tried it on has all of the mailbox files' group set to the user's default group so it obviously doesn't work. Any RedHat users want to give it a try?

-HD
http://www.secureaustin.com

jan bakker wrote:

hello fellow roots,

one day i found that redhat 6.1 takes not only suid bits but also guid. you are owner of your mail file but it still belongs to the group mail, so

void(){
set suid bit to user;
set guid bit to 6;
}

compile it and move it to /var/mail/user
chmod 4700 /var/mail/user
...
result:

reddog@home$id
uid 300(me),gid 40(users)
reddog@home$cd /var/mail
reddog@home$me
reddog@home$id
uid(300),gid 6(mail)

now you can read other people's mail, but 6 is lower than 15, so at some systems you can add new users !!! even a root user !!!

red

p.s. it is noted very badly, this because else newbies and dipshits use it on schools. The good guys get the picture.
=====
"I am not lost, I am merely exploring alternative destinations!"
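
A defensive check for the condition discussed in this thread, as an added example that is not part of the original posts: a POSIX shell audit that lists files in a mail spool directory carrying setuid, setgid or execute bits, none of which a mailbox needs. The function names (has_bit, flags, audit_spool) are hypothetical, and the spool path is assumed to be passed as the first argument.

```shell
#!/bin/sh
# Audit a mail spool directory for mailbox files that are setuid, setgid or
# executable. Mailboxes are data files and should be none of these.

# has_bit FILE MODE: true if FILE has all permission bits in MODE set.
has_bit() {
    [ -n "$(find "$1" -prune -perm "-$2" -print 2>/dev/null)" ]
}

# flags FILE: print the risky attributes found on FILE (empty if none).
flags() {
    out=""
    if has_bit "$1" 4000; then out="$out setuid"; fi
    if has_bit "$1" 2000; then out="$out setgid"; fi
    if has_bit "$1" 0100 || has_bit "$1" 0010 || has_bit "$1" 0001; then
        out="$out exec"
    fi
    printf '%s' "${out# }"
}

# audit_spool DIR: one "flags<TAB>path" line per offending regular file.
audit_spool() {
    find "$1" -type f | sort | while IFS= read -r f; do
        fl=$(flags "$f")
        if [ -n "$fl" ]; then printf '%s\t%s\n' "$fl" "$f"; fi
    done
}

# Run against the directory given on the command line, e.g. /var/mail.
if [ "$#" -gt 0 ]; then
    audit_spool "$1"
fi
```

Any line of output is worth investigating; an empty result means every regular file in the spool is plain data as far as its mode bits go.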