Penetration Testing mailing list archives

Previous By Date Next
Previous By Thread Next

Re: solaris root-setuid script to gain root?

From: "Vitalik N." <robert.morris.jr () gmail com>
Date: Sun, 1 Jul 2007 15:53:39 +1000
On 7/1/07, Thomas Pollet <thomas.pollet () gmail com> wrote:

Hello,

On 30/06/07, Vitalik N. <robert.morris.jr () gmail com> wrote:
> Hi
>
> I was doing pen testing the other day and I found one root suid script
> left by some of the web developers:
>
> -rwsr-x--x  1 root   users  /home/web/c.cgi
>
> which is basically a bash script:
>
> ------ cut ------------
> #!/bin/sh
>
> uname
> ------ cut ------------
>
> And our system was recently compromised. Some local user was able to
> gain root access. Could this script be the way of gaining root access?
>
> According to http://www.unix.com/tips-and-tutorials/36711-the-whole-story-on-usr-bin-ksh.html
> "Because it was not possible to write a secure suid shell script, the concept
> of suid shell scripts was removed from Unix." But then it says "Solaris now
> supports suid shell" !
> I tried modifying the PATH variable and creating my own "uname" program.
> But my uname program runs with local user privs instead of root. I
> also tried the
did you put a setuid(0) in your uname program?

f.i.:
cat >uname.c<<EOF
#include <unistd.h>
int main (int argc, char **argv, char **envp) {
setuid(0);
setgid(0);
execve("/bin/sh",argv,envp);
}
EOF

> other attack described in the link above: "link to -i" but this didn't
> work as well.
> So could this script be the problem?
>
> P.S: The machine runs SunOS 5.6 with all updates

Regards,
Thomas Pollet



Yes, my uname programs was exactly the same. But I used execl call instead
of execve (don't think that would make any difference). I also tried
setting euid
(seteuid(0)).
Using a bash script for "uname" program didn't work either:

% cat uname
#!/bin/sh
touch /tmp/test
chown root /tmp/test

the script complains about privileges and can't execute chown.

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Swap Out your SPI or Watchfire app sec solution for
Cenzic's robust, accurate risk assessment and management
solution FREE - limited Time Offer

http://www.cenzic.com/wf-spi
------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: