Penetration Testing mailing list archives
Re: solaris root-setuid script to gain root?
From: "Vitalik N." <robert.morris.jr () gmail com>
Date: Mon, 2 Jul 2007 13:44:55 +1000
On 7/2/07, Nathan Sportsman <nsportsman () gmail com> wrote:
Just to be clear...the owner of your uname program is root and the setuid bit is set on it right? chmod u=+s uname try doing setuid(geteuid()) and see what effective user id the program is actually being run as. Thanks Nathan Sportsman On 7/1/07, Vitalik N. <robert.morris.jr () gmail com> wrote: > On 7/1/07, Thomas Pollet <thomas.pollet () gmail com> wrote: > > Hello, > > > > On 30/06/07, Vitalik N. <robert.morris.jr () gmail com> wrote: > > > Hi > > > > > > I was doing pen testing the other day and I found one root suid script > > > left by some of the web developers: > > > > > > -rwsr-x--x 1 root users /home/web/c.cgi > > > > > > which is basically a bash script: > > > > > > ------ cut ------------ > > > #!/bin/sh > > > > > > uname > > > ------ cut ------------ > > > > > > And our system was recently compromised. Some local user was able to > > > gain root access. Could this script be the way of gaining root access? > > > > > > According to http://www.unix.com/tips-and-tutorials/36711-the-whole-story-on-usr-bin-ksh.html > > > "Because it was not possible to write a secure suid shell script, the concept > > > of suid shell scripts was removed from Unix." But then it says "Solaris now > > > supports suid shell" ! > > > I tried modifying the PATH variable and creating my own "uname" program. > > > But my uname program runs with local user privs instead of root. I > > > also tried the > > did you put a setuid(0) in your uname program? > > > > f.i.: > > cat >uname.c<<EOF > > #include <unistd.h> > > int main (int argc, char **argv, char **envp) { > > setuid(0); > > setgid(0); > > execve("/bin/sh",argv,envp); > > } > > EOF > > > > > other attack described in the link above: "link to -i" but this didn't > > > work as well. > > > So could this script be the problem? > > > > > > P.S: The machine runs SunOS 5.6 with all updates > > > > Regards, > > Thomas Pollet > > > > Yes, my uname programs was exactly the same. 
But I used execl call instead > of execve (don't think that would make any difference). I also tried > setting euid > (seteuid(0)). > Using a bash script for "uname" program didn't work either: > > % cat uname > #!/bin/sh > touch /tmp/test > chown root /tmp/test > > the script complains about privileges and can't execute chown. > > ------------------------------------------------------------------------ > This List Sponsored by: Cenzic > > Swap Out your SPI or Watchfire app sec solution for > Cenzic's robust, accurate risk assessment and management > solution FREE - limited Time Offer > > http://www.cenzic.com/wf-spi > ------------------------------------------------------------------------ > >
The owner of my uname program is not root. The uname program has 455 permissions
set. But c.cgi has the root suid bit set (-rwsr-x--x 1 root users /home/web/c.cgi).
getuid and geteuid return the id of the user who runs the program. Maybe suid
scripts are not vulnerable to this kind of attack?
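The probe Nathan asks for, written out as an added example (this is not code from the thread): a drop-in "uname" that logs the real and effective ids it was started with, what setuid(geteuid()) returned, and whether PATH contains an empty or relative entry, then execs the real uname so the setuid script still behaves normally. The log path /tmp/uname-probe.log and the location /usr/bin/uname are assumptions.

```c
/*
 * uname_probe.c: drop-in "uname" for testing a PATH hijack of a setuid
 * shell script. Added example, not code from the thread. Install the
 * binary as "uname" in a directory you own, put that directory first in
 * PATH, run the setuid script, then read the log.
 *
 * Assumed (not from the thread): PROBE_LOG and REAL_UNAME.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

#define PROBE_LOG  "/tmp/uname-probe.log"  /* assumed: any path you can write */
#define REAL_UNAME "/usr/bin/uname"        /* assumed: the real binary to exec */

struct creds {
    uid_t ruid, euid;
    gid_t rgid, egid;
};

/* Snapshot of the real and effective ids the probe was started with. */
static struct creds current_creds(void)
{
    struct creds c;
    c.ruid = getuid();
    c.euid = geteuid();
    c.rgid = getgid();
    c.egid = getegid();
    return c;
}

/*
 * What the setuid parent handed us:
 *   0  effective uid is unprivileged (what the thread reports)
 *   1  effective root, real uid unprivileged: the classic setuid-root
 *      state in which setuid(0) makes root permanent
 *   2  real and effective uid are both root
 */
int classify_creds(uid_t ruid, uid_t euid)
{
    if (euid != 0)
        return 0;
    return ruid == 0 ? 2 : 1;
}

/*
 * Index of the first PATH entry that is empty, ".", or otherwise relative
 * (resolved against the caller's cwd); -1 if every entry is absolute.
 */
int first_relative_path_entry(const char *path)
{
    int idx = 0;
    const char *p = path;

    for (;;) {
        const char *end = strchr(p, ':');
        size_t len = end ? (size_t)(end - p) : strlen(p);

        if (len == 0 || p[0] != '/')
            return idx;
        if (end == NULL)
            return -1;
        p = end + 1;
        idx++;
    }
}

/* One log line per invocation; returns the length snprintf produced. */
int format_creds(char *buf, size_t n, const struct creds *c,
                 int setuid_rc, int relative_path_idx)
{
    return snprintf(buf, n,
                    "ruid=%ld euid=%ld rgid=%ld egid=%ld "
                    "setuid(geteuid())=%d level=%d first_relative_path_entry=%d\n",
                    (long)c->ruid, (long)c->euid, (long)c->rgid, (long)c->egid,
                    setuid_rc, classify_creds(c->ruid, c->euid), relative_path_idx);
}

int main(int argc, char **argv)
{
    struct creds c = current_creds();
    const char *path = getenv("PATH");
    int rc = setuid(c.euid);   /* Nathan's suggestion: make euid the real uid */
    char line[192];
    FILE *log;

    (void)argc;
    format_creds(line, sizeof line, &c, rc,
                 first_relative_path_entry(path ? path : ""));
    log = fopen(PROBE_LOG, "a");
    if (log != NULL) {
        fputs(line, log);
        fclose(log);
    }
    execv(REAL_UNAME, argv);   /* hand over so the hijacked script still works */
    perror("execv");
    return 1;
}
```

Run it as `PATH=$HOME/bin:$PATH /home/web/c.cgi` with the compiled probe installed as $HOME/bin/uname and read the log line. level=0 is the result this thread reports: the child never carried root, so nothing a replacement uname does will change that. level=1 is the state Thomas's setuid(0)-then-exec program needs. Two caveats when reading a level=0 result: a filesystem mounted nosuid disables the setuid bit entirely, and some interpreters (bash, unless started with -p) reset the effective uid to the real one at startup, so the script's interpreter and its mount options matter as much as the script's text.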
Current thread:
- Re: solaris root-setuid script to gain root? Vitalik N. (Jul 01)
- Re: solaris root-setuid script to gain root? Nathan Sportsman (Jul 01)
- Re: solaris root-setuid script to gain root? Vitalik N. (Jul 01)
- Re: solaris root-setuid script to gain root? Krugger (Jul 05)
- Re: solaris root-setuid script to gain root? Vitalik N. (Jul 01)
- Re: solaris root-setuid script to gain root? Nathan Sportsman (Jul 01)