Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Pen-Test
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: solaris root-setuid script to gain root?

from [Thomas Pollet] Network Security [Permanent Link]
Subject: Re: solaris root-setuid script to gain root?
Date: Sat, 30 Jun 2007 16:47:11 +0200 
Hello,

On 30/06/07, Vitalik N. <robert.morris.jr@gmail.com> wrote: 
Hi

I was doing pen testing the other day and I found one root suid script
left by some of the web developers:

-rwsr-x--x  1 root   users  /home/web/c.cgi

which is basically a bash script:

------ cut ------------
#!/bin/sh

uname
------ cut ------------

And our system was recently compromised. Some local user was able to
gain root access. Could this script be the way of gaining root access?

According to 
http://www.unix.com/tips-and-tutorials/36711-the-whole-story-on-usr-bin-ksh.html
"Because it was not possible to write a secure suid shell script, the concept
of suid shell scripts was removed from Unix." But then it says "Solaris now
supports suid shell" !
I tried modifying the PATH variable and creating my own "uname" program.
But my uname program runs with local user privs instead of root. I
also tried the

did you put a setuid(0) in your uname program?

f.i.:
cat >uname.c<<EOF
#include <unistd.h>
int main (int argc, char **argv, char **envp) {
setuid(0);
setgid(0);
execve("/bin/sh",argv,envp);
}
EOF

other attack described in the link above: "link to -i" but this didn't
work as well.
So could this script be the problem?

P.S: The machine runs SunOS 5.6 with all updates 

Regards,
Thomas Pollet

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Swap Out your SPI or Watchfire app sec solution for
Cenzic's robust, accurate risk assessment and management
solution FREE - limited Time Offer

http://www.cenzic.com/wf-spi
------------------------------------------------------------------------

[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Advanced Network Infrastructure Assessment Questions...., Joseph McCray
Next by Date:  Re: Extracting information about streams from pcap, Harry Hoffman
Previous by Thread:  solaris root-setuid script to gain root?, Vitalik N.
Next by Thread:  Extracting information about streams from pcap, David
Indexes:  [Date] [Thread] [Top] [All Lists]