Date: Sun, 12 Sep 2004 17:56:20 +0600
From: Andrey Rahmatullin
To: devel@altlinux.ru
Subject: Re: [devel] Q: working local root exploit
Message-ID: <20040912115620.GA3140@wrars-comp.wrarsdomain>
In-Reply-To: <20040912221334.1b89f0e9.dima@sakhalin.ru>

On Sun, Sep 12, 2004 at 10:13:34PM +1100, Dmitry Lebkov wrote:
>16:44 < dmi> the first one still works :-)
>16:46 < dmi> http://www.security.com.vn/details.php?ID=215
>16:46 < dmi> instant root#
>16:46 < dmi> even on Sisyphus
>It really does work ... :(

If you comment out the part of the exploit that allocates all memory to itself, you get a very strange shell:

wrar@wrars-comp ~ $ ./a.out
sh-2.05b# whoami
root
sh-2.05b# ls /boot
ls: /boot: Permission denied
sh-2.05b# id
uid=0(root) gid=0(root) группы=6(disk),10(wheel),14(uucp),16(rpm),36(hashman),80(cdwriter),81(audio),111(wine),500(wrar),501(wrar_a),502(wrar_b),503(hashuser)

I.e. the ordinary user wrar, but with uid=gid=0, and not even a member of the root group.
However, it is all clear:

$ < /tmp/own.c
int getuid() { return 0; }
int geteuid() { return 0; }
int getgid() { return 0; }
int getegid() { return 0; }

In principle, no exploit is needed at all: you can compile just this code and start a shell with LD_PRELOAD exactly as the exploit does.

One more thing I did not understand: in char hellc0de[], at the end after the null character there is /bin/sh, but it gets cut off at fprintf().

-- 
WBR, wRAR (ALT Linux Team)
Powered by the ALT Linux fortune(8):
Experience shows that this is not so - most rpm users have not read Maximum RPM.
		-- ldv in devel@
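
Added example (not part of the original message and not code from the exploit): a small C check that tells a shell like the one above from a real root shell by comparing what libc's getuid()/geteuid() return with what the kernel reports through syscall(2) and /proc/self/status. It assumes Linux with glibc; the names kernel_uid, kernel_euid, parse_status_uid and uid_spoofed are made up for this illustration.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>

/* Ask the kernel directly. syscall() does not go through the getuid()/geteuid()
 * symbols that a preloaded library replaces (assumption: the preload does not
 * also wrap syscall(); the own.c quoted above wraps only the four getters). */
static uid_t kernel_uid(void)  { return (uid_t)syscall(SYS_getuid); }
static uid_t kernel_euid(void) { return (uid_t)syscall(SYS_geteuid); }

/* Extract real and effective uid from /proc/<pid>/status text
 * ("Uid:\treal\teffective\tsaved\tfs"). Returns 0 on success, -1 otherwise. */
static int parse_status_uid(const char *status, unsigned *real, unsigned *eff)
{
    for (const char *p = status; p && *p; ) {
        if (strncmp(p, "Uid:", 4) == 0)
            return sscanf(p + 4, "%u %u", real, eff) == 2 ? 0 : -1;
        p = strchr(p, '\n');
        if (p) p++;
    }
    return -1;
}

/* 1 when libc's answer differs from the kernel's, i.e. the getter is interposed. */
static int uid_spoofed(uid_t libc_value, uid_t kernel_value) { return libc_value != kernel_value; }

int main(void)
{
    char buf[4096] = "";
    unsigned real = 0, eff = 0;
    const char *preload = getenv("LD_PRELOAD");
    FILE *f = fopen("/proc/self/status", "r");
    if (f) { size_t n = fread(buf, 1, sizeof buf - 1, f); buf[n] = '\0'; fclose(f); }

    printf("libc   uid=%u euid=%u\n", (unsigned)getuid(), (unsigned)geteuid());
    printf("kernel uid=%u euid=%u\n", (unsigned)kernel_uid(), (unsigned)kernel_euid());
    if (parse_status_uid(buf, &real, &eff) == 0)
        printf("/proc  uid=%u euid=%u\n", real, eff);
    printf("LD_PRELOAD=%s\n", preload ? preload : "(unset)");

    int fake = uid_spoofed(getuid(), kernel_uid()) || uid_spoofed(geteuid(), kernel_euid());
    puts(fake ? "credential getters are interposed: not a real root shell"
              : "libc and kernel agree");
    return fake;
}
```

Run from inside the suspect shell, it inherits the same LD_PRELOAD, so the libc line shows 0 while the kernel and /proc lines show the user's real uid, which is why ls /boot was still denied.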