| To: | pen-test@securityfocus.com |
|---|---|
| Subject: | solaris root-setuid script to gain root? |
| From: | "Vitalik N." <robert.morris.jr@gmail.com> |
| Date: | Sat, 30 Jun 2007 21:23:59 +1000 |
Hi, I was doing pen testing the other day and I found one root suid script left by some of the web developers:

-rwsr-x--x 1 root users /home/web/c.cgi

which is basically a bash script:

------ cut ------------
#!/bin/sh
uname
------ cut ------------

And our system was recently compromised. Some local user was able to gain root access. Could this script be the way of gaining root access?

According to http://www.unix.com/tips-and-tutorials/36711-the-whole-story-on-usr-bin-ksh.html "Because it was not possible to write a secure suid shell script, the concept of suid shell scripts was removed from Unix." But then it says "Solaris now supports suid shell"!

I tried modifying the PATH variable and creating my own "uname" program. But my uname program runs with local user privs instead of root. I also tried the other attack described in the link above: "link to -i" but this didn't work either.

So could this script be the problem?

P.S: The machine runs SunOS 5.6 with all updates
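For auditing a host after a finding like the c.cgi above, the following lists every setuid or setgid file that is an interpreter script rather than a compiled binary. It is an added example, not part of the original post; the function name find_suid_scripts and its tab-separated output format are this example's own.

```shell
#!/bin/sh
# Added example: report setuid/setgid regular files that start with "#!".
# Run it with enough privilege to read the files (the c.cgi in the post is
# mode -rwsr-x--x, so "other" users cannot read it); unreadable files are
# reported as UNREADABLE instead of being silently skipped.

# find_suid_scripts DIR...
# One line per finding: KIND <TAB> MODE,OWNER,GROUP <TAB> PATH <TAB> INTERPRETER
find_suid_scripts() {
    find "$@" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null |
    while IFS= read -r f; do
        # Mode string, owner and group as ls reports them.
        meta=$(ls -ld "$f" | awk '{print $1 "," $3 "," $4}')
        if [ ! -r "$f" ]; then
            printf 'UNREADABLE\t%s\t%s\t-\n' "$meta" "$f"
            continue
        fi
        # First two bytes decide whether the kernel treats it as a script.
        # dd is used because older head(1) implementations lack -c.
        magic=$(dd if="$f" bs=2 count=1 2>/dev/null | tr -d '\000')
        [ "$magic" = '#!' ] || continue
        # Interpreter line without the "#!" prefix, e.g. "/bin/sh".
        interp=$(head -n 1 "$f" | sed 's/^#![[:space:]]*//')
        printf 'SCRIPT\t%s\t%s\t%s\n' "$meta" "$f" "$interp"
    done
}

# Stand-alone use: sh thisfile.sh /home /usr/local
if [ "$#" -gt 0 ]; then
    find_suid_scripts "$@"
fi
```

Paths containing newlines are not handled by the line-based loop; each SCRIPT finding is a candidate for dropping the setuid bit or replacing the script with a narrowly scoped privileged helper.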