
Re: FW: [cobalt-security] Local Root exploit



Good...
Are you just kidding or what???

This is a severe exploit!
I tried it and also managed to make it run from a cgi script!?!
That means someone who has an account on the machine can gain root privileges 
whenever he wants.
Then a cgi using sushi may be like #!/.sushi /usr/bin/perl.

Do you understand this?
Now, it is NOT possible to do only like it's said in the header of the script.

Turning off suid privileges on /usr/lib/authenticate means apache won't be 
able to authenticate users anymore.
So, you won't be able to access admin console.

Doesn't this mean there is a huge problem now and that Sun should quickly 
propose a relevant security patch for apache? (and if they could provide an 
official patch for openssl too...)

Sincerely yours.

On Sunday 22 September 2002 22:42, Brett Wright wrote:
> At 01:34 20/09/02, you wrote:
> > > -----Original Message-----
> > > From: Sean Chester [mailto:seanc@xxxxxxxxxxxxxxxxxxxxxx]
> > > Sent: 19 September 2002 10:21
> > > To: cobalt-security@xxxxxxxxxxxxxxx
> > > Subject: RE: [cobalt-security] Local Root exploit
> > >
> > > > -----Original Message-----
> > > > Subject: Re: [cobalt-security] Local Root exploit
> > > > Not sure if this has been posted here yet, but I tried it
> > > > on a raq4
> > > > and it worked.
> > > >
> > > > http://www.securiteam.com/exploits/5MP0R0A80K.html
> >
> >  I ran this, it does give me a root shell.
> >
> >  Do I need to clean up after running this?
> >  Any files need deleting to get me back to how I was?
>
> Code on http://www.securiteam.com is normally quite good, then again you
> never know, just patch the server as it states at the start of the script,
> and do not let anyone you do not trust to have shell access to the server.
>
>
> The only thing I found was this
>
> main() { system("cp $tempdir/core/sushi /.sushi ; chmod 6777 /.sushi"); }
>
>
> remove or chmod the file .sushi in the /
>
> Then again I have done this on a test RAQ4 on an internal network; it's not a
> good idea to run these types of scripts on a 'real' working machine.
>
> >_______________________________________________
> >cobalt-security mailing list
> >cobalt-security@xxxxxxxxxxxxxxx
> >http://list.cobalt.com/mailman/listinfo/cobalt-security

-- 
Rene Luria <operator@xxxxxxxxxxxxx>
Unix Administrator - Infomaniak Network SA
PGP key DFE5C340 at keyserver.pgp.com
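For the clean-up question raised in the thread, the following is an added example, not part of any poster's message or of the script they discuss. It looks for the permission pattern of the quoted `chmod 6777 /.sushi` line (setuid or setgid combined with world-writable) and strips those bits; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original thread). Function names are
# hypothetical. Intended for auditing a host after the incident described.

# find_writable_suid ROOT
#   Prints regular files under ROOT that are setuid or setgid AND
#   world-writable. -xdev keeps the scan on a single filesystem.
find_writable_suid() {
    root=${1:-/}
    find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) -perm -0002 \
        -print 2>/dev/null
}

# audit_suid ROOT
#   Lists each finding with mode and owner. Returns 1 if anything was
#   found, 0 if the tree is clean, so it can be used in cron or a check.
audit_suid() {
    found=$(find_writable_suid "$1")
    [ -z "$found" ] && return 0
    printf '%s\n' "$found" | while IFS= read -r f; do
        ls -ld -- "$f"
    done
    return 1
}

# neutralise_suid FILE...
#   Clears setuid, setgid and world-write but keeps the file, so it can
#   still be inspected (owner, timestamps, contents) before deletion.
neutralise_suid() {
    for f in "$@"; do
        chmod u-s,g-s,o-w -- "$f" || return 1
    done
}
```

Run `audit_suid /` as root so that unreadable directories are not skipped silently.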