Re: FW: [cobalt-security] Local Root exploit
- Subject: Re: FW: [cobalt-security] Local Root exploit
- From: Rene Luria <operator@xxxxxxxxxxxxx>
- Date: Mon, 23 Sep 2002 08:58:38 +0200
- Organization: Infomaniak Network SA
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Good...
Are you just kidding or what???
This is a severe exploit!
I tried it and also managed to make it run from a cgi script!?!
That means someone who has an account on the machine can gain root privileges
whenever he wants.
Then a cgi using sushi may be like #!/.sushi /usr/bin/perl.
Do you understand this?
Now, it is NOT possible to do only as it's said in the header of the script.
Turning off suid privileges on /usr/lib/authenticate means apache won't be
able to authenticate users anymore.
So, you won't be able to access admin console.
Doesn't this mean there is a huge problem now and that Sun should quickly
propose a relevant security patch for apache? (and if they could provide an
official patch for openssl too...)
Sincerely yours.
On Sunday 22 September 2002 22:42, Brett Wright wrote:
> At 01:34 20/09/02, you wrote:
> > > -----Original Message-----
> > > From: Sean Chester [mailto:seanc@xxxxxxxxxxxxxxxxxxxxxx]
> > > Sent: 19 September 2002 10:21
> > > To: cobalt-security@xxxxxxxxxxxxxxx
> > > Subject: RE: [cobalt-security] Local Root exploit
> > >
> > > > -----Original Message-----
> > > > Subject: Re: [cobalt-security] Local Root exploit
> > > > Not sure if this has been posted here yet, but I tried it
> > > > on a raq4
> > > > and it worked.
> > > >
> > > > http://www.securiteam.com/exploits/5MP0R0A80K.html
> >
> > I ran this, it does give me a root shell.
> >
> > Do I need to clean up after running this?
> > Any files need deleting to get me back to how I was?
>
> Code on http://www.securiteam.com is normally quite good, then again you
> never know, just patch the server as it states at the start of the script,
> and do not let anyone you do not trust to have shell access to the server.
>
>
> The only thing I found was this
>
> main() { system("cp $tempdir/core/sushi /.sushi ; chmod 6777 /.sushi"); }
>
>
> remove or chmod the file .sushi in the /
>
> Then again I have done this on a test RAQ4 on an internal network, it's not a
> good idea to run these types of scripts on a 'real' working machine.
>
> >_______________________________________________
> >cobalt-security mailing list
> >cobalt-security@xxxxxxxxxxxxxxx
> >http://list.cobalt.com/mailman/listinfo/cobalt-security
- --
Rene Luria <operator@xxxxxxxxxxxxx>
Unix Administrator - Infomaniak Network SA
PGP key DFE5C340 at keyserver.pgp.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
iD8DBQE9jrugJ1jvMN/lw0ARAoAFAKDKBzPNxYYgIclsMXJQkdX++jOEJgCg+9RG
TJAk98BWsB2d5RpAN6YJbpI=
=ZqgI
-----END PGP SIGNATURE-----
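The cleanup advice quoted in the message above (remove or chmod the mode-6777 copy left at /.sushi) generalises to an audit for any setuid/setgid file that is world-writable or hidden at the top of a directory. The shell functions below are an added example, not part of the original thread or of any Cobalt tooling; the function names are hypothetical, and `-maxdepth` assumes GNU or BSD find.

```shell
#!/bin/sh
# Added example: audit for leftover setuid/setgid artifacts such as the
# /.sushi copy (chmod 6777) discussed in the thread. Function names are
# hypothetical; nothing here comes from the exploit script itself.

# List regular files under $1 that carry setuid or setgid AND are
# world-writable. No legitimate system binary should match this.
find_writable_suid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -perm -0002 -print 2>/dev/null
}

# List setuid/setgid dotfiles sitting directly in $1 (for example "/").
# A hidden privileged binary at the top of a filesystem is a strong
# indicator of a planted shell.
find_hidden_suid() {
    find "$1" -xdev -maxdepth 1 -type f -name '.*' \
        \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# Strip setuid/setgid and group/other write from $1 while keeping the
# file in place, so it can still be examined before removal.
neutralise() {
    chmod u-s,g-s,go-w "$1"
}

# Stand-alone use: pass one or more directories to audit, e.g. "/".
if [ "$#" -gt 0 ]; then
    for root in "$@"; do
        echo "== setuid/setgid and world-writable under $root"
        find_writable_suid "$root"
        echo "== hidden setuid/setgid files directly in $root"
        find_hidden_suid "$root"
    done
fi
```

Legitimate setuid helpers such as /usr/lib/authenticate are not world-writable and are not dotfiles, so neither check flags them.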