Re: solaris root-setuid script to gain root?



Hello,

On 30/06/07, Vitalik N. <robert.morris.jr@xxxxxxxxx> wrote:
> Hi
>
> I was doing pen testing the other day and I found one root suid script
> left by some of the web developers:
>
> -rwsr-x--x 1 root users /home/web/c.cgi
>
> which is basically a bash script:
>
> ------ cut ------------
> #!/bin/sh
>
> uname
> ------ cut ------------
>
> And our system was recently compromised. Some local user was able to
> gain root access. Could this script be the way of gaining root access?
>
> According to http://www.unix.com/tips-and-tutorials/36711-the-whole-story-on-usr-bin-ksh.html
> "Because it was not possible to write a secure suid shell script, the concept
> of suid shell scripts was removed from Unix." But then it says "Solaris now
> supports suid shell" !
> I tried modifying the PATH variable and creating my own "uname" program.
> But my uname program runs with local user privs instead of root. I
> also tried the

did you put a setuid(0) in your uname program?

f.i.:
cat >uname.c<<EOF
#include <unistd.h>
int main (int argc, char **argv, char **envp) {
setuid(0);
setgid(0);
execve("/bin/sh",argv,envp);
}
EOF

> other attack described in the link above: "link to -i" but this didn't
> work as well.
> So could this script be the problem?
>
> P.S: The machine runs SunOS 5.6 with all updates

Regards,
Thomas Pollet
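
For administrators checking a host for the condition discussed in this thread, the following audit is an added example and is not part of the original post: it lists setuid/setgid files that are interpreter scripts and reports whether each one pins PATH or inherits it from the caller. The function names and the "path-set"/"path-inherited" labels are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread): audit a tree for setuid/setgid
# interpreter scripts such as the c.cgi described above.
# Function names and status labels are hypothetical.

# is_script FILE: succeed if FILE begins with the two bytes "#!".
is_script() {
    [ "$(dd if="$1" bs=2 count=1 2>/dev/null)" = "#!" ]
}

# sets_path FILE: succeed if the script assigns PATH itself instead of
# trusting whatever PATH the calling user exported.
sets_path() {
    grep -Eq '^[[:space:]]*(export[[:space:]]+)?PATH=' "$1"
}

# audit_suid_scripts DIR: print "<status> <interpreter> <file>" for every
# setuid or setgid regular file under DIR that is a "#!" script.
# "path-set" only means PATH is assigned in the script; it does not make a
# setuid script safe. The fix for any hit is to drop the setuid bit.
# File names containing newlines are not handled.
audit_suid_scripts() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
    while IFS= read -r f; do
        is_script "$f" || continue
        if sets_path "$f"; then
            status="path-set"
        else
            status="path-inherited"
        fi
        # Interpreter = first word after "#!" on line 1.
        interp=$(head -n 1 "$f" | cut -c3- | awk '{print $1}')
        printf '%s %s %s\n' "$status" "$interp" "$f"
    done
}

# Stand-alone use: sh audit.sh /home/web
if [ "$#" -gt 0 ]; then
    audit_suid_scripts "$1"
fi
```

Any file it reports should have the bit removed with `chmod u-s,g-s`, with the privileged step moved into a narrowly scoped mechanism instead.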
