Re: your mail

To: "Pawel Dudek" <paweld@debian.pl-linux.net>, "Michal Niezbecki" <coor@coolnet.com.pl>, <debian-user-polish@lists.debian.org>
Subject: Re: your mail
From: "Michal Trojnara" <Michal.Trojnara@mirt.net>
Date: Fri, 12 Oct 2001 23:20:25 +0200
Message-id: <[🔎] 003b01c15363$e25b8180$0201a8c0@mirt.net.mirt.net>
References: <[🔎] Pine.LNX.4.21.0110121644450.3269-100000@debian.pl-linux.net>

Bardzo Stary Dowcip (TM).  8-)

Zmienna srodowiskowa LD_PRELOAD (zob. manual ld.so(8)) pozwala
wyspecyfikowac dodatkowe biblioteki dynamiczne, ktore sa linkowane przed
bibliotekami, ktorych zyczy sobie binarka (por. "ldd /bin/bash").  Kazdy
program uruchomiony z LD_PRELOAD wskazujaca na ponizsza biblioteke wywoluje
wiec zmodyfikowane wersje get(e)uid() i get(e)gid(), ktore zawsze zwracaja
zero (=root).  Oczywiscie nie ma to wplywu na rzeczywiste prawa.

Pozdrawiam,
    Michal Trojnara

----- Original Message -----
From: "Pawel Dudek" <paweld@debian.pl-linux.net>
To: "Michal Niezbecki" <coor@coolnet.com.pl>
Cc: <debian-user-polish@lists.debian.org>
Sent: Friday, October 12, 2001 4:45 PM
Subject: Re: your mail


> Hm, napisz moze raczej na debian-security@
> Wyglada na zapodawanie jakiegos exploita prawde mowiac.
> Pozdrawiam,
> Pawel
>
> On Fri, 12 Oct 2001, Michal Niezbecki wrote:
>
> > Witam
> > Mam prosbe
> > Znalazlem cos takiego na koncie jednego z userow, w bashhistory widac ze
to
> > uruchamial
> > Co ten sploit dokladnie robi i czy gosc mogl zyskac jakies uprawnienia
> > w logach nic nie ma
> >
> > ----------
> >
> > #!/bin/sh
> > echo "1|nux r007 3xp10|7 by 1c4m7uf"
> > cd /tmp
> > cat >ex.c <<eof
> > int getuid() { return 0; }
> > int geteuid() { return 0; }
> > int getgid() { return 0; }
> > int getegid() { return 0; }
> > eof
> > gcc -shared ex.c -oex.so
> > LD_PRELOAD=/tmp/ex.so sh
> > rm /tmp/ex.so /tmp/ex.c
> >
> > ----------
> >
> > coor@coolnet:~$ ./dupa
> > 1|nux r007 3xp10|7 by 1c4m7uf
> > sh-2.03# whoami
> > root
> > sh-2.03# /usr/sbin/adduser test
> > Adding user test...
> > Adding new group test (1030).
> > Can't exec "groupadd": No such file or directory at /usr/sbin/adduser
line
> > 675.
> > adduser: `groupadd -g 1030 test' returned error code 255. Aborting.
> > Cleaning up.
> > Removing group `test'.
> > Can't exec "groupdel": No such file or directory at /usr/sbin/adduser
line
> > 695.
> > sh-2.03# cat /etc/sudoers
> > cat: /etc/sudoers: Permission denied
> > sh-2.03# ps aux |grep apache
> > root 405 0.0 2.5 5612 3208 ? S Sep29 0:00 /usr/sbin/apache
> > www-data 4210 0.0 3.9 7192 5028 ? S Oct07 0:00 /usr/sbin/apache
> > www-data 4744 0.0 4.0 7216 5096 ? S Oct07 0:00 /usr/sbin/apache
> > www-data 4745 0.0 4.2 7464 5344 ? S Oct07 0:00 /usr/sbin/apache
> > www-data 8993 0.0 3.9 7236 5044 ? S 06:22 0:00 /usr/sbin/apache
> > www-data 9667 0.0 4.1 7552 5236 ? S 07:40 0:00 /usr/sbin/apache
> > www-data 9669 0.0 3.9 7156 4988 ? S 07:40 0:00 /usr/sbin/apache
> > www-data 10087 0.0 2.5 5648 3300 ? S 08:28 0:00 /usr/sbin/apache
> > www-data 10088 0.0 4.0 7316 5176 ? S 08:28 0:00 /usr/sbin/apache
> > www-data 10089 0.0 2.5 5648 3304 ? S 08:28 0:00 /usr/sbin/apache
> > coor 10384 0.0 0.3 1124 452 pts/0 S 08:58 0:00 grep apache
> > sh-2.03# kill -9 405
> > sh: kill: (405) - Not owner
> > sh-2.03#
> >
> > wiec jakbym byl dalej na prawach zwyklego usera
> > na co jeszcze zwrocic uwage?
> > pozdro
> > Michal
> >
> >
> > --
> > To UNSUBSCRIBE, email to debian-user-polish-request@lists.debian.org
> > with a subject of "unsubscribe". Trouble? Contact
listmaster@lists.debian.org
> >
>
>
> --
> To UNSUBSCRIBE, email to debian-user-polish-request@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact
listmaster@lists.debian.org
>
>

Reply to:

References:
- Re: your mail
  - From: Pawel Dudek <paweld@debian.pl-linux.net>

Prev by Date: Re: problem z dhelp
Next by Date: Re: Książka
Previous by thread: Re: your mail
Next by thread: Re: your mail
Index(es):
- Date
- Thread