Bugtraq mailing list archives
[Tim Newsham: IRIX Race Conditions]
From: newsham () uhunix uhcc hawaii edu (Tim Newsham)
Date: Sun, 2 Oct 1994 08:06:24 -1000
/*
* Copyright (c) 1983 Regents of the University of California.
* All rights reserved. The Berkeley software License Agreement
* specifies the terms and conditions for redistribution.
*/
#ifndef lint
char copyright[] =
"@(#) Copyright (c) 1983 Regents of the University of California.\n\
All rights reserved\n\n\
adapted 27 April 1994 by ME.\n";
#endif not lint
#ifndef lint
static char sccsid[] = "@(#)rexec.c 1.31, from rsh.c 1.1";
#endif not lint
/* rexec.c
*
* This programm uses the rexec port to execute a command on a remote
* machine. Also supports interactive use.
*
* version 1.01 beta
* tested under sunos 4.1.1 1 December 1992
* version 1.1 blocked signals on client side
* tested under sunos 4.1.1 16 February 1993
* version 1.2 removed blocking, added signal forwarding, childprocess
* to prevent trouble when stoping etc. snarfed lots of code from BSD rsh
* tested under sunos 4.1.1 18 February 1993
* version 1.21 fixed typo. discoverd bug where rexec fails when gethostbyaddr
* fails (not fixed)
* tested under sunos 4.1.1 8 March 1993
* versions 1.31 rewritten on the basis of rsh. rexec now works with numeric
* adresses as well, and sports an rsh type syntax (man rsh)
* tested under sunos 4.1.3 C April 27 1994
*
*/
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/ioctl.h>
#include <sys/file.h>
#include <netinet/in.h>
#include <stdio.h>
#include <errno.h>
#include <signal.h>
#include <pwd.h>
#include <netdb.h>
/*
* rexec - remote shell
*/
/* VARARGS */
int error();
char *index(), *rindex(), *malloc(), *getpass(), *sprintf(), *strcpy();
char *getlogin();
#ifndef S5EMUL
char *sprintf();
#endif
struct passwd *getpwuid();
int errno;
int options;
int rfd2;
int sendsig();
int is_numeric(host,len)
char *host;
int len;
{
int j;
for(j=0;j<len; j++) {
if (!(isdigit(host[j]) || (host[j] == '.')))
return(0);
}
return(1);
}
rexec(ahost, rport, name, pass, cmd, fd2p)
char **ahost;
int rport;
char *name, *pass, *cmd;
int *fd2p;
{
int s, timo = 1, s3;
long iaddr;
struct sockaddr_in sin, sin2, from;
char c;
u_short port;
struct hostent *hp;
if (is_numeric(*ahost,strlen(*ahost)))
iaddr = inet_addr(*ahost);
else {
hp = gethostbyname(*ahost);
if (hp == 0) {
fprintf(stderr, "%s: unknown host\n", *ahost);
return (-1);
}
}
/*
* implementing this garbage properly would take to much time
* It hast two purposes:
* 1: it ask's for a password if necessary (not necessary in
* rexec, since ALLWAYS given.
* 2: it scan's the users netrc's for likely passwords.
*ahost = hp->h_name;
_ruserpass(hp->h_name, &name, &pass);
*/
retry:
s = socket(AF_INET, SOCK_STREAM, 0);
if (s < 0) {
perror("rexec: socket");
return (-1);
}
if (iaddr) {
sin.sin_family = AF_INET;
bcopy(&iaddr, (caddr_t)&sin.sin_addr,sizeof(iaddr) );
}
else {
sin.sin_family = hp->h_addrtype;
bcopy(hp->h_addr, (caddr_t)&sin.sin_addr, hp->h_length);
}
sin.sin_port = rport;
if (connect(s, &sin, sizeof(sin)) < 0) {
if (errno == ECONNREFUSED && timo <= 16) {
(void) close(s);
sleep(timo);
timo *= 2;
goto retry;
}
perror(hp->h_name);
(void) close(s);
return (-1);
}
if (fd2p == 0) {
(void) write(s, "", 1);
port = 0;
} else {
char num[8];
int s2, sin2len;
s2 = socket(AF_INET, SOCK_STREAM, 0);
if (s2 < 0) {
(void) close(s);
return (-1);
}
listen(s2, 1);
sin2len = sizeof (sin2);
if (getsockname(s2, (char *)&sin2, &sin2len) < 0 ||
sin2len != sizeof (sin2)) {
perror("getsockname");
(void) close(s2);
goto bad;
}
port = ntohs((u_short)sin2.sin_port);
(void) sprintf(num, "%u", port);
(void) write(s, num, strlen(num)+1);
{ int len = sizeof (from);
s3 = accept(s2, &from, &len);
close(s2);
if (s3 < 0) {
perror("accept");
port = 0;
goto bad;
}
}
*fd2p = s3;
}
(void) write(s, name, strlen(name) + 1);
/* should public key encypt the password here */
(void) write(s, pass, strlen(pass) + 1);
(void) write(s, cmd, strlen(cmd) + 1);
if (read(s, &c, 1) != 1) {
perror(*ahost);
goto bad;
}
if (c != 0) {
while (read(s, &c, 1) == 1) {
(void) write(2, &c, 1);
if (c == '\n')
break;
}
goto bad;
}
return (s);
bad:
if (port)
(void) close(*fd2p);
(void) close(s);
return (-1);
}
#define mask(s) (1 << ((s) - 1))
main(argc0, argv0)
int argc0;
char **argv0;
{
int rem, pid, argc = argc0;
char *host, *cp, **ap, buf[BUFSIZ], *args, **argv = argv0, *user = 0;
char *passwd, *a;
register int cc;
int asrexec = 0;
struct passwd *pwd;
int readfrom, ready;
int one = 1;
struct servent *sp;
int omask;
host = rindex(argv[0], '/');
if (host)
host++;
else
host = argv[0];
argv++, --argc;
if (!strcmp(host, "rexec")) {
if (argc == 0)
goto usage;
if (*argv[0] != '-') {
host = *argv++, --argc;
asrexec = 1;
} else
host = 0;
}
another:
if (argc > 0 && !strcmp(*argv, "-l")) {
argv++, argc--;
if (argc > 0)
user = *argv++, argc--;
goto another;
}
if (argc > 0 && !strcmp(*argv, "-n")) {
argv++, argc--;
(void) close(0);
(void) open("/dev/null", 0);
goto another;
}
if (argc > 0 && !strcmp(*argv, "-d")) {
argv++, argc--;
options |= SO_DEBUG;
goto another;
}
if (host == 0) {
if (argc == 0)
goto usage;
host = *argv++, --argc;
asrexec = 1;
}
if (argv[0] == 0)
asrexec = 1;
else
asrexec = 0;
pwd = getpwuid(getuid());
if (pwd == 0) {
fprintf(stderr, "who are you?\n");
exit(1);
}
cc = 0;
for (ap = argv; *ap; ap++)
cc += strlen(*ap) + 1;
cp = args = malloc(cc);
for (ap = argv; *ap; ap++) {
(void) strcpy(cp, *ap);
while (*cp)
cp++;
if (ap[1])
*cp++ = ' ';
}
passwd = getpass("Password: ");
sp = getservbyname("exec", "tcp");
if (sp == 0) {
fprintf(stderr, "rexec: shell/tcp: unknown service\n");
exit(1);
}
if (asrexec)
rem = rexec(&host,sp->s_port, user ? user : pwd->pw_name,passwd,
"/bin/true; exec /bin/sh -i", &rfd2);
else
rem = rexec(&host, sp->s_port,
user ? user : pwd->pw_name,passwd, args, &rfd2);
while(argc0--) {
a=*argv0++;
while(*a) *a++ = '\0';
}
if (rem < 0)
exit(1);
if (rfd2 < 0) {
fprintf(stderr, "rexec: can't establish stderr\n");
exit(2);
}
if (options & SO_DEBUG) {
if (setsockopt(rem, SOL_SOCKET, SO_DEBUG, &one, sizeof (one)) < 0)
perror("rexec: setsockopt (stdin)");
if (setsockopt(rfd2, SOL_SOCKET, SO_DEBUG, &one, sizeof (one)) < 0)
perror("rexec: setsockopt (stderr)");
}
omask = sigblock(mask(SIGINT)|mask(SIGQUIT)|mask(SIGTERM));
if (signal(SIGINT, SIG_IGN) != SIG_IGN)
signal(SIGINT, sendsig);
if (signal(SIGQUIT, SIG_IGN) != SIG_IGN)
signal(SIGQUIT, sendsig);
if (signal(SIGTERM, SIG_IGN) != SIG_IGN)
signal(SIGTERM, sendsig);
pid = fork();
if (pid < 0) {
perror("rexec: fork");
exit(1);
}
ioctl(rfd2, FIONBIO, &one);
ioctl(rem, FIONBIO, &one);
if (pid == 0) {
char *bp; int rembits, wc;
(void) close(rfd2);
reread:
errno = 0;
cc = read(0, buf, sizeof buf);
if (cc <= 0)
goto done;
bp = buf;
rewrite:
rembits = 1<<rem;
if (select(sizeof(int)*8, 0, &rembits, 0, 0) < 0) {
if (errno != EINTR) {
perror("rexec: select");
exit(1);
}
goto rewrite;
}
if ((rembits & (1<<rem)) == 0)
goto rewrite;
wc = write(rem, bp, cc);
if (wc < 0) {
if (errno == EWOULDBLOCK)
goto rewrite;
goto done;
}
cc -= wc; bp += wc;
if (cc == 0)
goto reread;
goto rewrite;
done:
(void) shutdown(rem, 1);
exit(0);
}
sigsetmask(omask);
readfrom = (1<<rfd2) | (1<<rem);
do {
ready = readfrom;
if (select(sizeof(int)*8, &ready, 0, 0, 0) < 0) {
if (errno != EINTR) {
perror("rexec: select");
exit(1);
}
continue;
}
if (ready & (1<<rfd2)) {
errno = 0;
cc = read(rfd2, buf, sizeof buf);
if (cc <= 0) {
if (errno != EWOULDBLOCK)
readfrom &= ~(1<<rfd2);
} else
(void) write(2, buf, cc);
}
if (ready & (1<<rem)) {
errno = 0;
cc = read(rem, buf, sizeof buf);
if (cc <= 0) {
if (errno != EWOULDBLOCK)
readfrom &= ~(1<<rem);
} else
(void) write(1, buf, cc);
}
} while (readfrom);
(void) kill(pid, SIGKILL);
exit(0);
usage:
fprintf(stderr,
"usage: rexec [ -l login ] [ -n ] host command\n");
exit(1);
/* NOTREACHED */
}
sendsig(signo)
char signo;
{
(void) write(rfd2, &signo, 1);
}
Current thread:
- [Tim Newsham: IRIX Race Conditions] Tim Newsham (Oct 02)
- <Possible follow-ups>
- [Tim Newsham: IRIX Race Conditions] Tim Newsham (Oct 02)
- Re: your mail Joseph W. Stroup (Oct 02)
- SUMMARY Security Info (root broken) Pat Myrto (Oct 03)
- Re: SUMMARY Security Info (root broken) Luke Mewburn (Oct 03)
- Re: SUMMARY Security Info (root broken) Pat Myrto (Oct 03)
- Re: SUMMARY Security Info (root broken) Casper Dik (Oct 04)
- [Tim Newsham: IRIX Race Conditions] Tim Newsham (Oct 02)
- [Tim Newsham: IRIX Race Conditions] Tim Newsham (Oct 02)
- [Tim Newsham: IRIX Race Conditions] Brent Chapman (Oct 02)