Friday, April 15, 2005

The temporary one!

void main()
FILE *fh = fopen("/tmp/ABC_my_junk_spot", "w+");
fprintf(fh, "hello..what are you looking at?");

Find out what is wrong with this piece of code?
How would you exploit this to gain root access if this code runs as root?

PS: The bar girls are like /tmp because
1. They are public property 2.They talk too much


rzo said...

Well, the problem with the code, is use a static name (non randomic) as temporary file, that could be symbolic link by a ordinary user. Like

$ ln -s /etc/Some-Important-File ABC_my_junk_spot

In this way, without read and output the file to some place it could be hard to exploit.

Anyway if exist some service running that allow remote connections and can estabilish trusted connections, we could create a file with this code. The problem is that we cannot (real cannot ?) control the data that will be inserted into this file.

And you ? :P

Alpha0 said...
This comment has been removed by a blog administrator.
Alpha0 said...

Very true.
It may be a local compromise but not a remote one.


rzo said...

Yes, but if neither service trusted it running, what can you do ?

Are you able to control the behaivor of printf() for hacking ? :)

Alpha0 said...

I dont think we can control the behavior of printf.

You remember an old trick:
(Earlier all cores dumped by applications having suid as root were owned by root.)

$ln -s /.rhosts core

+ +

$export BOB42

Now get the core dumped by killing some suid root process for example 'ping'.
And here is your chocolate:
$rsh -l root localhost /bin/sh -i


Alpha0 said...

In the similar manner you can exploit the code given in problem.

rzo said...


Cool I wasn't aware of this trick, probability it's from Proprietary Unixs (hp-ux, aix, etc) or some unix in general (linux for example) when I doesn't used it yet. hehehe :)

The idea is good of link a existent core to a sensitive file (like .rhosts), so add to a env a malicious entry that will be dumped. But I was thinking...

- How can you generate a core with normal user to write into the core. Since fi you kill a suid app (like ping) it recive a sigkill and NOT a sigsegv (that generate a core). Sigkill doesn't generate core. How deal with it ?

- If the above problem have a solution, it only will work in:

Services that doesn't stop (exit) to parse a invalid entry, because this kind of trick will put a bunch o crap in .rhosts. I don't know if rlogin doesn't care to crap in the .rhosts file.