home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
Freaks Macintosh Archive
/
Freaks Macintosh Archive.bin
/
Freaks Macintosh Archives
/
Hacking & Misc
/
bundle of exploits.sit
/
bundle of exploits
/
dumpExploit.txt
< prev
next >
Wrap
Text File
|
1998-07-17
|
2KB
|
41 lines
There is a security hole in RedHat 2.1, which installs /sbin/dump suid
root. The dump program makes no provisions for checking file permissions,
allowing any user on the system to read arbitrary files on the system.
Dump checks permissions only on the directory you specify to backup, and
not on files or subdirectories.
The process to exploit this is to backup the files via dump as if it was
a normal backup to a temporary file, and then restore the temporary file
with /sbin/restore to your own directory. The solution is simple, don't
run dump suid root on your system.
Program: /sbin/dump incorrectly installed
Affected Operating Systems: RedHat 2.1 linux distribution
Requirements: account on system
Patch: chmod -s /sbin/dump
Security Compromise: read arbitrary files on system
Author: Dave M. (davem@cmu.edu)
Synopsis: dump fails to check file permissions against
user running dump, or to give up suid when
backing up a filesystem.
Exploit:
$ /sbin/dump 0uf woot.dump DIRECTORY_FILE_TO_READ_IS_IN
/-------------\
|David Meltzer|
|davem@cmu.edu|
/--------------------------\
|School of Computer Science|
|Carnegie Mellon University|
\--------------------------/
--
infiNity .oOo. Member of the infamous Guild | spreading information
route .oOo. Use strong Cryptography | like it was going
daemon9 .oOo. Finger for info | out of style