DG/UX ospf_monitor vulnerability

Summary
Description:It is suid and contains a command to write to file, which it does w/o dropping privileges. Brilliant.
Author:Brian Mitchell (brian@saturn.net)
Compromise: root (local)
Vulnerable Systems:Tested on DG/UX 5.4r3.10
Date:23 July 1996
Details

Exploit:

From: Brian Mitchell (brian@saturn.net)
Date: Tue, 23 Jul 1996 19:03:07 -0400 


There seems to be a vulnerbility in dg/ux (tested in 5.4r3.10) - it
includes ospf_monitor (from the gated package). Unfortunately, it is a
older version and has a security hole.

It is a suid program, and has a command to write to a file, so something
like this:

umask 0
ospf_monitor
F /tmp/foo
x

This should create a 0 byte world writable file called /tmp/foo, assuming
/tmp/foo does not exist. If it exists, it will be truncated, permissions
obviously will not be modified.


Brian Mitchell                                          brian@saturn.net
"I never give them hell. I just tell the truth and they think it's hell"
- H. Truman


More Exploits!

The master index of all exploits is available here (Very large file)
Or you can pick your favorite operating system:
All OS's Linux Solaris/SunOS Micro$oft
*BSD Macintosh AIX IRIX
ULTRIX/Digital UNIX HP/UX SCO Remote exploits

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resouces:

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault