[SOLVED] lsroot local exploit *Old Bug, but still Applied*
SlackwareThis Forum is for the discussion of Slackware Linux.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
One of Indonesian Slackware Community mailing list member posted a link in our mailing list and it contains an old bug since 2004 and he asked to be tested on -Current since he is not using -Current.
I tested on -Current and yes it still applies on my machine (32 bit). Does it still applies on 64 bit system as well?
I tried to run as normal user account and i turned into root for few seconds and then my computer hang and i had to turn it off by pressing the power button
Click here to see the post LQ members have rated as the most helpful post in this thread.
Location: Geneva - Switzerland ( Bordeaux - France / Montreal - QC - Canada)
Distribution: Slackware 14.2 - 32/64bit
Posts: 609
Rep:
I had a look at the code, it seems it "simply" creates a shared library named "own.so" which export
Code:
int getuid() { return 0; }
int geteuid() { return 0; }
int getgid() { return 0; }
int getegid() { return 0; }
It's like if it was masking standard system API call forcing a "super user" state... I haven't checked too long...
What I don't understand is that the generated source file is appended with /bin/sh... Dunno if it's really part of the exploit, I would expect gcc to stop on the \0 prefix (as a normal c string)...
That's an old trick for gullible people. It's not a bug, the program does not run as root, it's just a fork bomb.
Amazes me how some people would download, and execute untrusted, unverified code. Acts like this is why other operating systems are a haven for virus, spyware, and malware.
Location: Geneva - Switzerland ( Bordeaux - France / Montreal - QC - Canada)
Distribution: Slackware 14.2 - 32/64bit
Posts: 609
Rep:
Yeah that's what I suspected... I just watch the code (I don't run blindly this kind of shit), and was wondering where the exploit was, as I couldn't understand how this could effectively give any access to anything...
Anyway, "any" executable could be some exploit if you don't trust the source... The best protection against this kind of stuff is not to launch anything you don't know AND trust... As always, the biggest security weakness is the user in front of the machine
And as disturbed1 and Neils said, if it was intended to be an exploit it's quite a cheap stuff or an epic fail for a hacker wannabe...
Yeah, this is "an old trick in the book"...
By preloading the fabricated shared-object (own.so) it replaces the normal system calls to "getuid", "getgid" with a simple "0" - where "0" normally means root.
So the shell that is called asks the UID of the user and receives "0" in return. That's why it displays "root".
But any further system calls will fail, as the user is not really root after all.
Like I said: old and silly...
Willy: Sorry to say, but who sent this is either, eh, a "noob" or has bad intentions...
A real exploit would not be hidden in a silly way and would show how it was done.
And please, don't ever run scripts like this without knowing exactly what you're doing. The next one might contain code to wipe your root partition...
Systems running PAM use other methods, and this can also be set from /etc/limits but then it doesn't always work. Provided your bourne shells support the "ulimit" command, and that your C shell supports the "limit" command, this should restrict the impact of a fork bomb no matter how you log in to the system. I haven't tried with SSH, though.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.