[9fans] a challenge - Plan9


  1. [9fans] a challenge

    here is a challenge. I realize it's linux but I think this is the
    right group to ask anyway; I think you'll appreciate the humor in it.
    So far few I have talked to have gotten it.

    There is a file, called /bin/bash.

    You are allowed to do this as root.
    cp this file to /tmp. Do something to it to make it so that, when you
    are not root, you can run the file in /tmp and get a root shell.

    Don't assume the obvious. And please don't post "that's trivial" until
    you have actually done it.

    ron

  2. Re: [9fans] a challenge

    I don't have Linux, but I'll see if Mac OS X has that vulnerability.

    On Feb 22, 2008, at 12:53 PM, ron minnich wrote:

    > here is a challenge. I realize it's linux but I think this is the
    > right group to ask anyway; I think you'll appreciate the humor in it.
    > So far few I have talked to have gotten it.
    >
    > There is a file, called /bin/bash.
    >
    > You are allowed to do this as root.
    > cp this file to /tmp. Do something to it to make it so that, when you
    > are not root, you can run the file in /tmp and get a root shell.
    >
    > Don't assume the obvious. And please don't post "that's trivial" until
    > you have actually done it.
    >
    > ron



  3. Re: [9fans] a challenge

    > here is a challenge. I realize it's linux but I think this is the
    > right group to ask anyway; I think you'll appreciate the humor in it.
    > So far few I have talked to have gotten it.
    >
    > There is a file, called /bin/bash.
    >
    > You are allowed to do this as root.
    > cp this file to /tmp. Do something to it to make it so that, when you
    > are not root, you can run the file in /tmp and get a root shell.
    >
    > Don't assume the obvious. And please don't post "that's trivial" until
    > you have actually done it.
    >
    > ron


    On Debian, all you have to do is this as root:
    cp /bin/bash /tmp/sh
    chmod u+s /tmp/sh

    Then you can run /tmp/sh as any user and get euid root. It seems that
    you can ONLY do this if you rename bash to sh.


    John


  4. Re: [9fans] a challenge

    Nope.

    On Feb 22, 2008, at 12:57 PM, Pietro Gagliardi wrote:

    > I don't have Linux, but I'll see if Mac OS X has that vulnerability.
    >
    > On Feb 22, 2008, at 12:53 PM, ron minnich wrote:
    >
    >> here is a challenge. I realize it's linux but I think this is the
    >> right group to ask anyway; I think you'll appreciate the humor in it.
    >> So far few I have talked to have gotten it.
    >>
    >> There is a file, called /bin/bash.
    >>
    >> You are allowed to do this as root.
    >> cp this file to /tmp. Do something to it to make it so that, when you
    >> are not root, you can run the file in /tmp and get a root shell.
    >>
    >> Don't assume the obvious. And please don't post "that's trivial" until
    >> you have actually done it.
    >>
    >> ron


  5. Re: [9fans] a challenge

    well, i checked the source. turns out bash 3.2 drops privileges if uid
    != euid and requires the -p flag to allow itself to run in setuid
    mode:

    $ cp /bin/bash .
    $ sudo chown root bash
    $ sudo chmod 4755 bash
    $ ./bash -p
    # id
    uid=500(andrey) gid=500(andrey) euid=0(root) groups=500(andrey)
    # whoami
    root
    #

    that doesn't make me like Plan 9 any less, you know

    On Fri, Feb 22, 2008 at 10:53 AM, ron minnich wrote:
    > here is a challenge. I realize it's linux but I think this is the
    > right group to ask anyway; I think you'll appreciate the humor in it.
    > So far few I have talked to have gotten it.
    >
    > There is a file, called /bin/bash.
    >
    > You are allowed to do this as root.
    > cp this file to /tmp. Do something to it to make it so that, when you
    > are not root, you can run the file in /tmp and get a root shell.
    >
    > Don't assume the obvious. And please don't post "that's trivial" until
    > you have actually done it.
    >
    > ron
    >
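
An added example, not part of the thread: a defender-side audit for the situation posts 3 and 5 describe, a setuid copy of a shell left in a directory such as /tmp. Because the copy may be renamed (post 3 calls it sh), it compares file contents against known shells instead of matching names. The function name and output format are assumptions of this sketch.

```shell
#!/bin/sh
# find_setuid_shell_copies DIR [SHELL...]
# Prints one line per setuid regular file under DIR whose bytes are identical
# to a reference shell: "<path> uid=<owner uid> copy-of=<shell>".
# With no SHELL arguments, the reference list comes from /etc/shells,
# falling back to /bin/sh when that file is absent.
find_setuid_shell_copies() {
    dir=$1
    shift
    if [ $# -eq 0 ]; then
        if [ -r /etc/shells ]; then
            # Lines starting with "/" are shell paths; the rest are comments.
            set -- $(grep '^/' /etc/shells)
        else
            set -- /bin/sh
        fi
    fi
    # -perm -4000 selects files with the setuid bit set; -xdev stays on DIR's
    # filesystem. Paths containing newlines are not handled.
    find "$dir" -xdev -type f -perm -4000 2>/dev/null |
    while IFS= read -r f; do
        for s in "$@"; do
            [ -r "$s" ] || continue
            # cmp -s is silent and returns 0 only for byte-identical files,
            # so a copy renamed to "sh" or anything else is still caught.
            if cmp -s "$f" "$s"; then
                owner=$(ls -ln "$f" | awk '{print $3}')
                printf '%s uid=%s copy-of=%s\n' "$f" "$owner" "$s"
                break
            fi
        done
    done
}

# Run as a script: audit the directory given on the command line.
if [ $# -gt 0 ]; then
    find_setuid_shell_copies "$@"
fi
```

A hit with uid=0 is the case the thread is about; mounting /tmp with the nosuid option stops the kernel from honoring the bit there at all.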


  6. Re: [9fans] a challenge

    On Fri, Feb 22, 2008 at 10:23 AM, andrey mirtchovski wrote:
    > well, i checked the source. turns out bash 3.2 drops privileges if uid
    > != euid and requires the -p flag to allow itself to run in setuid
    > mode:


    I saw something even more bizarre last night on busy box: it looked
    like some library and/or bash was looking for a file called
    /etc/sudo_test or some such.

    It's just amazing the kind of stuff that the gnu guys are wrapping
    around the kernel to try and bail the boat out.

    ron

  7. Re: [9fans] a challenge

    > It's just amazing the kind of stuff that the gnu guys are wrapping
    > around the kernel to try and bail the boat out.


    I guess when you're sinking you do whatever it takes. Imagine what
    it's like for Microsoft...

    ++L

    PS: MS-DOS didn't have all this trouble, I sometimes wonder if all
    this additional security isn't exactly the opposite of what's needed.
    I feel the same about cars with electronics and air bags, which is
    hardly surprising because there are incredible parallels between the
    car industry and the computer industry. But the issue of security is
    terribly ambiguous.


  8. Re: [9fans] a challenge

    > I saw something even more bizarre last night on busy box: it looked

    the punctuation is wrong there, i think:
    > I saw something even more bizarre last night: busy box

    and you could just stop there

