
HP-UX: A Security Overview, Part One – Excellent whitepaper on HP-UX security, covering many of the basics.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
HP-UX: A Security Overview, Part One revision02 17mar98
http://www.legions.org
---------------------------------------------------------------------------
Table of Contents:

1) Intro and Disclaimer 5) The Trusted System
2) HP-UX: an Overview 6) Resources
3) The Setup by Default 7) Exploits
4) HP-UX Security Measures 8) To Be Continued
---------------------------------------------------------------------------
1) Intro and Disclaimer

a) This text is designed to complement general Unix knowledge. Every Unix
OS is different in its own right; this text delves into HP-UX-specific
areas. It is not a Unix tutorial, rather a supplement to fundamental
Unix hacking knowledge.
b) This text will cover HP-UX version 10.x primarily. Specifically, 10.10
and 10.20 will be in mind. 11.0 has been released and I haven't gotten
to checking it out yet. 9.x is old, and no longer supported by HP. Thus,
the most logical choice (and most popular version of HP-UX) is 10.x.
c) I'm not perfect; please notify me of any errors in the document. Also,
if you see anything you want added to this file, feel free to send them
to me.
d) This text was written for educational purposes only.
e) Thanks to HP, rootshell, and the various other hacker folks that have
helped me write this article. Special thanks to Colonel Panic for find-
ing many exploits, some of which I have used as examples. Shouts out to
my fellow LoU members, the SOD, and the Chicago crew.
---------------------------------------------------------------------------
2) HP-UX: an Overview

Largely based on SysV, Hewlett Packard's version of Unix, HP-UX, has un-
dergone many changes and many version updates (the current version is
11.0). While robust in many areas (ie, memory management, overall
performance, etc), security leaves much to be desired. HP's vision of
Unix seems to come from that of a closed network with non-malicious users
(ie, /usr/local being world-writeable); the Internet has only recently
exploded, and HP seems to be playing "catch up" on network and internal
security. HP's solution to security problems has been patches. Lots of
patches. You can see the patches on a system by typing "swlist -l product"
(substitute "fileset" for "product" for more specific information); HP-UX
patches show up as products named PHCO_nnnnn (commands), PHKL_ (kernel),
PHNE_ (networking) and PHSS_ (subsystems), so "swlist -l product | grep PH"
gives you just the patches. Patch and software information is stored in
/var/adm/sw; the files a patch replaced are saved under /var/adm/sw/save
for rollback, so you can check out the older, pre-patch binaries there.
As usual, system logs are kept in /var/adm (along with btmp, utmp, and
wtmp).
---------------------------------------------------------------------------
3) The Setup by Default

By default, HP-UX is VERY insecure. Yes, most Unixes are (by default),
but HP-UX even more so. Here is a brief rundown of what is insecure by
default:
o /usr/local and its subdirectories are world writeable.
o Many applications are installed world writeable by default (ie, the
MeasureWare database module for Oracle installs this way).
o root's umask is set to 02 (new files are group-writeable).
o cue is installed setuid root (see section 7 for the exploit).
o The system is un-"Trusted." See section 5.
o Direct login as root is possible from all ttys (a result of being un-
"Trusted").
o System logging is set pretty minimal (see /etc/syslog.conf); not that it
matters, as system logging is pretty minimal no matter how you have it.
o /etc/logingroup is non-existent. While this is not an insecurity, it's
worth mentioning.
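A quick way to spot-check these defaults on a box is a handful of find-based
tests. The script below is an added example, not code from the original
text: each check takes the tree to inspect as an argument, so it can be
pointed at / on a live HP-UX system or at the constructed sample tree the
script builds for itself. The function names and the sample tree are
assumptions; the paths inside it (usr/local, usr/bin/cue, tcb) are the ones
the list above names.

```shell
#!/bin/sh
# Added example, not code from the original text: spot-checks for the
# HP-UX defaults listed above. Every function takes the tree to inspect as
# an argument so the checks can run against "/" on a real box or against
# the constructed tree built by demo_tree below.

# World-writeable directories below a tree. Directories with the sticky bit
# (/tmp, /var/tmp) are skipped because world-write is intended there.
world_writeable_dirs() {   # TREE
    find "$1" -type d -perm -002 ! -perm -1000 2>/dev/null
}

# Setuid files below a tree; a stock /usr/bin/cue shows up here.
setuid_files() {           # TREE
    find "$1" -type f -perm -4000 2>/dev/null
}

# The text's test for a Trusted System: does /tcb exist?
is_trusted() {             # TREE
    [ -d "${1%/}/tcb" ]
}

# Print a report; every line that starts with WARN is a finding.
audit_tree() {             # TREE
    root=${1%/}
    world_writeable_dirs "$root/usr/local" | while read -r d; do
        echo "WARN world-writeable directory: $d"
    done
    setuid_files "$root/usr/bin" | while read -r f; do
        echo "WARN setuid binary: $f"
    done
    if is_trusted "$root"; then
        echo "OK   Trusted System ($root/tcb present)"
    else
        echo "WARN not a Trusted System ($root/tcb missing)"
    fi
}

# Number of WARN lines for a tree, so a caller can assert on it.
count_findings() {         # TREE
    audit_tree "$1" | grep -c '^WARN'
}

# Constructed sample tree reproducing the defaults the text describes:
# world-writeable /usr/local, setuid /usr/bin/cue, no /tcb, plus a sticky
# /tmp that must not be reported. Prints the tree's path.
demo_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/usr/local/bin" "$t/usr/bin" "$t/tmp"
    chmod 755 "$t/usr" "$t/usr/bin" "$t/usr/local/bin"
    chmod 777 "$t/usr/local"
    : > "$t/usr/bin/cue"
    chmod 4755 "$t/usr/bin/cue"
    chmod 1777 "$t/tmp"
    echo "$t"
}

T=$(demo_tree)
trap 'rm -rf "$T"' EXIT
audit_tree "$T"
```

Run it as is to see the three findings on the sample tree, or call
audit_tree / on a real system. The sticky-bit exclusion is what keeps /tmp
and /var/tmp out of the report; the setuid scan is deliberately limited to
the tree you pass it, so widen it to /usr and /opt when auditing a live box.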
---------------------------------------------------------------------------
4) HP-UX Security Measures

o Suid scripts not possible
This is a popular trend in newer Unix OS's. Basically, the kernel ignores
the setuid bit on an interpreted (#!) script, so a suid script will not
run as root. Only binaries matter.
o Dialup passwords
You can set an additional password for a dialin device. If you dialed
into an HP-UX server with dialup passwords enabled, you would enter your
usual login and password, then an _additional_ dialup password. Each
dialup password is dependent on the shell; the shell is used as the "login"
field. To explain further, look at /etc/d_passwd:

/bin/sh:qKrbuYLg9B2vU:0:0:::
/bin/csh:4LcBNqYbmdp3Y:0:0:::
/bin/ksh:zKanqUcdEzh3Q:0:0:::

What's important here are the first two fields (obviously): the shell and
the encrypted dialup password for it. Two other things to note. Firstly,
if the system is relatively secure, the "login" field can only be eight
characters long. This creates a problem if your shell is
"/usr/local/bin/tcsh" (19 chars). Thus, what's done is either: a link is
created that is less than eight characters (ie, /bin/tsh -> /usr/local/
bin/tcsh) or dialup passwords just aren't used. Secondly, the file that
lists which ttys the dialin lines are on is /etc/dialups:

/dev/ttyd0p7

That's it. That's the format of the file: one tty device per line.

o lanscan and ioscan
Just a side note to the standard commands, ifconfig and netstat.
lanscan will tell you what interface cards you have on the system, which
are up or down, etc, etc. ioscan is similar, but covers the entire system,
ie, hard drives, I/O adapters, memory, etc. Might be useful in getting more
intimate with your system.
---------------------------------------------------------------------------
5) The Trusted System

What is a "Trusted System"? Check for a /tcb directory. The existence of
a /tcb directory signifies that the system you're on is a "Trusted System."
The conversion to this is done through /usr/sbin/sam by root. Here is what
converting does to a system:
o Pseudo-shadow password scheme (actually uses a "protected password
database").
o A stricter password authentication system.
o User auditing.
o Access control lists (acls) [note: only supported under hfs, not vxfs]
[second note: being phased out].
o Terminal and time-based access control.

To put this all together: in the /tcb/files/auth directory there are a
number of subdirectories named by capital and lowercase letters, ie, "e,"
"T," and so forth. This is the initial of the login. In that directory
is a file per user. Thus, root's file would be /tcb/files/auth/r/root.
What's in this file? It's basically like a password entry, with more
fields. ie, /tcb/files/auth/r/root:

root:u_name=root:u_id#0:\
:u_pwd=Z1Po84UVyBbGE:\
:u_bootauth:u_auditid#0:\
:u_auditflag#1:\
:u_pswduser=root:u_suclog#8895646615:u_lock@:chkent

root's entry in /etc/passwd would then be:
root:*:0:3:root:/:/sbin

If it isn't obvious, the login and user id from /etc/passwd are there,
along with additional information. The syntax is the termcap-style
authcap format: "name=string" for strings, "name#number" for numbers, a
bare "name" for a flag that is set and "name@" for a flag that is cleared
(so root's u_lock@ means the account is not locked); a trailing backslash
continues the entry on the next line, and chkent ends it. The above
example has only a few fields listed.

The full contents of an HP-UX password database file would contain:

a) login and user id (u_name and u_id in the example)
b) encrypted password (u_pwd in the example)
c) account owner
d) single user mode boot flag (u_bootauth in the example)
e) audit id and audit flag (u_auditid and u_auditflag in the example)
f) minimum time between password changes (not in example - u_minchg)
g) password max length (not in example - u_maxlen)
h) password expiration time (not in example - u_exp)
i) password lifetime (not in example - u_life)
j) time of last successful and unsuccessful password change (not in
   example - u_usucchg & u_unsucchg)
k) absolute password expiration date (not in example - u_acct_expire)
l) max time allowed between logins before the account is locked (not in
   example - u_max_llogin)
m) max days before expiration when a warning will appear (not in
   example - u_pw_expire_warning)
n) user or system generated password? (not in example - u_pickpw)
o) type of system-generated passwords (not in example - u_genpwd)
p) triviality check on user-generated passwords (not in example -
   u_restrict)
q) can pick a null password? (not in example - u_nullpw)
r) userid of the last person who changed this password (not in example -
   u_pwchanger)
s) random number that the user must supply (given to him by the admin)
   when the password is reset (not in example - u_pwd_admin_num)
t) can the user generate a random number for a password? (not in
   example - u_genchars)
u) can the user generate random letters for a password? (not in
   example - u_genletters)
v) time of day when the user can login (not in example - u_tod)
w) time of last successful login (u_suclog in the example)
x) time of last unsuccessful login (not in example - u_unsuclog)
y) terminal or remote host of the last successful and unsuccessful
   logins (not in example - u_suctty & u_unsuctty)
z) number of unsuccessful logins; this clears upon a successful login
   (not in example - u_numunsuclog)
1) max number of login attempts before the account is locked (not in
   example - u_maxtries)
2) account locked flag (u_lock in the example; u_lock@ means not locked)

In /tcb/files, in addition to auth, there are two files, devassign and
ttys. devassign contains device access info and ttys contains terminal
access info. Both use the same authcap syntax as the auth entries.

Here are a few lines from devassign:
console:v_devs=/dev/console:v_type=terminal:chkent:
ttyp0:v_devs=/dev/ttyp0:v_type=terminal:chkent:
ttyp1:v_devs=/dev/ttyp1:v_type=terminal:chkent:

The format of this file contains:
a) device name
b) aliases to that device (v_devs in the example)
c) device type supported, ie, printer, terminal, tape, or remote (v_type
   in the example)
d) users permitted on that device; if not specified, all users may use it

Here are a few lines from ttys:
console:t_devname=console:t_maxtries#777:chkent:
tty:t_devname=tty:chkent:
tty00:t_devname=tty00:chkent:

The above example only has a few fields listed. The full format of this
file contains:
a) device name (t_devname in the example)
b) last user (id) to log into that tty (not in example - t_uid)
c) last successful login time (not in example - t_logtime)
d) last unsuccessful login time (not in example - t_unsuctime)
e) number of consecutive unsuccessful logins before the tty is locked
   (t_maxtries in the example)
f) terminal lock flag
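Since the auth entries, ttys and devassign all share this termcap-like
syntax, one parser serves all three. The script below is an added example,
not code from the original text: it joins the backslash-continued lines,
looks up a capability by name and decodes the four value forms (string,
number, flag set, flag cleared), and lists the logins whose u_lock flag is
set. The root entry is the one quoted above; the guest entry, the ttys
sample, the function names and the temp files are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the original text: a parser for the
# authcap-style entries used by /tcb/files/auth/*/*, /tcb/files/ttys and
# /tcb/files/devassign. The root entry is the one quoted in the text; the
# guest entry and the function names are constructed for the demo.

# Join backslash-continued lines so every entry is one physical line.
# Continuation lines in real files are indented, so leading blanks are
# dropped before appending.
tcb_entries() {   # FILE
    awk '
        {
            s = $0
            if (line != "") sub(/^[ \t]+/, "", s)
            line = line s
            if (line ~ /\\$/) { sub(/\\$/, "", line); next }
            print line
            line = ""
        }
        END { if (line != "") print line }
    ' "$1"
}

# Print the single joined entry whose first field is NAME.
tcb_entry() {     # FILE NAME
    tcb_entries "$1" | awk -F: -v n="$2" '$1 == n { print; exit }'
}

# Look up one capability in an entry and print its value:
#   cap=string -> string   cap#number -> number
#   cap        -> true     cap@       -> false
# Prints nothing and returns 1 when the entry or the capability is absent.
tcb_get() {       # FILE NAME CAP
    tcb_entry "$1" "$2" | awk -F: -v cap="$3" '
        {
            for (i = 2; i <= NF; i++) {
                f = $i
                if (f == cap)       { print "true";  found = 1; exit }
                if (f == (cap "@")) { print "false"; found = 1; exit }
                if (index(f, cap "=") == 1 || index(f, cap "#") == 1) {
                    print substr(f, length(cap) + 2); found = 1; exit
                }
            }
        }
        END { if (found) exit 0; exit 1 }
    '
}

# Every login whose u_lock flag is set, ie, every locked account.
tcb_locked_users() {   # FILE
    tcb_entries "$1" | awk -F: '{ for (i = 2; i <= NF; i++) if ($i == "u_lock") print $1 }'
}

# Constructed sample files: the root entry from the text plus a locked
# "guest" account, and the three ttys lines from the text.
AUTH=$(mktemp); TTYS=$(mktemp)
trap 'rm -f "$AUTH" "$TTYS"' EXIT
cat > "$AUTH" <<'EOF'
root:u_name=root:u_id#0:\
    :u_pwd=Z1Po84UVyBbGE:\
    :u_bootauth:u_auditid#0:\
    :u_auditflag#1:\
    :u_pswduser=root:u_suclog#8895646615:u_lock@:chkent
guest:u_name=guest:u_id#200:u_pwd=*:u_maxtries#3:u_numunsuclog#3:\
    :u_lock:chkent
EOF
cat > "$TTYS" <<'EOF'
console:t_devname=console:t_maxtries#777:chkent:
tty:t_devname=tty:chkent:
tty00:t_devname=tty00:chkent:
EOF

echo "root locked:   $(tcb_get "$AUTH" root u_lock)"        # false
echo "guest locked:  $(tcb_get "$AUTH" guest u_lock)"       # true
echo "console tries: $(tcb_get "$TTYS" console t_maxtries)" # 777
echo "locked logins: $(tcb_locked_users "$AUTH")"           # guest
```

On a real Trusted System point it at /tcb/files/auth/r/root (readable by
root only) and you get the same answers the fields list above describes;
tcb_locked_users over all of /tcb/files/auth/*/* is a one-liner audit of
locked accounts. The double colons that the joined continuation lines
produce are harmless: they become empty fields the lookup skips.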

In actuality, not many HP-UX systems are set up to be Trusted. Managing
a password database and tweaking it is more work than necessary. In
addition, remote commands are not possible on a Trusted System unless
they are issued _from_ a Trusted System. Lastly, the mapping files that
sync /etc/passwd with /tcb/files/auth are contained in
/tcb/files/auth/system. These are called pw_id_map, gr_id_map, and
aid_id_map. It is very likely that these mapping files will get out of
sync with the database files. The solution is removing them and letting
them regenerate. However, all in all, having a Trusted System can prove
to take as much maintenance as an un-Trusted System. It's really the
admin's call. I've seen maybe about half and half these days.
---------------------------------------------------------------------------
6) Resources

o If you have a question about a patch, check out
ftp://us-support.external.hp.com. All the current patches are available
there for your perusal.

o http://www.rootshell.com, http://get.your.exploits.org,
http://www.hha.net/hha/exploits, http://www.dhp.com/~fyodor/sploits_hpux.html:
Very good sites with Unix and HP-UX-specific exploits. Both explanations
and source code/scripts are available here.

o Usenet: comp.os.security.announce and comp.sys.hp.hpux: Sometimes
regular updates of weaknesses. Avoid alt.2600 at all costs.

o And of course, the ever-so-handy man command.
---------------------------------------------------------------------------
7) Exploits

These are only a few of many. I only added a few, as I wanted to explain
about HP-UX security in general. Part 2 will delve deeper into exploits
(as well as auditing, system calls, and acls).

o cue bug
The first thing to do after gaining access to an HP-UX system is to check
whether cue exists (typically /usr/bin/cue). Make sure it's a suid root
binary (which it is by default). Simply set your umask to 000. Now start
cue. In your home directory, do an ll. You'll see that the file created by
cue (in my case, it's called "IDMERROR.ttyp1") is owned by root. You'll
also see that cue honours your umask, so the file is world-writeable. Now
exit cue. Remove the *ERROR* file created by cue. Think of a file like
/etc/passwd or /.rhosts. Do an "ln -s /etc/passwd ~/IDMERROR.ttyp1" (or
whatever suits your needs). Now start cue again. Exit it. cue follows the
symlink, so the root-owned file that wasn't writeable by anyone not only
is now truncated, but it also has world write permission. Do whatever you
want with it.

o ftp mget bug
This won't do you much good if ftp isn't suid root (most likely it
won't be), but it still works (just not as root). In /tmp, create a
separate directory (we'll use "test"). cd to that directory and execute
this command: echo "date > /tmp/BLAH" > "|sh". Notice that /tmp/BLAH does
not exist yet. Now, ftp to localhost. cd to /tmp/test and do a "mget *";
the ftp client takes the received file name "|sh" as a pipe to a command
and runs it. Now quit ftp and check for a /tmp/BLAH. It exists! cat it.
Now what if ftp was suid root, and the echo command you used to create
"|sh" was this: echo "chmod 777 /etc/passwd" > "|sh"?

o Old SAM bug
Typically, when SAM (System Administration Manager) is being run by
an admin, a temp file is created in /var/tmp. Newer, patched SAMs use
unpredictable file names, ie OBAMDBAa01687 or aaaa01990, etc. But older
SAMs used a consistent file name when writing this temp file. It was
called: outdata. Since SAM is typically run as root, you'll see what I'm
getting at here (the temp file is created as root). Simply create a link
from that temp file name to a file such as /etc/passwd (ie, ln -s
/etc/passwd /var/tmp/outdata). Now if root's umask is set to 000, then
you'll have a writeable /etc/passwd the next time the admin runs SAM.
This trick is unlikely these days, as most SAMs are patched and most
admins don't use umask 000 on root.

o Old SAM bug 2
On older versions of SAM, a user named sam_exec was created with uid 0.
The default password for this on 10.x is: x7vpa5jh
Simply login as sam_exec, and hit control-c right away for a shell.

o ppl bug
Another symbolic link exploit. ppl's log file is /var/ppl/log. You can
simply remove or move this so that /var/ppl/log is non-existent (/var/ppl
is world-writeable by default, so you are allowed to). The log file is
owned by root (ppl is a suid program). Next, think of a file that you'd
like to nuke and own (if you don't want to get caught, try /.rhosts
instead of something like /etc/passwd; in addition, save the old
/var/ppl/log somewhere to put back when you're done). Now do a: ln -s
/.rhosts /var/ppl/log. Then type:
ppl -o '\
+ +
'
or whatever you want to place in /.rhosts. You get the drift. Now you can
remove /var/ppl/log and put the old one back in place. You can now rlogin
as root.
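The cue, SAM and ppl bugs are the same bug three times over: a privileged
program opens a predictable path in a directory the attacker can write to,
follows the symlink planted there and truncates the target, and, when it
creates the file fresh, the attacker's umask decides its mode. The script
below is an added example, not code from the original text or from HP: it
reproduces that behaviour without root against a constructed stand-in for
/etc/passwd, and shows the fix (refuse symlinks, force the umask, and use
mktemp for temp files). The function names, the stand-in files and the
mktemp directories are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not code from the original text: the mechanism shared by
# the cue, SAM and ppl bugs, reproduced unprivileged. Function names and
# the files under the mktemp directory are constructed for the demo.

# Vulnerable pattern (ppl on /var/ppl/log, cue on ~/IDMERROR.tty, old SAM
# on /var/tmp/outdata): open the predictable path and write, inheriting
# whatever umask the caller set.
naive_log_write() {   # PATH MESSAGE
    printf '%s\n' "$2" > "$1"
}

# Hardened: never write through a symbolic link and never inherit the
# caller's umask. A window remains between the -L test and the redirect;
# a C program closes it with open(O_CREAT|O_EXCL|O_NOFOLLOW), which the
# shell cannot express.
safe_log_write() {    # PATH MESSAGE
    if [ -L "$1" ]; then
        echo "refusing to write through symlink $1" >&2
        return 1
    fi
    (umask 077; printf '%s\n' "$2" > "$1")
}

# Temp files get an unpredictable name from mktemp, which is what the
# patched SAM does instead of the fixed /var/tmp/outdata.
safe_temp_file() {    # DIR
    mktemp "$1/sam.XXXXXX"
}

# Permission string of a file, "-rw-rw-rw-" style.
mode_of() {           # FILE
    ls -ld "$1" | cut -c1-10
}

# Stage the ppl attack from the text against a constructed stand-in for
# /etc/passwd, run WRITER on the planted link the way "ppl -o" would, and
# report whether the target survived. Prints "clobbered" or "intact".
demo() {              # WRITER
    d=$(mktemp -d)
    mkdir -p "$d/var/ppl"
    printf 'root:*:0:3:root:/:/sbin/sh\n' > "$d/passwd"   # constructed target
    ln -s "$d/passwd" "$d/var/ppl/log"                    # the attacker's link
    "$1" "$d/var/ppl/log" '+ +' 2>/dev/null || true
    if grep -q '^root:' "$d/passwd"; then echo intact; else echo clobbered; fi
    rm -rf "$d"
}

echo "naive writer: $(demo naive_log_write)"   # clobbered
echo "safe writer:  $(demo safe_log_write)"    # intact
```

The symlink test is the part that kills all three exploits on the page;
the umask reset is what stops the cue variant from handing out a
world-writeable file, and mktemp is the SAM fix. The lstat-then-open race
noted in the comment is real, so in a setuid binary do the check on the
opened descriptor, not on the path.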

o Educational Centers
HP's educational centers are protected mainly by firewalls. But if you
happen to get in, the root password on nearly all machines is simply: hp.
---------------------------------------------------------------------------
8) To Be Continued
Part Two will delve deeper into the Trusted System, specifically cover-
ing auditing and acls. Exploits will also be covered in greater detail.
---------------------------------------------------------------------------
(c) 1998 tip of Legions of the Underground http://www.legions.org
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

check out the underground - http://www.legions.org
