What exactly is this about? I recently (in a hackers contest) made a bash script that exploited a weakness like that, but I still don't understand how it works. Here's the code I used:
A guy helped me on how to do it, but he didn't explain what it did. Can anyone help? Here are some indications:
rm -f /var/tmp2/ps2.tmp
ln -s /bin/pass /var/tmp2/ps2.tmp
- /usr/bin/ps2 is setuid level9 and group level8 has execute permissions.
- /bin/pass gives the password of our effective ID. So, since /usr/bin/ps2 is setuided, we wanted to run /bin/pass at the same time.
- /usr/bin/ps2 makes a tmp file: /var/tmp2/ps2.tmp
I don't have the source code of ps2, but can anyone tell me what happens? Why when I link /bin/pass after the file is removed, it executes /bin/pass?