I still don't understand (Score 1)
That command is a riddle and, forgive me, but I think your explanation is wrong.
The final sudo -s is not there to create an error. It's a perfectly fine command and is there just to make you root on the spot.
I think a partial explanation of what goes on is this:
The first bit just creates the text you want to shove into the sudoers file. That's clear enough.
The pass to >&3 is saying send this text to file descriptor 3. This doesn't exist yet, but it will shortly.
So how does the file open happen? Well, if you put an environment variable definition in front of a command, what happens is the command runs with that environment variable temporarily set for the duration of the command. Thus
DYLD_PRINT_TO_FILE=/etc/sudoers newgrp
says create the env DYLD_PRINT_TO_FILE temporarily and set it to
newgrp doesn't actually do anything at all here other than launch a new shell, which promptly quits. However, it does run with setuid root privilege.
Guessing here: while it's running but not doing anything, the system goes, oh, I'd better open a stream to the DYLD_ file because there might be some output to log there. So it opens that file pre-emptively and duly assigns it to file descriptor 3 for input.
Unfortunately DYLD has inherited the permission of newgrp to do that, so it's doing a file open as root too.
So we can now write to 3 and DYLD_ redirects that into the file.
At this point I'm not sure what happens exactly. One possibility is the obvious one, which is that what we write to file descriptor 3 goes into the file represented by file descriptor 3. That's simple, if that's what bash would do. However, the explanation of the exploit notes that DYLD_ also fails to close its file descriptors. In which case what happens is that the newgrp command just exits, but because the pipe made it a child, its parent inherits the dangling file descriptor, and then that's why we can write to that. I really don't know my bash well enough to say which of those might be the right mechanism here, if either.
Anyone else want to explain?
Another point I'm fuzzy on here is whether the writer needs to have the same setuid as the reader.