Re: Re: OpenSSH: CVE-2015-6565 (pty issue in 6.8-6.9) can lead to local privesc on Linux

[up201407890 () alunos dcc fc up pt]

Quoting Noryungi <noryungi () gmail com>:

The PTY slave must be root owned to get root obviously, for example  
when root logs in via ssh.

> Does not work on centos 7.1 (unpatched) running stock openssh.
>
> TTY capture works, /tmp/sh is created but user is unprivileged.
>
> On Jan 26, 2017 5:52 PM, <up201407890 () alunos dcc fc up pt> wrote:
>
> > Hi list,
> >
> > I know I'm late to the party, but I was bored, so I decided to write an
> > exploit for CVE-2015-6565 which affects OpenSSH 6.8-6.9
> > It is mostly considered to be a "DoS", even though Jann Horn publicly told
> > how it could be exploited for local privilege escalation, but I guess its
> > either PoC||GTFO for users to update.
> >
> > From https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6565
> >
> > "sshd in OpenSSH 6.8 and 6.9 uses world-writable permissions for TTY
> > devices, which allows local users to cause a denial of service (terminal
> > disruption) or possibly have unspecified other impact by writing to a
> > device, as demonstrated by writing an escape sequence."
> >
> > I think the description should be updated.
> >
> > $ gcc not_an_sshnuke.c -o not_an_sshnuke
> > $ ./not_an_sshnuke /dev/pts/3
> > [*] Waiting for slave device /dev/pts/3
> > [+] Got PTY slave /dev/pts/3
> > [+] Making PTY slave the controlling terminal
> > [+] SUID shell at /tmp/sh
> > $ /tmp/sh --norc --noprofile -p
> > # id
> > euid=0(root) groups=0(root)
> >
> > Thanks,
> > Federico Bento.
> >
> >
> >
> > ----------------------------------------------------------------
> > This message was sent using IMP, the Internet Messaging Program.



----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.