SUDO privilege escalation vulnerability CVE-2017-1000367
Good morning kids, I bring you candy...
Short story: a new CVE that allows privilege escalation due to a bug in the get_process_ttyname() function.
I leave you an example and the link to the publication, enjoy!!
========================================================================
Exploitation
========================================================================

To exploit this vulnerability, we:

- create a directory "/dev/shm/_tmp" (to work around /proc/sys/fs/protected_symlinks), and a symlink "/dev/shm/_tmp/_tty" to a non-existent pty "/dev/pts/57", whose device number is 34873;

- run Sudo through a symlink "/dev/shm/_tmp/ 34873 " that spoofs the device number of this non-existent pty;

- set the flag CD_RBAC_ENABLED through the command-line option "-r role" (where "role" can be our current role, for example "unconfined_r");

- monitor our directory "/dev/shm/_tmp" (for an IN_OPEN inotify event) and wait until Sudo opendir()s it (because sudo_ttyname_dev() cannot find our non-existent pty in "/dev/pts/");

- SIGSTOP Sudo, call openpty() until it creates our non-existent pty, and SIGCONT Sudo;

- monitor our directory "/dev/shm/_tmp" (for an IN_CLOSE_NOWRITE inotify event) and wait until Sudo closedir()s it;

- SIGSTOP Sudo, replace the symlink "/dev/shm/_tmp/_tty" to our now-existent pty with a symlink to the file that we want to overwrite (for example "/etc/passwd"), and SIGCONT Sudo;

- control the output of the command executed by Sudo (the output that overwrites "/etc/passwd"):

  . either through a command-specific method;

  . or through a general method such as "--\nHELLO\nWORLD\n" (by default, getopt() prints an error message to stderr if it does not recognize an option character).

To reliably win the two SIGSTOP races, we preempt the Sudo process: we setpriority() it to the lowest priority, sched_setscheduler() it to SCHED_IDLE, and sched_setaffinity() it to the same CPU as our exploit.

LINK --> http://www.openwall.com/lists/oss-security/2017/05/30/16
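The root cause behind the spoofed symlink name is a parsing weakness in get_process_ttyname(): it locates field 7 (tty_nr) of /proc/self/stat by counting spaces from the start of the line, but field 2 (comm) is the basename of the executable and may itself contain spaces. The example below is added here and is not sudo's code or part of the advisory: tty_nr_naive is a hypothetical space-counting parser of that kind, tty_nr_fixed anchors on the last ')' instead, and both stat lines are constructed (the spoofed one assumes five leading spaces in the comm, since the forum rendering collapses runs of whitespace).

```python
# Constructed /proc/[pid]/stat lines (not captured from a real system).
# Layout: pid (comm) state ppid pgrp session tty_nr ...
# 34817 == (136 << 8) | 1 is /dev/pts/1; 34873 == (136 << 8) | 57 is /dev/pts/57.
NORMAL_STAT = "1234 (sudo) R 1000 1234 1234 34817 1234 4194304 0 0 0 0 0 0 0 0 20 0 1 0 5 0 0\n"
# Same process, but run through a symlink whose basename is five spaces,
# "34873" and a trailing space; the process actually has no tty (tty_nr 0).
SPOOFED_STAT = ("1234 (" + " " * 5 + "34873 ) R 1000 1234 1234 0 1234 4194304 "
                "0 0 0 0 0 0 0 0 20 0 1 0 5 0 0\n")


def tty_nr_naive(stat: str) -> int:
    """Hypothetical space-counting parse: skip six spaces from the start and
    read the next token as field 7 (tty_nr). Spaces inside comm shift the count,
    so the caller of the binary controls which token is returned."""
    pos = 0
    for _ in range(6):
        pos = stat.index(" ", pos) + 1
    end = stat.index(" ", pos)
    return int(stat[pos:end])


def tty_nr_fixed(stat: str) -> int:
    """Anchor on the last ')' instead: every field after comm is numeric or a
    single state letter, so the last ')' is always comm's closing parenthesis,
    whatever spaces or parentheses the executable name contains."""
    close = stat.rfind(")")
    if close < 0:
        raise ValueError("malformed stat line: no closing parenthesis")
    rest = stat[close + 1:].split()   # [state, ppid, pgrp, session, tty_nr, ...]
    if len(rest) < 5:
        raise ValueError("malformed stat line: too few fields after comm")
    return int(rest[4])


def pts_index(tdev: int):
    """Map a tty_nr to its /dev/pts index (Linux encodes small dev_t values as
    major << 8 | minor; pseudo-terminal slaves use major 136). None if not a pts."""
    return tdev & 0xFF if (tdev >> 8) == 136 else None


def tty_nr_of(pid="self") -> int:
    """Read the whole stat file (not just the first line) and parse it the
    robust way, so a newline in comm cannot truncate the input either."""
    with open(f"/proc/{pid}/stat") as f:
        return tty_nr_fixed(f.read())
```

With the spoofed line the naive parser reports /dev/pts/57 for a process that has no tty at all, which is exactly the confusion that lets the later symlink swap redirect sudo's tty lookup.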