Permissions abuse -> root, with real-world example 10-02-2013, 02:42 AM
This is a tutorial in the form of a short Skype conversation, because it's easier to write them in Skype and then put them here.
The exploit in question: http://en.1337day.com/exploit/20763
Oh, and ignore that shit about -funroll-loops. That guy's just being silly.
Quote:[21:15:13] Starfall: heres something a lot of people dont know
[21:15:20] Starfall: and this actually ties into the kloxo any->root thing
[21:15:32] Oni | SL: kloxo is shit >_>
[21:15:44] Misaka Mikoto | Judgement Leader: hai
[21:15:44] Starfall: lets say you have a directory owned by randomuser1
[21:15:51] Starfall: its permissions: rwxrwxrwx
[21:15:57] Misaka Mikoto | Judgement Leader: thanks for inviting me Oni
[21:15:58] Starfall: randomuser2 can do what in this directory?
[21:16:05] federal informant | autism 2k13: anyone who uses kloxo deserves to get rooted 1x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2x2
[21:16:11] Oni | SL: rwx
[21:16:17] Starfall: agreed
[21:16:26] Oni | SL: and yeah
[21:16:28] Oni | SL: kloxo blows
[21:16:35] Starfall: oni, there's a bit of strangeness about what "writing to a directory" actually means
[21:16:45] Starfall: lets say theres a root-owned file in this directory
[21:16:55] Starfall: perms: rw-r--r--
[21:17:15] Starfall: what can we do to that file?
[21:17:23] Oni | SL: read at least...
[21:17:29] Starfall: oh yes, we can read it, surely
[21:17:35] Starfall: but we can also move it and unlink it
[21:17:41] Starfall: because we can write to its parent directory
[21:18:06] Starfall: see how this may become a problem?
[21:18:10] federal informant | autism 2k13: did you know that if you compile an exploit with funroll-loops it works on any kernel
[21:18:16] Starfall: lol
[21:18:30] Oni | SL: I hate to sound like a retard, but you can move a file owned by root if you have rwx access to the directory?
[21:18:35] Starfall: yup
[21:18:36] Starfall: you sure can
[21:18:38] Oni | SL: Maybe I'm just thinking stupid currently.
[21:19:39] Starfall: user@dt:~$ sudo bash
[sudo] password for user:
root@dt:~# mkdir shitcock
root@dt:~# chmod 777 shitcock/
root@dt:~# touch shitcock/SUPERIMPORTANTCONFIGFILE
root@dt:~# exit
exit
user@dt:~$ cd shitcock/
user@dt:~/shitcock$ ls -al
total 68
drwxrwxrwx 2 root root 4096 Oct 1 21:19 .
drwxr-xr-x 94 user user 57344 Oct 1 21:18 ..
-rw-r--r-- 1 root root 0 Oct 1 21:19 SUPERIMPORTANTCONFIGFILE
user@dt:~/shitcock$ mv SUPERIMPORTANTCONFIGFILE lol
user@dt:~/shitcock$ echo "do evil stuff" > SUPERIMPORTANTCONFIGFILE
user@dt:~/shitcock$ cat SUPERIMPORTANTCONFIGFILE
do evil stuff
[21:20:36] Starfall: now, in Kloxo, we have a setup kinda like this
[21:20:38] Starfall: its not a 777 dir
[21:20:39] federal informant | autism 2k13: [9:20:05 PM] Starfall: echo "do evil stuff" > SUPERIMPORTANTCONFIGFILE
<<< sounds really fucking diabolical
[21:20:45] Starfall: but its a dir we own, with root-owned files inside
[21:20:50] Starfall: same effect can happen
[21:21:00] Starfall: there's 3 pretty damn important scripts in there
[21:21:17] Starfall: one instructs apache to change its uid before running a CGI Perl script
[21:21:27] Starfall: we can move that file, copy it back under our ownership and edit it
[21:21:33] Starfall: remove the setuid entirely (because it won't setuid to root), upload some random lame CGI shell
[21:21:37] Starfall: and then we're apache
[21:21:42] Starfall: and can run the other, public exploit
PGP
Sign: F202 79C9 76F7 40BB 54EC 494F 5DEF 1D70 14C1 C4CC
Encrypt: A5B3 1B21 55E1 80AF 4C6E DE83 467B 8EFC 3DEE 681C
Auth: CD55 E8A5 1A08 2933 8BA6 BC88 D81F 1943 739A 3C47
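The chat above makes one point: rename() and unlink() never look at the file's own permission bits, only at write+search permission on the parent directory (plus the sticky bit, if set). The audit below is an added example, not code from the original post or from Kloxo: it models that rule and walks a tree looking for files a given uid does not own and cannot write, yet can still swap out through the directory. The sample tree, the uid 1000 and the "kloxo/suexec-wrapper" path are constructed for illustration; scan_tree() collects the same metadata from a real filesystem.

```python
"""Audit for parent-directory takeover: files owned by someone else that a
given uid can rename or unlink because it can write the containing directory.
Added example; SAMPLE_TREE and the Kloxo-like path are constructed, not real."""
import os
import stat
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

ROOT_UID = 0


@dataclass(frozen=True)
class Entry:
    path: str
    mode: int  # full st_mode: file-type bits plus permission bits
    uid: int
    gid: int


def _has(e: Entry, uid: int, gids: Set[int], ubit: int, gbit: int, obit: int) -> bool:
    """Classic Unix access check: owner class wins, then group, then other."""
    if uid == ROOT_UID:
        return True
    if e.uid == uid:
        return bool(e.mode & ubit)
    if e.gid in gids:
        return bool(e.mode & gbit)
    return bool(e.mode & obit)


def can_write_file(e: Entry, uid: int, gids: Set[int]) -> bool:
    return _has(e, uid, gids, stat.S_IWUSR, stat.S_IWGRP, stat.S_IWOTH)


def can_rename_or_unlink(parent: Entry, child: Entry, uid: int, gids: Set[int]) -> bool:
    """rename()/unlink() ignore the child's mode.  They need write + search (x)
    on the parent; with the sticky bit set the caller must also own the child
    or the directory, or be root."""
    writable = _has(parent, uid, gids, stat.S_IWUSR, stat.S_IWGRP, stat.S_IWOTH)
    searchable = _has(parent, uid, gids, stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH)
    if not (writable and searchable):
        return False
    if parent.mode & stat.S_ISVTX and uid not in (ROOT_UID, child.uid, parent.uid):
        return False
    return True


def find_takeovers(entries: Iterable[Entry], uid: int, gids: Set[int]) -> List[str]:
    """Files the user neither owns nor can write, but can mv away and replace
    with an owned copy via the parent directory (the trick in the chat)."""
    by_path: Dict[str, Entry] = {e.path: e for e in entries}
    hits = []
    for e in by_path.values():
        if stat.S_ISDIR(e.mode) or e.uid == uid:
            continue
        parent = by_path.get(os.path.dirname(e.path))
        if parent is None or not stat.S_ISDIR(parent.mode):
            continue
        if not can_write_file(e, uid, gids) and can_rename_or_unlink(parent, e, uid, gids):
            hits.append(e.path)
    return sorted(hits)


def scan_tree(root: str) -> List[Entry]:
    """Collect real metadata (lstat, so symlinks are not followed) for find_takeovers()."""
    out = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for p in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            try:
                st = os.lstat(p)
            except OSError:
                continue
            out.append(Entry(p, st.st_mode, st.st_uid, st.st_gid))
    return out


D, F = stat.S_IFDIR, stat.S_IFREG
# Constructed sample tree mirroring the session above plus a Kloxo-like layout
# (path name hypothetical): a user-owned directory holding root-owned scripts.
SAMPLE_TREE = [
    Entry("/home/user", D | 0o755, 1000, 1000),
    Entry("/home/user/shitcock", D | 0o777, 0, 0),            # root-owned, chmod 777
    Entry("/home/user/shitcock/SUPERIMPORTANTCONFIGFILE", F | 0o644, 0, 0),
    Entry("/home/user/kloxo", D | 0o755, 1000, 1000),         # owned by the user
    Entry("/home/user/kloxo/suexec-wrapper", F | 0o755, 0, 0),  # root-owned script inside
    Entry("/tmp", D | 0o1777, 0, 0),                          # sticky bit: safe
    Entry("/tmp/root-owned", F | 0o644, 0, 0),
    Entry("/etc", D | 0o755, 0, 0),
    Entry("/etc/passwd", F | 0o644, 0, 0),
]

if __name__ == "__main__":
    for hit in find_takeovers(SAMPLE_TREE, uid=1000, gids={1000}):
        print("replaceable via parent dir:", hit)
```

Running it against SAMPLE_TREE flags both the 777 directory case and the user-owned-directory case, while /tmp/root-owned is not flagged because the sticky bit restricts unlink/rename to the file owner, directory owner or root. The fix on a real box follows from the same rule: root-owned configuration or hook scripts must live in a root-owned, non-world-writable directory; the file's own mode is irrelevant.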