
Getting root Remotely

The following has been taken from Bugtraq; this exploit is supposed to get you root. However, it has not been tested or verified by me, so give me feedback.

___________________________________________

From: ron1n -

Subject: Redhat Linux 6.x remote root exploit

To: BUGTRAQ@SECURITYFOCUS.COM

X-UIDL: ad2856edbbc97d8db5d468ce6eb1f600

Hi,

Included below is an exploit for the recently exposed linux rpc.statd format string vulnerability[0]. I have tailored it towards current Redhat Linux 6.x installations. It can easily be incorporated into attacks against the other vulnerable Linux distributions.

I am not a security expert, but I'll offer my two cents worth: this format string issue, while drawing upon elements of straightforward buffer overflow exploitation, is more insidious and will probably take some time to instill itself in the minds of even security-conscious programmers. Programs like ITS4[1], pscan[2], and grep (heh!) do offer valuable assistance when trying to isolate weak portions of code in a phase one search. However, one thing I've learnt during my short time researching these things is that the complex interaction between code and data introduces the need for a more extensive line-by-line audit[3].

This "new" problem will (if it hasn't already) spark a new wave of code reviews of critical applications, especially those networking daemons and privileged programs which were given the "all clear" in the first sweep (although history shows us that a lot of programs somehow slipped through the cracks.) Someone else sent an excellent post about the possibility of "remote debugging" with these format string vulnerabilities. Once again, I'm not speaking out of any authority, but I can say that such an aid to otherwise blind exploitation is indeed a godsend when a host is being probed by a skilled intruder.

You must understand that this particular vulnerability is much harder to exploit than the buffer overflow vulnerabilities that you're probably accustomed to. The problem which will bite you is that if the calculations are not precise, statd crashes with a SIGSEGV. As you've realized by now, brute forcing won't cut it. Also, a successful exploitation will render subsequent attacks fruitless.

I have seen statd running on a great number of linux systems and if you can simulate an attack against a remote system on one of your own boxes, it is *trivial* to exploit that remote system. Despite the shortcoming with the single attempt restriction, it was possible to reduce the exploitation variables down to a SINGLE address for most attacks. The default values for Redhat Linux 6.x work fine for me, so I'm probably fussing over nothing.

Anyway, enjoy the exploit.

ron1n

shellcode@hotmail.com

Sydney, Australia

McDonalds drive-thru guy
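The "phase one search" the post describes (pscan, ITS4, grep) boils down to one check: find printf-family and syslog calls whose format argument is not a string literal, which is the pattern behind the rpc.statd bug. The scanner below is an added example, not code from the post or from any of those tools; the C sample it runs over is constructed here and is not rpc.statd's source, and the hypothetical macro names in it are assumptions.

```python
import re

# Format-string functions and the index of their format argument (constructed table).
FORMAT_ARG_INDEX = {
    "printf": 0, "vprintf": 0, "warn": 0, "warnx": 0,
    "fprintf": 1, "sprintf": 1, "syslog": 1, "vsyslog": 1, "err": 1, "errx": 1,
    "snprintf": 2, "vsnprintf": 2,
}
CALL_RE = re.compile(r"\b(" + "|".join(FORMAT_ARG_INDEX) + r")\s*\(")


def split_args(arg_text):
    """Split call arguments on top-level commas, respecting nested parens and strings."""
    args, cur, depth, in_str, i = [], [], 0, False, 0
    while i < len(arg_text):
        c = arg_text[i]
        if in_str:
            cur.append(c)
            if c == "\\" and i + 1 < len(arg_text):   # keep escaped char with its backslash
                cur.append(arg_text[i + 1]); i += 1
            elif c == '"':
                in_str = False
        elif c == '"':
            in_str = True; cur.append(c)
        elif c in "([":
            depth += 1; cur.append(c)
        elif c in ")]":
            if depth == 0:                            # closing paren of the call itself
                break
            depth -= 1; cur.append(c)
        elif c == "," and depth == 0:
            args.append("".join(cur).strip()); cur = []
        else:
            cur.append(c)
        i += 1
    if cur:
        args.append("".join(cur).strip())
    return args


def scan_line(line):
    """Return (function, format_argument) for each call whose format is not a literal."""
    findings = []
    for m in CALL_RE.finditer(line):
        func = m.group(1)
        args = split_args(line[m.end():])
        idx = FORMAT_ARG_INDEX[func]
        if idx < len(args) and not args[idx].startswith('"'):
            findings.append((func, args[idx]))       # a macro here is a false positive to review by hand
    return findings


def scan_source(src):
    """Scan C source text; return (line_number, function, format_argument) per finding."""
    return [(n, f, a) for n, line in enumerate(src.splitlines(), 1) for f, a in scan_line(line)]
```

The scanner is line-oriented, so a call whose arguments span several lines is missed; that gap is exactly why the post says a tool-assisted first sweep still needs the line-by-line audit.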
