A new 0day vulnerability has just been discovered in the Linux kernel that lets an ordinary user become root on a machine. It affects Linux distributions built on kernel versions between 2.6.32 and 3.8.8.
[*] Linux kernel >= 2.6.30 RDS socket exploit
[*] by Dan Rosenberg
[*] Resolving kernel addresses...
[+] Resolved rds_proto_ops to 0xf7d2e518
[+] Resolved rds_ioctl to 0xf7d29000
[+] Resolved commit_creds to 0xc0450a6f
[+] Resolved prepare_kernel_cred to 0xc045097a
[*] Overwriting function pointer...
[*] Triggering payload...
[*] Restoring function pointer...
[*] Got root!
From the output above, we note that /usr/sbin/exim-4.84-3 is vulnerable to manipulation of its Perl environment and has its own identifier, CVE-2016-1531. A local privilege escalation exploit matching this version of exim can be found on the Debian VM at /home/user/tools/suid/exim/cve-2016-1531.sh.
We will copy the key over to our local machine and give it the correct permissions; otherwise our SSH client will refuse to use it. Then we can use the key to log in to the Debian VM as the root account.
-rwxr-xr-x 1 root root 84 Dec 23 17:16 /usr/local/bin/pydoc*
-rwxr-xr-x 1 root root 9760 Dec 23 17:47 /usr/local/bin/python2.7*
-rwxr-xr-x 1 root root 1687 Dec 23 17:47 /usr/local/bin/python2.7-config*
If /usr/local/bin is mounted from a remote machine, that could cause problems, too; remote root write access is often disabled on exported filesystems. Does /usr/local/bin/python2.7 already exist? If so, who owns it, and what are the permissions? If not, then the same questions for /usr/local/bin, then /usr/local.
Version information
==================
hostname = localhost.localdomain
uname -m = i686
uname -r = 2.6.32-358.el6.i686
uname -s = Linux
uname -v = #1 SMP Thu Feb 21 21:50:49 UTC 2013
/usr/bin/uname -p = unknown
/bin/uname -X = unknown
As a result, making these changes does not add more security for the end user, because these attacks rely on the client being exploited first. To fully mitigate these attacks, it is necessary to run endpoint security software, such as Symantec Endpoint Protection, which would protect against clients being compromised.
Etracks: 3838822, 3984326, 3949226, 4201304, 4202454
Additional References:
CVE-2007-1742
Description: suexec in Apache HTTP Server (httpd) 2.2.3 uses a partial comparison for verifying whether the current directory is within the document root, which might allow local users to perform unauthorized operations on incorrect directories, as demonstrated using "html_backup" and "htmleditor" under an "html" directory. NOTE: the researcher, who is reliable, claims that the vendor disputes the issue because "the attacks described rely on an insecure server configuration" in which the user "has write access to the document root."
Conclusion: Symantec Encryption Management Server does not configure local users by default; they must be configured manually by a Super User Administrator in order to have access. No external access to the operating system is provided to users in this way.
Etrack: n/a
Additional References:

CVE-2011-4415
Description: The ap_pregsub function in server/util.c in the Apache HTTP Server 2.0.x through 2.0.64 and 2.2.x through 2.2.21, when the mod_setenvif module is enabled, does not restrict the size of values of environment variables, which allows local users to cause a denial of service.
Conclusion: This requires local (command line) access to Symantec Encryption Management Server in order to run, which is not allowed by Symantec Encryption Management Server by default and is actually locked down. There are no methods reported to be able to exploit this without having local access to the server. In order to exploit this, "the attacker needs to be able to place a crafted .htaccess file on the server", something Symantec Encryption Management Server does not allow anyone to do unless local access to the server is obtained, which is configured only via the Symantec Encryption Management Server Superuser Admin account.
Etrack: n/a
Additional References:

CVE-2013-4483
Description: The ipc_rcu_putref function in ipc/util.c in the Linux kernel before 3.10 does not properly manage a reference count, which allows local users to cause a denial of service.
Etrack: n/a
Conclusion: Since Symantec Encryption Management Server does not enable local users by default, and any user configured on the server is created by the administrator via SSH, this is not applicable. External users do not have access to this part of the OS.
Additional References:

CVE-2013-4554
Description: Xen 3.0.3 through 4.1.x (possibly 4.1.6.1), 4.2.x (possibly 4.2.3), and 4.3.x (possibly 4.3.1) does not properly prevent access to hypercalls, which allows local guest users to gain privileges.
Conclusion: This applies only to the Xen kernel. Symantec Encryption Management Server does not run the Xen kernel and does not run guest operating systems.
Etrack: n/a
Additional References:

CVE-2013-6381
Description: Buffer overflow in the qeth_snmp_command function in drivers/s390/net/qeth_core_main.c in the Linux kernel through 3.12.1 allows local users to cause a denial of service.
Conclusion: Since Symantec Encryption Management Server does not enable local users by default, and any user configured on the server is created by the administrator via SSH, this is not applicable. External users do not have access to this part of the OS.
Etrack: n/a
Additional References:

CVE-2013-6383
Description: The aac_compat_ioctl function in drivers/scsi/aacraid/linit.c in the Linux kernel before 3.11.8 does not require the CAP_SYS_RAWIO capability, which allows local users to bypass intended access restrictions via a crafted ioctl call.
Conclusion: Since Symantec Encryption Management Server does not enable local users by default, and any user configured on the server is created by the administrator via SSH, this is not applicable. External users do not have access to this part of the OS. Furthermore, Symantec maintains a hardware compatibility list: QA tests each hardware configuration listed in the Release Notes of each major version, and each configuration undergoes testing specific to that hardware. Many customers choose to install in VMware, which would make this non-applicable.
Etrack: n/a
Additional References: