Quote:
Originally Posted by STDOUBT
Forgive me, but in this context, does "PASSES" mean the exploit does not work?
My bad for not being more clear
PASS means the exploit does not exist, or, to be more precise, that my test program, which uses the exploit to attempt to overwrite a file, fails to overwrite the file. As an example, I tried this on one of my AWS instances which is patched current as of... yesterday I think ... and I am unable to overwrite the test file.
FAIL means it can be exploited. I tried a Slackware 14.1 box and a couple of 14.2 boxes, current patch level, and on both of them I, as a non-root user, successfully overwrote files to which I, a non-root user, have read-only access.
As an example, I just now tested this against httpd (how many of us have the Apache web server running?) and I, as a non-root user, replaced the contents of httpd with my own file. When I restart my web server, it is going to run my program, which will do whatever I want within the realm of permissions normally given to the web server daemon.
There are limitations to what you can do with this. As a non-root user, I normally do not have read access into /root or other user directories, so I can't mess with other user data. I could not, for example, overwrite /etc/shadow with my own version and take root control of your system (because the default perms on /etc/shadow are 640 - 'others' don't even have read access). I can, however, overwrite fstab, so what happens when I reboot my system and fstab is wiped? I can rampage through /usr/bin, /usr/lib64, etc., wreaking havoc as I go. I could probably replace executables with my own program. So I'm going to replace some common executable with my own executable, and when the program gets run, my program runs instead.
Do you see what kind of damage you can do, and how easily you can do it? I admittedly don't know how far you can go with this or what the limitations are, but so far I can easily render my system non-bootable or compromise executable files.
The only saving grace here is that one has to have access to the system to start with. There may be other ways to do this, but I'm not a researcher and I really haven't spent that much time with this. On the other hand, it took me less than an hour to figure out how to render a system unbootable and compromise my web server executable. And all of this as a normal non-root user.
Default Slackware installs with today's patch level are vulnerable. All it takes is one brighter than average (and that doesn't take much) kid to test this to see if he can wipe your server. He probably can.
EDIT: DISCLAIMER!!!
Just so that the FBI does not come knocking on my door:
- the test program I used was one I found on the Internet that was designed to demonstrate how to see if your system is vulnerable or not. It was a simple C program that I had to compile myself. All it does is overwrite a test file with the contents of your choice. A successful overwrite indicates that the system is vulnerable to this exploit.
- I have tested this ONLY on systems I OWN.
- I have not released or otherwise uploaded or displayed the program or made it available in any form anywhere at all (seriously, you can find it yourself with Google in 60 seconds, and if you know anything about C programming and memory and threading, you can write your own fairly quickly).
- I do not advocate or suggest or recommend anyone use this exploit at all for any reason at any time....
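The post's PASS/FAIL test works by trying to overwrite a file the unprivileged user can only read, and the damage it warns about is that binaries such as httpd and files such as fstab can be replaced without root. What an administrator reading this would want next is a way to tell whether that has already happened on a box. The following is an added example, not code from the post or from the test program it mentions: a sha256 baseline taken from a known-good install, plus a verify step that lists every baselined file whose contents have changed or that can no longer be read. It assumes GNU coreutils sha256sum and find; the directory and baseline paths in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example (not from the post): record and re-check sha256 hashes of files
# that an unprivileged overwrite would target. Assumes GNU coreutils sha256sum/find.

# integrity_baseline BASELINE_FILE DIR...
# Hash every regular file under the given directories into BASELINE_FILE.
# Keep BASELINE_FILE outside the hashed trees and unwritable by normal users.
integrity_baseline() {
    baseline="$1"
    shift
    find "$@" -type f -exec sha256sum {} + | LC_ALL=C sort -k2 > "$baseline"
}

# integrity_verify BASELINE_FILE
# Re-hash every path listed in BASELINE_FILE. Prints one path per line for each
# file whose contents changed or which can no longer be read (deleted, chmod'd
# away, etc.); returns 1 if there were any, 0 when the tree still matches.
integrity_verify() {
    baseline="$1"
    # --quiet suppresses the "OK" lines; a mismatch prints "<path>: FAILED" and a
    # missing/unreadable file prints "<path>: FAILED open or read" on stdout.
    bad=$(sha256sum -c --quiet "$baseline" 2>/dev/null | sed -n 's/: FAILED.*$//p')
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad"
        return 1
    fi
    return 0
}

# Usage (placeholder paths): baseline once as root right after install/patching,
# then verify from cron or before restarting a daemon such as httpd.
#   integrity_baseline /root/base.sha256 /usr/sbin /usr/bin /usr/lib64 /etc
#   integrity_verify   /root/base.sha256 || echo "files above differ from baseline"
```

Take the baseline as root on a freshly installed or freshly patched system and store it where a normal user cannot write (off the box is best): anyone who can overwrite httpd can also overwrite a world-writable baseline. A non-empty result from the verify step means the file no longer matches what was installed, whether because of a legitimate upgrade or because of the kind of overwrite the post describes, so re-baseline after every deliberate update and treat anything else as a tampered file.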