Flag execution for easy local privilege escalation

The PDF version can be found here

This paper shows a way to obtain local root by creating filenames that look like command-line flags and letting privileged processes pick them up as arguments.

Summary:
0x01 Introduction
    The basic theory behind the trick.
0x02 Exploitation
    A practical walk-through of the exploit.
0x03 Reproduction
    Where to look for vulnerable programs.

== 0x01 Introduction ==

With this technique it is possible to escalate local privileges once you find a vulnerable program, cron job or process. The underlying problem is that Linux will pass filenames which look like flags to a program as if they were flags.
In some cases you have to wait until a privileged user executes the targeted program, so that it runs with your flags, but the idea is to find a vulnerable cron job or process so that no user interaction is needed for the trick to work.
To be honest, I don't know exactly where in Linux this bug comes from, but I know it works; I sent this trick to the bash team in 2009 but they gave no clear reaction to it.

== 0x02 Exploitation ==

Here is a little program I wrote which creates and removes files whose names look like flags. We need it to handle such files because, as far as I tried, you cannot simply create flag-looking files from something like bash.

#!/usr/bin/env python3
import os
import sys

## Written by Jelmer de Hen for h.ackack.net blog on 25-04-2010
## This program can be used to easily create and remove flag-looking filenames

def flags(todo, filename):
    # open() and os.remove() take a plain path string, so a name such as
    # "-n" is never interpreted as an option here, unlike on a shell command line.
    if todo == "mk":
        try:
            open(filename, "w").close()
            return "[+] " + filename + " created"
        except OSError:
            return "[-] Could not create file, check your permissions or something"
    elif todo == "rm":
        try:
            os.remove(filename)
            return "[+] " + filename + " deleted"
        except OSError:
            return "[-] File does not exist or not enough rights to delete this file."
    else:
        instructions()

def instructions():
    print(sys.argv[0] + " [mk | rm] [filename]")
    print("example: \"" + sys.argv[0] + " mk -n\"")
    sys.exit(1)

def main():
    if len(sys.argv) == 3:
        print(flags(sys.argv[1], sys.argv[2]))
    else:
        instructions()

if __name__ == "__main__":
    sys.exit(main())

Run the program:
# python flagHandler.py mk -n
[+] -n created

Now we have a file named -n in the current directory. Opening it from the command line by name fails, because -n is parsed as a flag rather than as a filename.
Here is what happens when you try to cat the file:

# cat -n
test
1 test

cat enters a mode where it echoes everything you type, but because -n was taken as an option it prints a line number in front of every line; I typed "test" to make that visible.
The program treats the argument as a flag exactly as it would during normal execution; nothing special has happened yet.

Now the tricky part: you cannot open it as a file by name, but you can open it by opening all files in the folder with a wildcard.

# cat *
1 #!/usr/bin/python
2 import sys,os
3

What we see here is filename flag execution: cat gets "-n" among its arguments, takes it for a flag, and does with it whatever the program's source code defines for that option, here numbering the lines of the other file in the directory.
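The demonstration above, as an added example that is not part of the original post: a throw-away directory is set up the way flagHandler.py would set it up, and the same "cat *" is compared with the two spellings that do not pick up -n as an option. The use of mktemp, the function names and the file data.txt are assumptions of this example, not of the post.

```shell
#!/bin/sh
# Added example, not code from the original post: reproduce the wildcard
# behaviour in a throw-away directory and compare it with two safe spellings.
# Assumes a POSIX shell plus mktemp, cat and head.

# Create a scratch directory with one ordinary file and one file named "-n"
# (the same thing the post's "flagHandler.py mk -n" does). Prints the path.
setup_dir() {
    dir=$(mktemp -d)
    printf 'hello\n' > "$dir/data.txt"
    : > "$dir/-n"
    printf '%s\n' "$dir"
}

# Weak form: "cat *". The shell, not cat, expands "*" into the directory
# entries, so cat is started as "cat -n data.txt" and -n becomes an option.
# LC_ALL=C fixes the glob sort order so "-n" always comes first; stdin is
# redirected so cat can never block waiting for the terminal.
unsafe_cat() {
    ( export LC_ALL=C; cd "$1" && cat * </dev/null ) | head -n 1
}

# Safe form 1: "cat ./*". Every entry now starts with "./", and an argument
# that starts with "./" can never be parsed as an option.
safe_cat_dotslash() {
    ( export LC_ALL=C; cd "$1" && cat ./* </dev/null ) | head -n 1
}

# Safe form 2: "cat -- *". "--" ends option parsing, so everything after it
# is an operand. This relies on the invoked program honouring "--", which
# POSIX and GNU utilities do but home-made scripts may not.
safe_cat_dashdash() {
    ( export LC_ALL=C; cd "$1" && cat -- * </dev/null ) | head -n 1
}

cleanup_dir() {
    rm -rf -- "$1"
}

# Demonstration when run directly: only the weak form returns a numbered line.
d=$(setup_dir)
printf 'cat *    -> %s\n' "$(unsafe_cat "$d")"
printf 'cat ./*  -> %s\n' "$(safe_cat_dotslash "$d")"
printf 'cat -- * -> %s\n' "$(safe_cat_dashdash "$d")"
cleanup_dir "$d"
```

The "./*" spelling is the more robust of the two fixes because it does not depend on the invoked program's option parser at all; "--" only helps when the program stops parsing options there.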

== 0x03 Reproduction ==

Search for a program, cron job or process that does things in a directory writable by you, such as /tmp, and inject the preferred flags to make the process do what you wish.
Hint: there are a lot of home-made backup scripts out there, and I noticed they are frequently vulnerable to this trick.
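Two checks that follow from the reproduction hint, as added example code that is not part of the original post: one lists the tell-tale dash-prefixed entries in a directory, the other is a heuristic grep over a script for bare "*" arguments that are passed without "./" or "--". The sample backup script, its paths and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original post: two checks a defender can run.
# Assumes a POSIX shell with find, grep, wc and mktemp; the sample script
# written below is constructed for the demonstration.

# 1. The artefact this trick leaves behind is a directory entry whose name
#    begins with "-". List such entries in one directory (top level only).
find_dash_names() {
    find "$1" -mindepth 1 -maxdepth 1 -name '-*' -print
}

# 2. Heuristic source scan: print "LINE:text" for every line of a script
#    that passes a bare "*" word to a command without a "--" separator.
#    "./*" is not matched because its star is preceded by "/", not a space.
scan_script_for_bare_globs() {
    grep -n -E '(^|[[:space:]])\*([[:space:]]|$)' -- "$1" \
        | grep -v -E '(^|[[:space:]])--([[:space:]]|$)' || true
}

# Constructed sample: a cron-style backup script with one weak line (3)
# and two lines that are safe because of "./*" and "--".
write_sample_script() {
    cat > "$1" <<'EOF'
#!/bin/sh
cd /srv/shared/uploads
tar czf /var/backups/uploads.tgz *
tar czf /var/backups/uploads.tgz ./*
cp -a -- * /var/backups/uploads/
EOF
}

# Demonstration when run directly.
tmp=$(mktemp -d)
: > "$tmp/-n"
printf 'dash-prefixed names in %s:\n' "$tmp"
find_dash_names "$tmp"
write_sample_script "$tmp/backup.sh"
printf 'weak glob lines in backup.sh:\n'
scan_script_for_bare_globs "$tmp/backup.sh"
rm -rf -- "$tmp"
```

The grep is only a heuristic: it will miss globs built from variables and flag some harmless lines, so treat its output as a list of lines to read, not as a verdict.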

Have fun becoming root with this universal linux flaw :)

Hello, I am Jelmer, born in 1991, and I live in Holland. I met Fredrik and Mathias through the internet. You can contact me via email at jelmerdehen [ at ] hotmail [d0t] com, or you can chat with me on IRC.

17 Comments

  1. Fredrik Nordberg Almroth says:

    The script Jelmer provided can be found here:
    http://downloads.ackack.net/flagHandler.py



  5. Diogo says:

    You could have created and deleted the files preceding them with ./ as in these examples:

    touch ./-n
    rm ./-n

    Or even separating the command from its file list with -- as in:

    touch -- -n
    cat -- -n
    rm -- -n

    Although I'm not really sure who is responsible for handling this. If Bash, you're safe. But if each program parses the -- then some program might be vulnerable.

    And I'm no guru, but I don't think it has anything to do with the kernel. It seems that the shell just doesn't handle it properly, so when you do "cat *" the wildcard is expanded to "cat -n", which gives the result you described.

    Converting -n to ./-n from the wildcard would solve the issue, but I don't know if it would be desired, given it'd break BC. Actually there might be some sort of Bash option to avoid this; I didn't even check it.

    Nice trick anyway.

  6. Jelmer de Hen says:

    Hi Diogo,
    Since /bin/bash, /bin/sh and other shells all support this trick, I really was puzzled who was to blame for it, so I chose the kernel :D .
    I know you can't directory hop, which is pretty lame, as you described with the "-n" and "./-n" example, but still a lot of programs make calls by first changing to the desired working directory and then calling a program with "*", which still makes them vulnerable.


  17. Rahat says:

    Instead of using your python script, I used nano to create a file named -n and the same trick worked.
