2.6.32 May 2013 Local Root Exploit
A new 0day flaw has just been discovered in the Linux kernel; it allows an ordinary user to become root on a machine. The vulnerability affects Linux distributions based on kernel versions between 2.6.32 and 3.8.8.
$ cat /etc/redhat-release
CentOS release 6.3 (Final)
$ uname -a
Linux test1.hq.company.com 2.6.32-279.el6.x86_64 #1 SMP Fri Jun 22 12:19:21 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux
$ id
uid=503(user) gid=503(user) groups=503(user) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
$ sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        targeted
$ ./a.out
2.6.37-3.x x86_64
sd@fucksheep.org 2010
sh-4.1# id
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[*] Linux kernel >= 2.6.30 RDS socket exploit
[*] by Dan Rosenberg
[*] Resolving kernel addresses...
 [+] Resolved rds_proto_ops to 0xf7d2e518
 [+] Resolved rds_ioctl to 0xf7d29000
 [+] Resolved commit_creds to 0xc0450a6f
 [+] Resolved prepare_kernel_cred to 0xc045097a
[*] Overwriting function pointer...
[*] Triggering payload...
[*] Restoring function pointer...
[*] Got root!
From the output above, we note that /usr/sbin/exim-4.84-3 is vulnerable to manipulation of its Perl environment, and that this weakness has its own identifier, CVE-2016-1531. A local privilege escalation exploit matching this version of exim can be found on the Debian VM at /home/user/tools/suid/exim/cve-2016-1531.sh.
We will copy the key over to our local machine and give it the correct permissions; otherwise our SSH client will refuse to use it. Then we can use the key to log in to the Debian VM as the root account.
-rwxr-xr-x 1 root root   84 Dec 23 17:16 /usr/local/bin/pydoc*
-rwxr-xr-x 1 root root 9760 Dec 23 17:47 /usr/local/bin/python2.7*
-rwxr-xr-x 1 root root 1687 Dec 23 17:47 /usr/local/bin/python2.7-config*
If /usr/local/bin is mounted from a remote machine, that could cause problems too: remote root write access is often disabled on exported filesystems. Does /usr/local/bin/python2.7 already exist? If so, who owns it, and what are its permissions? If not, ask the same questions about /usr/local/bin, and then about /usr/local.
Version information
===================
hostname = localhost.localdomain
uname -m = i686
uname -r = 2.6.32-358.el6.i686
uname -s = Linux
uname -v = #1 SMP Thu Feb 21 21:50:49 UTC 2013
/usr/bin/uname -p = unknown
/bin/uname -X = unknown
As a result, making these changes does not add more security for the end user, because these attacks rely on the client being exploited first. To fully mitigate these attacks, it is necessary to run endpoint security software, such as Symantec Endpoint Protection, which would protect against clients being compromised.
Etracks: 3838822, 3984326, 3949226, 4201304, 4202454
Additional References:
CVE-2007-1742
Description: suexec in Apache HTTP Server (httpd) 2.2.3 uses a partial comparison for verifying whether the current directory is within the document root, which might allow local users to perform unauthorized operations on incorrect directories, as demonstrated using "html_backup" and "htmleditor" under an "html" directory. NOTE: the researcher, who is reliable, claims that the vendor disputes the issue because "the attacks described rely on an insecure server configuration" in which the user "has write access to the document root."
Conclusion: Symantec Encryption Management Server does not configure local users by default; they must be configured manually by a Super User Administrator in order to have access. No external access to the operating system is provided to users in this way.
Etrack: n/a
Additional References: _bug.cgiid=CVE-2007-1742 -bin/cvename.cginame=CVE-2007-1742 =CVE-2007-1742

CVE-2011-4415
Description: The ap_pregsub function in server/util.c in the Apache HTTP Server 2.0.x through 2.0.64 and 2.2.x through 2.2.21, when the mod_setenvif module is enabled, does not restrict the size of values of environment variables, which allows local users to cause a denial of service.
Conclusion: Exploiting this requires local (command line) access to Symantec Encryption Management Server, which is not allowed by Symantec Encryption Management Server by default and is locked down. There are no reported methods of exploiting this without local access to the server. In order to exploit this, "the attacker needs to be able to place a crafted .htaccess file on the server", something Symantec Encryption Management Server does not allow anyone to do unless local access to the server is obtained, which is configured only via the Symantec Encryption Management Server Superuser Admin account.
Etrack: n/a
Additional References: _bug.cgiid=CVE-2011-4415 -bin/cvename.cginame=CVE-2011-4415 =CVE-2011-4415

CVE-2013-2566
Description: The RC4 algorithm, as used in the TLS protocol and SSL protocol, has many single-byte biases, which makes it easier for remote attackers to conduct plaintext-recovery attacks.
Conclusion: This is a known concern that is currently under review by Symantec Development for final resolution. RC4 as it exists on Symantec Encryption Management Server is not easily exploited. An attacker must record and analyze 1 billion connections to find one weak key (one chance per billion connections), and then the process starts over.
BEAST, CRIME, and POODLE require the browser to run the attacker's JavaScript so that the attacker knows what the content is before it is encrypted by the browser. Symantec Encryption Management Server does not use any external content by default, so these attacks are not feasible against users connecting to the Symantec Encryption Management Server. These attacks require an attacker to know the exact bytes, and the location of those bytes, *before* the client sends them to the server. Due to the Symantec Encryption Management Server architecture, there is no possibility of putting a client in a compromising position unless it is introduced by custom content. Customers should take extra precaution when customizing the UI or templates to ensure external JavaScript is not used. Although audits report these false positives for BEAST, CRIME, and POODLE, exploiting these vulnerabilities on the server is not possible by default.
Starting with Symantec Encryption Management Server 3.3.2 MP11, the RC4 cipher has been removed.
Etrack: 3362451
Additional References: _bug.cgiid=CVE-2013-2566 -bin/cvename.cginame=CVE-2013-2566 =CVE-2013-2566

CVE-2013-4483
Description: The ipc_rcu_putref function in ipc/util.c in the Linux kernel before 3.10 does not properly manage a reference count, which allows local users to cause a denial of service.
Etrack: n/a
Conclusion: Symantec Encryption Management Server does not enable local users by default, and any user configured on the server is configured by the administrator via SSH; therefore this is not applicable. External users do not have access to this part of the OS.
Additional References: _bug.cgiid=CVE-2013-4483 -bin/cvename.cginame=CVE-2013-4483 =CVE-2013-4483

CVE-2013-4554
Description: Xen 3.0.3 through 4.1.x (possibly 4.1.6.1), 4.2.x (possibly 4.2.3), and 4.3.x (possibly 4.3.1) does not properly prevent access to hypercalls, which allows local guest users to gain privileges.
Conclusion: This applies only to the xen kernel. Symantec Encryption Management Server does not run the xen kernel and does not run guest operating systems.
Etrack: n/a
Additional References: _bug.cgiid=CVE-2013-4554 -bin/cvename.cginame=CVE-2013-4554 =CVE-2013-4554

CVE-2013-6381
Description: Buffer overflow in the qeth_snmp_command function in drivers/s390/net/qeth_core_main.c in the Linux kernel through 3.12.1 allows local users to cause a denial of service.
Conclusion: Symantec Encryption Management Server does not enable local users by default, and any user configured on the server is configured by the administrator via SSH; therefore this is not applicable. External users do not have access to this part of the OS.
Etrack: n/a
Additional References: _bug.cgiid=CVE-2013-6381 -bin/cvename.cginame=CVE-2013-6381 =CVE-2013-6381

CVE-2013-6383
Description: The aac_compat_ioctl function in drivers/scsi/aacraid/linit.c in the Linux kernel before 3.11.8 does not require the CAP_SYS_RAWIO capability, which allows local users to bypass intended access restrictions via a crafted ioctl call.
Conclusion: Symantec Encryption Management Server does not enable local users by default, and any user configured on the server is configured by the administrator via SSH; therefore this is not applicable. External users do not have access to this part of the OS. Furthermore, Symantec publishes a hardware compatibility list in the Release Notes of each major version; QA tests each listed hardware configuration, and the product undergoes testing specifically for that hardware. Many customers choose to install in VMware, which would make this non-applicable.
Etrack: n/a
Additional References: _bug.cgiid=CVE-2013-6383 -bin/cvename.cginame=CVE-2013-6383 =CVE-2013-6383