Saturday, July 18, 2015

'NIX: Possibly New Local Root Exploit


a faustian collage, based on a photo by Aaron Escobar (CC BY 2.0)


Not that I think anyone will care, or even notice this post, but today I found a root access vulnerability in OS X... (and so far you think, hey cool, that's relevant) ...10.4.11.

Click for relevant sound effect.

(Or here if you don't parse HTML5, and if you don't like data URI's, well, one day I will figure out how to construct the long bridge across the abyss that lies between us. Maybe.)(. Until then go to this page and hit play; hopefully my timing being absolutely awkward will only enhance the entertainment value.)

*ahem.*

What follows is a reenactment of the scene in my virtual world.

Walking in a freshly built room in the Terminal, I wave hello to my UNIX, who waves back, cheery as always.
UNIX: "This is faust's UNIX representative. Can I help you, faust?"
Me: "Who am I?"
UNIX: "This is faust's UNIX representative.  You are faust, of course."
Me: "Hey, I want you to do something for me, it will be fun.  Actually its two things, and you have to do them at the same time. Make this official business, so you can pretend I have top-level clearances. Start a transcript as if I were the 'boss,' even though we both know you know I am not, and we both also know you will be recording this conversation to tell anyone who wants to know. Make the transcript a plain text file, call it 'transcript' -- and, at the same time, wink this whole room out of existence by destroying the spacetime in which it resides."
UNIX: "This is faust's UNIX representative.  That requires authorization.  What is your password?"
Me: "'Friend, and Enter.'"
UNIX: "This is faust's UNIX representative.  OK.  I started a transcript, it will be called 'transcript.txt.'"
Me: "Who am I?"
UNIX: "This is The Boss's UNIX representative. You are the Boss, of course."

What? 

Here's what this actually looked like in Terminal -- well, as actually as I am comfortable with:



It works with both the commands 'kill' (using the process identification number for 'login,' the process logging me into UNIX via terminal) and 'killall' (using the name of that process, which is 'login' ).  It works if you use a chain of && commands, as long as killing login is the last.  It may even work if killing login isn't the last.  When the prompt comes back, you are still logged in -- as root.

What I want to know is: does this work on any other flavors of UNIX?  

Please leave a comment if you try it and it does.  I love comments.  That's why I blog.

Be seeing you.

2 comments:

  1. This also works with su -c "script type.txt && kill login" or another command like df after the && seems to do the same. Since I heard about this, I been messing around with them on a VM.

    This will work with su or sudo. SCO UNIX doesn't come with Sudo installed so I had to try it with su.

    I tried it on FreeBSD, OpenBSD, Solaris 11.3 and SCO Open Server 6

    ReplyDelete
  2. o m g! a comment! wish i had seen it sooner -- i detest google plus & so cannot comment on your video -- was watching it and (am ashamed to say) is how i saw this here (how metatwisted).

    also i note that it does *not* work in /dev/ -- not from within it, though it does from above it.have to try df. thx, w/sincerity, again 4 the props, the mention from chat, &c.

    ReplyDelete