Username: 
Password: 
Restrict session to IP 

Warchall got rooted again

Global Rank: 252
Totalscore: 87267
Posts: 1635
Thanks: 1337
UpVotes: 886
Registered: 16y 43d




Last Seen: 20h 35m
The User is Offline
Warchall got rooted again
Google/translate1Thank You!0Good Post!1Bad Post! link
g00ber did it again and got root on the warchall box.

The flaw was another race condition and he also reported a few more problems, as you can read in the advisory he left in the /root folder:

Quote from /root/g00ber_was_here_again

Hey roots,

A few more thingies this time:

1) /opt/php/gwf3/core/module/Audit/ruth/allchalls.sh contains the plaintext password of "blackzero" user.

2) /opt/php/gwf3/core/module/Audit/ruth/config.php contains the database password for warchall database (I haven't figured out how to cause any mischief with it yet, though; the sanitization performed in the user-adding scripts seems to be paranoid enough).

3) There is still (at least) one more race condition in the challenge-preparing scripts, though -- this time, it's the install_user.php in kwisatz/4/ module, which chowns/chgrps $filename which could have been replaced in the meantime (again, making it a symlink and pointing it at /etc/passwd yields the desired result after a few tries... /etc/sudoers could work too, if sudo wasn't too paranoid Smile ). This problem can be triggered by requesting account-reset from the web-interface (or abusing the known database password from point 2).

4) It seems the same can be done with the directory-creation code in the same script too. The same problem plagues also the directory-creation for level 5 and 6 (same piece of code); in that case, the file-code looks harmless, since it sets ownership to root:root.

That's it for now... And yes, the temporary changes (the new root account in /etc/passwd, named g00hack) should be gone now.

g00bER, 2012-06-26, 15:55 GMT

Big thanks to him from my side for reporting the flaws and playing nice.
All the flaws have been adressed with the changesets 2193, 2194 and 2195. (testing is quite a pain)

Well owned and played Smile
I owe you one

gizmore
The geeks shall inherit the properties and methods of object earth.
Totalscore: 364672
Posts: 13
Thanks: 25
UpVotes: 12
Registered: 14y 34d







Last Seen: 208d 19h
The User is Offline
RE: Warchall got rooted again
Google/translate1Thank You!0Good Post!1Bad Post! link
r00t w00t !
can haz g00ber skillz ?
Global Rank: 252
Totalscore: 87267
Posts: 1635
Thanks: 1337
UpVotes: 886
Registered: 16y 43d




Last Seen: 20h 35m
The User is Offline
RE: Warchall got rooted again
Google/translate1Thank You!0Good Post!1Bad Post! link
Not that hard when you know where to look. The source is open as well.

Now you have been shown another door, but you still have to walk yourself.

Reporting the flaws was a nice move when it comes to have special and unique knowledge of a system Smile

I really appreciate the reports!

gizmore
The geeks shall inherit the properties and methods of object earth.
tunelko, quangntenemy, TheHiveMind, Z, balicocat, Ge0, samuraiblanco, arraez, jcquinterov, hophuocthinh, alfamen2, burhanudinn123, Ben_Dover, stephanduran89, braddie0, SwolloW, dangarbri have subscribed to this thread and receive emails on new posts.
1 people are watching the thread at the moment.
This thread has been viewed 3010 times.