More Linux Privilege Escalation – Yum/RPM/DNF NOPASSWD .rpm Payloads

Thanks to the help of @neoice and Joseph Dicarlo for helping me put this together. There is a download link for the PoC .RPM AND .DEB files at the bottom!  (Please stop putting NOPASSWD in sudoers for package managers! I truly actually run into this a lot and there’s just not that many safe ways to do it. This isn’t exactly news however, but y’know, these are nifty techniques you don’t really see documented on package management software.)

In my last post about abusing sudo NOPASSWD permissions on Linux, it detailed escalating privileges via the aptitude/dpkg package manager. Today, we’ll look at the same misconfiguration and how it can affect ANY package manager. Observe the following;

%logan       ALL= NOPASSWD: /usr/bin/yum

So what happens if we sudo yum localinstall a malicious .rpm file that creates a root setUID executable? Ladies and gentlemen, I present to you: YumSploit.rpm

Notice the “#” in the shell, indicating we are now the root user.

So, what exactly happened here? It’s not too incredibly complex!
Consider the following C code:

So, our malicious .rpm file will do a few things. It will take this compiled C code (using gcc) and create a setUID root binary in /usr/local/bin/ under the name “pop”. This pop binary simply is binary that executes a bash prompt when loaded.
Since it inherits the permissions of that process, and the .rpm script code actually executes and runs as the root user, you can simply call /usr/local/bin/pop and obtain a root shell immediately without any sort of privileges.

Here’s some other possible payloads as well. Get creative.

Much like the previous vulnerability, this hones in on poor configuration in the /etc/sudoers file. This screenshot should explain a bit more what exactly is going on.

This line will make dnf vulnerable as well.

User logan may run the following commands on localhost: (ALL : ALL) NOPASSWD: /usr/bin/yum, /usr/bin/dnf

Here’s an example of this working on RedHat Enterprise Linux 7.6

(The package did not install as I had already installed it prior to this – however, it installs like any other package normally would)
Okay, we’ve dropped our file…all we have to do is call the path and achieve victory!

If you don’t get it at this point – I’ll just be very explicitly clear. Do NOT add the NOPASSWD value to your package manager for /etc/sudoers!  Enjoy.

Here’s neoice’s dirty .rpm PoC via GitHub! Download and test this yourself!

(You’ll need to save it as a .txt, then run cat *.txt |base64 -d|gzip -d > yumsploit.rpm)

https://pastebin.com/RtsmaQvL

(Again, be sure to save as .txt – cat *.txt |base64 -d|gzip -d > debsploit.deb)

Happy hacking!

Leave a Reply

Your email address will not be published. Required fields are marked *