Warchall got rooted again
Global Rank: 229
Totalscore: 93001
Posts: 1680
Thanks: 1358
UpVotes: 920
Registered: 16y 281d
Last Seen: 23s
The User is Online
Warchall got rooted again
Jun 27, 2012 - 17:08:25 (12y 150d)
Jun 27, 2012 - 17:08:25 (12y 150d)
g00ber did it again and got root on the warchall box.
The flaw was another race condition and he also reported a few more problems, as you can read in the advisory he left in the /root folder:
Big thanks to him from my side for reporting the flaws and playing nice.
All the flaws have been adressed with the changesets 2193, 2194 and 2195. (testing is quite a pain)
Well owned and played
I owe you one
gizmore
The flaw was another race condition and he also reported a few more problems, as you can read in the advisory he left in the /root folder:
Quote from /root/g00ber_was_here_again
Hey roots,
A few more thingies this time:
1) /opt/php/gwf3/core/module/Audit/ruth/allchalls.sh contains the plaintext password of "blackzero" user.
2) /opt/php/gwf3/core/module/Audit/ruth/config.php contains the database password for warchall database (I haven't figured out how to cause any mischief with it yet, though; the sanitization performed in the user-adding scripts seems to be paranoid enough).
3) There is still (at least) one more race condition in the challenge-preparing scripts, though -- this time, it's the install_user.php in kwisatz/4/ module, which chowns/chgrps $filename which could have been replaced in the meantime (again, making it a symlink and pointing it at /etc/passwd yields the desired result after a few tries... /etc/sudoers could work too, if sudo wasn't too paranoid
4) It seems the same can be done with the directory-creation code in the same script too. The same problem plagues also the directory-creation for level 5 and 6 (same piece of code); in that case, the file-code looks harmless, since it sets ownership to root:root.
That's it for now... And yes, the temporary changes (the new root account in /etc/passwd, named g00hack) should be gone now.
g00bER, 2012-06-26, 15:55 GMT
Big thanks to him from my side for reporting the flaws and playing nice.
All the flaws have been adressed with the changesets 2193, 2194 and 2195. (testing is quite a pain)
Well owned and played
I owe you one
gizmore
The geeks shall inherit the properties and methods of object earth.
Totalscore: 364643
Posts: 13
Thanks: 25
UpVotes: 12
Registered: 14y 272d
Last Seen: 1y 81d
The User is Offline
RE: Warchall got rooted again
Jun 27, 2012 - 20:53:40 (12y 150d)
Jun 27, 2012 - 20:53:40 (12y 150d)
r00t w00t !
can haz g00ber skillz ?
can haz g00ber skillz ?
Global Rank: 229
Totalscore: 93001
Posts: 1680
Thanks: 1358
UpVotes: 920
Registered: 16y 281d
Last Seen: 23s
The User is Online
RE: Warchall got rooted again
Jul 01, 2012 - 02:10:26 (12y 147d)
Jul 01, 2012 - 02:10:26 (12y 147d)
Not that hard when you know where to look. The source is open as well.
Now you have been shown another door, but you still have to walk yourself.
Reporting the flaws was a nice move when it comes to have special and unique knowledge of a system
I really appreciate the reports!
gizmore
Now you have been shown another door, but you still have to walk yourself.
Reporting the flaws was a nice move when it comes to have special and unique knowledge of a system
I really appreciate the reports!
gizmore
The geeks shall inherit the properties and methods of object earth.
tunelko, quangntenemy, TheHiveMind, Z, balicocat, Ge0, samuraiblanco, arraez, jcquinterov, hophuocthinh, alfamen2, burhanudinn123, Ben_Dover, stephanduran89, braddie0, SwolloW, dangarbri, csuquvq have subscribed to this thread and receive emails on new posts.
1 people are watching the thread at the moment.
This thread has been viewed 3198 times.
1 people are watching the thread at the moment.
This thread has been viewed 3198 times.