tRewrite C code and add SHA256 support. - sup - small tool for privilege escalation HTML git clone https://git.parazyd.org/sup DIR Log DIR Files DIR Refs DIR README DIR LICENSE --- DIR commit cec5f362b273867f23126ccb7a756905c640c856 DIR parent 96b227c7bf3acc15c0de695b074f2b32fcabe21e HTML Author: parazyd <parazyd@dyne.org> Date: Tue, 2 Jul 2019 13:00:38 +0200 Rewrite C code and add SHA256 support. Diffstat: M config.def.h | 33 +++++++++++++++++++------------ M sup.c | 158 ++++++++++++++++--------------- 2 files changed, 103 insertions(+), 88 deletions(-) --- DIR diff --git a/config.def.h b/config.def.h t@@ -1,20 +1,27 @@ -#define USER 1000 -#define GROUP -1 +/* See LICENSE file for copyright and license details. */ +/* User and group to run as */ #define SETUID 0 #define SETGID 0 -#define CHROOT "" -#define CHRDIR "" +/* sup authorizations + * + * The format is as follows: + * - UID allowed to run the command (-1 means anyone) + * - Alias/command used to call the executable + * - Path to the executable to run + * - SHA256 checksum of the executable + */ +static struct rule_t rules[] = { + { 1000, "ls", "/bin/ls", + "87e8fd7d813c135875aca43a4da43d3ced41d325ed2931906444471b4e93e017" }, -#define ENFORCE 1 + { -1, "grep", "/bin/grep", + "fedeb344d1be24f4a340591cd25ed81f7e46ea12772f563c9c9f43773028e23a" }, -static struct rule_t rules[] = { - { USER, GROUP, "whoami", "/usr/bin/whoami" }, - { USER, GROUP, "ifconfig", "/sbin/ifconfig" }, - { USER, GROUP, "ls", "/bin/ls" }, - { USER, GROUP, "wifi", "/root/wifi.sh" }, - { USER, GROUP, "cp", "*"}, // allow to run this program in PATH - { USER, GROUP, "*", "*"}, // allow to run any program in PATH - { 0 }, + { 1000, "tar", "/bin/tar", + "fedeb344d1be24f4a340591cd25ed81f7e46ea12772f563c9c9f43773028e23a" }, + + { 1001, "test", "./a.out", + "254260b676a44f1529f7c855f0126a57a3fbd7ec8a74de08835f08e8e6ed21be" }, }; DIR diff --git a/sup.c b/sup.c t@@ -1,103 +1,111 @@ -/* pancake <nopcode.org> -- Copyleft 2009-2011 */ +/* See LICENSE file for copyright and license details. */ -#include <errno.h> -#include <unistd.h> #include <stdio.h> -#include <string.h> #include <stdlib.h> +#include <string.h> #include <sys/stat.h> +#include <unistd.h> + +#include "arg.h" +#include "sha256.h" -#define HELP "sup [-hlv] [cmd ..]" -#define VERSION "sup 0.1 pancake <nopcode.org> copyleft 2011" +#define nelem(x) (sizeof (x) / sizeof *(x)) struct rule_t { - int uid; - int gid; + const int uid; const char *cmd; const char *path; + const char *hash; }; #include "config.h" -static int die(int ret, const char *org, const char *str) { - fprintf (stderr, "%s%s%s\n", org?org:"", org?": ":"", str); - return ret; +char *argv0; + +void die(char *msg) { + fprintf(stderr, "%s\n", msg); + exit(1); } -static char *getpath(const char *str) { - struct stat st; - static char file[4096]; - char *p, *path = getenv ("PATH"); - if (path) - for (p = path; *p; p++) { - if (*p==':' && (p>path&&*(p-1)!='\\')) { - *p = 0; - snprintf (file, sizeof (file)-1, "%s/%s", path, str); - if (!lstat (file, &st)) - return file; - *p = ':'; - path = p+1; - } +#define CHUNK 1048576 /* 1MiB */ +static uint32 getsha(const char *path, unsigned char *dest) { + static sha256_context sha; + + unsigned char buf[CHUNK]; + uint32 len, tot = 0; + FILE *fd; + + fd = fopen(path, "r"); + if (!fd) + die("Can not read binary file."); + + sha256_starts(&sha); + + while ((len = fread(buf, 1, CHUNK, fd))) { + sha256_update(&sha, buf, len); + tot += len; } - return NULL; + fclose(fd); + + sha256_finish(&sha, dest); + return tot; } -int main(int argc, char **argv) { - const char *cmd; - int i, uid, gid, ret; +int main(int argc, char *argv[]) { + unsigned int c, i, lflag = 0; + unsigned char digest[32]; + char output[65]; + struct stat st; - if (argc < 2 || !strcmp (argv[1], "-h")) - return die (1, NULL, HELP); + ARGBEGIN { + case 'l': + lflag = 1; + break; + default: + die("Usage: sup [-l] command [ args ... ]"); + } ARGEND; - if (!strcmp (argv[1], "-v")) - return die (1, NULL, VERSION); + if (lflag) { + printf("List of compiled authorizations:\n"); + for (i = 0; i < nelem(rules); i++) + printf("\nuser: %d\ncmd: %s\nbinary: %s\nsha256: %s\n", + rules[i].uid, rules[i].cmd, rules[i].path, rules[i].hash); - if (!strcmp (argv[1], "-l")) { - for (i = 0; rules[i].cmd != NULL; i++) - printf ("%d %d %10s %s\n", rules[i].uid, rules[i].gid, - rules[i].cmd, rules[i].path); return 0; } - uid = getuid (); - gid = getgid (); - - for (i = 0; rules[i].cmd != NULL; i++) { - if (*rules[i].cmd=='*' || !strcmp (argv[1], rules[i].cmd)) { -#if ENFORCE - struct stat st; - if (*rules[i].path=='*') { - if (*argv[1]=='.' || *argv[1]=='/') - cmd = argv[1]; - else if (!(cmd = getpath (argv[1]))) - return die (1, "execv", "cannot find program"); - } else cmd = rules[i].path; - if (lstat (cmd, &st) == -1) - return die (1, "lstat", "cannot stat program"); - if (st.st_mode & 0222) - return die (1, "stat", "cannot run writable binaries."); -#endif - if (uid != SETUID && rules[i].uid != -1 && rules[i].uid != uid) - return die (1, "urule", "user does not match"); - - if (gid != SETGID && rules[i].gid != -1 && rules[i].gid != gid) - return die (1, "grule", "group id does not match"); - - if (setuid (SETUID) == -1 || setgid (SETGID) == -1 || - seteuid (SETUID) == -1 || setegid (SETGID) == -1) - return die (1, "set[e][ug]id", strerror (errno)); -#ifdef CHROOT - if (*CHROOT) - if (chdir (CHROOT) == -1 || chroot (".") == -1) - return die (1, "chroot", strerror (errno)); - if (*CHRDIR) - if (chdir (CHRDIR) == -1) - return die (1, "chdir", strerror (errno)); -#endif - ret = execv (cmd, argv+1); - return die (ret, "execv", strerror (errno)); + if (argc < 1) + die("Usage: sup [-l] command [ args ... ]"); + + for (i = 0; i < nelem(rules); i++) { + if (!strcmp(argv[0], rules[i].cmd)) { + + if (rules[i].uid != getuid() && rules[i].uid != -1) + die("Unauthorized user."); + + if (stat(rules[i].path, &st) == -1) + die("Can not stat program."); + + if (st.st_mode & 0022) + die("Can not run binaries others can write."); + + if (getsha(rules[i].path, digest) != st.st_size) + die("Binary file differs from size read."); + + for (c = 0; c < 32; c++) + sprintf(output + (c*2), "%02x", digest[c]); + output[64] = '\0'; + + if (strncmp(rules[i].hash, output, 64)) + die("Checksums do not match."); + + if (setgid(SETGID) < 0) die("setgid failed"); + if (setuid(SETUID) < 0) die("setuid failed"); + + if (execv(rules[i].path, argv) < 0) + die("execv failed."); } } - return die (1, NULL, "Sorry"); + die("Unauthorized command."); }