RFE: Testing instead of actual rooting

[tjyang]

What I need is to deploy a safe C binary to detect this CVE . Return 1 code if not already patched without actually rooting the system, return 0 if the system is patched. Can this RFE be added ?

[tjyang]

or after rooting the OS , only run a whoami command then return the username and exit the program? Goal is to have one exe binary not shell script.

[berdav]

A single binary needs some rewriting, because it requires a directory (which can be created by the binary) a library (which must then wirtten and compiled by the binary using system or similar methods).

Otherwise we can just create another process, execute true and check if the return code is different from zero.

The whoami tactic is probably a little easier to code, let me know if you require this to be a single binary and if the binary can compile stuff (otherwise we can just pack the stage1 and the library in a single dezipping loader).

[tjyang]

@berdav thanks for the reply. One single binary and run "whoami" return 1 when hacked approach will be very helpful for CM tool like saltstack/ansible. We can then use this for detection and verification purpose.

[berdav]

I've pushed a branch issue-14-dry-run with a fix of what you're asking for.

You need to compile it with make dry-run and then execute the binary in the dry-run directory.

I've tested it, if it is what you intended I will merge it into the main branch.

[tjyang]

• I tested the dry-run branch on a ubuntu 18.04 and it worked as expected to return 1 error code when rooted the system.

me@ubuntu18t03:~/github/CVE-2021-4034/dry-run$ ./dry-run-cve-2021-4034
root
me@ubuntu18t03:~/github/CVE-2021-4034/dry-run$ echo $?
1
me@ubuntu18t03:~/github/CVE-2021-4034/dry-run$

• but on a centos 7 , I ran into compiling issue. I will try to use binary from ubuntu 18 to test C7 system.

  
  [me@centos7t01 CVE-2021-4034]$ make dry-run
  make -C dry-run
  make[1]: Entering directory `/home/me/github/CVE-2021-4034/dry-run'
  cc -Wall -DTRUE='"/usr/bin/true"' -DWHOAMI='"/usr/bin/whoami"' --shared -o pwnkit-dry-run.so pwnkit-dry-run.c
  /usr/bin/ld: /tmp/ccVUUTUM.o: relocation R_X86_64_32S against `.rodata' can not be used when making a shared object; recompile with -fPIC
  /usr/bin/ld: final link failed: Nonrepresentable section on output
  collect2: error: ld returned 1 exit status
  make[1]: *** [pwnkit-dry-run.so] Error 1
  make[1]: Leaving directory `/home/me/github/CVE-2021-4034/dry-run'
  make: *** [dry-run] Error 2
  [me@centos7t01 CVE-2021-4034]$

[tjyang]

dry-run-cve-2021-4034 binary created on ubuntu 18 was able to run on centos 7. Pls consider merging this branch into main.

[berdav]

oops! You're right. I had missed the -fPIC compilation flag :disappointed: also there was a problem in the code with old compilers default beaviour.

I've added it to the branch. Can you retest it?

Merging into main.

[tjyang]

• "make dry-run" compilation on centos 7 and ubuntu 18 all fine.
• ./dry-run/dry-run-cve-2021-4034 work as expected.
• please close this issue.