RDot (https://rdot.org/forum/index.php)
-   Повышение привилегий/Privilege escalation (https://rdot.org/forum/forumdisplay.php?f=24)
-   -   CVE-2016-10010 // OpenSSH LPE (https://rdot.org/forum/showthread.php?t=4414)

cj69 09.01.2018 23:40

CVE-2016-10010 // OpenSSH LPE
Довольно забавный баг. Если UsePrivilegeSeparation=no то возможно при запросе "лоу_порт" открыть сессию с уид 0 .
Jan 9 22:19:25 local sshd[1312]: Accepted password for uzzz from port 47117 ssh2
Jan 9 22:19:25 local sshd[1312]: pam_unix(sshd:session): session opened for user uzzz by (uid=0)

забавный баг, правда до уид0 шелла не удалось поднять т.к конфиг ссхд самопальный, если у кого есть время и до ковыряет багу дайте знать.


This issue affects OpenSSH if privilege separation is disabled (config option
UsePrivilegeSeparation=no). While privilege separation is enabled by default, it
is documented as a hardening option, and therefore disabling it should not
directly make a system vulnerable.

OpenSSH can forward TCP sockets and UNIX domain sockets. If privilege separation
is disabled, then on the server side, the forwarding is handled by a child of
sshd that has root privileges. For TCP server sockets, sshd explicitly checks
whether an attempt is made to bind to a low port (below IPPORT_RESERVED) and, if
so, requires the client to authenticate as root. However, for UNIX domain
sockets, no such security measures are implemented.

This means that, using "ssh -L", an attacker who is permitted to log in as a
normal user over SSH can effectively connect to non-abstract unix domain sockets
with root privileges. On systems that run systemd, this can for example be
exploited by asking systemd to add an LD_PRELOAD environment variable for all
following daemon launches and then asking it to restart cron or so. The attached
exploit demonstrates this - if it is executed on a system with systemd where
the user is allowed to ssh to his own account and where privsep is disabled, it
yields a root shell.

Часовой пояс GMT +3, время: 15:00.

Powered by vBulletin® Version 3.8.5
Copyright ©2000 - 2021, Jelsoft Enterprises Ltd. Перевод: zCarot