<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<title>[AD_LAB-04003] Linux 2.6.* kernel Capability LSM module process credential local privilege escalation vulnerability</title>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312">
<meta name="Keywords" content="xfocus, honeynet, honeypot, forensic, intrusion detection, wireless security, security forums, security tools, exploits, security advisories, security vulnerabilities, security tutorials, security training, security help, security standards, security code, security resources, security programming, cryptography," />
<link rel="stylesheet" href="../../css/plone.css" type="text/css">
</head>

<body bgcolor="#FFFFFF" text="#000000">
<table class="columns">
  <tr>
    <td class="main">
	  <h1>[AD_LAB-04003] Linux 2.6.* kernel Capability LSM module process credential local privilege escalation vulnerability</h1><br>Created: 2004-12-23<br>Article type: original<br>Submitted by: <a href='https://www.xfocus.net/bbs/index.php?lang=cn&act=Profile&do=03&MID=20515'>flashsky</a> (flashsky1_at_sina.com)<br><br>[Security Advisory]<br />
Advisory: [AD_LAB-04003] Linux 2.6.* kernel Capability LSM module process credential local privilege escalation vulnerability<br />
Class: design error<br />
Date: 12/20/2004<br />
CVE ID: none<br />
Affected systems:<br />
&nbsp;&nbsp;&nbsp;&nbsp;Linux kernel 2.6.*<br />
Unaffected systems:<br />
<br />
1. Vulnerability description<br />
When the POSIX capability (Capability) LSM is not compiled into the kernel and the Capability module (commoncap.ko and capability.ko) is loaded later, every unprivileged user process that already existed at load time ends up holding the full set of root privileges.<br />
<br />
2. Technical details<br />
When privileged operations are mediated by the Capability LSM module, the kernel decides them from the process credentials (creds), that is, from the task's capability sets. When the Capability module is not compiled in, the kernel falls back to the default security module (security/dummy.c), whose mechanism is trivial: it only checks whether the process euid (or fsuid, for filesystem-related privileged operations) is 0. Under the dummy module the capability sets stored in each task are neither consulted nor maintained; every process simply copies its parent's credentials on fork. Followed back to the root of the process tree, every process, whether or not it belongs to the superuser, ends up with a copy of the init process's credentials, which contain the full capability set of a superuser process. As long as privilege decisions are made from the user ID this error is never triggered. Once the Capability module is loaded, however, privilege decisions switch to the process credentials, and the credentials of every process that already existed are identical to init's, so all of those processes hold the privileges of root. The root cause is that loading the Capability module does not recompute the credentials of existing processes according to the rules of the capability mechanism. Testing shows the problem is present in the 2.6.* Linux kernels.<br />
<br />
Example:<br />
With the Capability module not compiled into the kernel (if it is compiled in, disable the corresponding config option and rebuild the kernel), and before the module is loaded, run a vim editor as an unprivileged user and enter the following command in vim: <br />
<br />
:r /etc/shadow<br />
<br />
vim answers "can't open file /etc/shadow": the access to this root-owned file is denied.<br />
Do not exit vim. Switch to another console, log in as root and load the Capability module: <br />
<br />
#modprobe capability <br />
<br />
After the module has been loaded, go back to vim and try to open the shadow file again: as the unprivileged user you can now read, modify and save (w!) the shadow file. The reason is that the vim process's credentials contain the capabilities CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH, which allow it to perform privileged operations that bypass discretionary access control.<br />
<br />
Use the following command to view vim's credentials:<br />
<br />
<pre>
$ cat /proc/2454/status        (2454 is the pid of the vim process)

Name: vim
State: S (sleeping)
SleepAVG: 91%
Tgid: 2454
Pid: 2454
PPid: 1552
TracerPid: 0
Uid: 500 500 500 500
Gid: 500 500 500 500
FDSize: 256
Groups: 500
VmSize: 9356 kB
VmLck: 0 kB
VmRSS: 2728 kB
VmData: 856 kB
VmStk: 16 kB
VmExe: 1676 kB
VmLib: 3256 kB
Threads: 1
SigPnd: 0000000000000000
ShdPnd: 0000000000000000
SigBlk: 0000000000000000
SigIgn: 8000000000003000
SigCgt: 00000000ef824eff
CapInh: 0000000000000000
CapPrm: 00000000ffffffff
CapEff: 00000000fffffeff
</pre>
The last three lines are vim's credentials: although it runs as uid 500 it holds every capability except CAP_SETPCAP (bit 8, the single cleared bit in fffffeff).<br />
The test above passed on 2.6.* and on 2.5.72-lsm1.<br />
<br />
Fix<br />
Add the following function to security/capability.c:<br />
<pre>
/* Recompute a task's capability sets from its uids, following the rules the
 * Capability module applies after a setuid (cap_emulate_setxuid in
 * security/commoncap.c), so that tasks created while the dummy module was
 * active do not keep the init credentials they inherited. */
static void recompute_capability_creds(struct task_struct *task)
{
        /* leave the swapper and init alone */
        if (task-&gt;pid &lt;= 1)
                return;

        task_lock(task);
        task-&gt;keep_capabilities = 0;

        /* permitted: dropped only if real, effective and saved uid are all non-root */
        if ((task-&gt;uid &amp;&amp; task-&gt;euid &amp;&amp; task-&gt;suid) &amp;&amp; !task-&gt;keep_capabilities)
                cap_clear(task-&gt;cap_permitted);
        else
                task-&gt;cap_permitted = CAP_INIT_EFF_SET;

        /* effective: follows the effective uid */
        if (task-&gt;euid != 0) {
                cap_clear(task-&gt;cap_effective);
        } else {
                task-&gt;cap_effective = CAP_INIT_EFF_SET;
        }

        /* filesystem capabilities follow the filesystem uid */
        if (task-&gt;fsuid)
                task-&gt;cap_effective &amp;= ~CAP_FS_MASK;
        else
                task-&gt;cap_effective |= CAP_FS_MASK;

        task_unlock(task);
        return;
}
</pre>
and add the following to the existing capability_init function before it returns: <br />
<pre>
        struct task_struct *task;

        /* walk every existing process and bring its credentials in line with
         * the capability rules; for_each_process() visits thread-group
         * leaders only, use do_each_thread()/while_each_thread() to cover
         * every thread */
        read_lock(&amp;tasklist_lock);
        for_each_process(task) {
                recompute_capability_creds(task);
        }
        read_unlock(&amp;tasklist_lock);

        return 0;
</pre>
Repeat the test above and check vim's credentials again:<br />
<br />
<pre>
$ cat /proc/(pid of vim)/status

Name: vim
State: S (sleeping)
SleepAVG: 91%
Tgid: 2864
Pid: 2864
PPid: 1552
TracerPid: 0
Uid: 500 500 500 500
Gid: 500 500 500 500
FDSize: 256
Groups: 500
VmSize: 9360 kB
VmLck: 0 kB
VmRSS: 2816 kB
VmData: 860 kB
VmStk: 16 kB
VmExe: 1676 kB
VmLib: 3256 kB
Threads: 1
SigPnd: 0000000000000000
ShdPnd: 0000000000000000
SigBlk: 0000000000000000
SigIgn: 8000000000003000
SigCgt: 00000000ef824eff
CapInh: 0000000000000000
CapPrm: 0000000000000000
CapEff: 0000000000000000
</pre>
<br />
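The following C program is an added example for this page, not code from the advisory or from the kernel. It re-derives, from the Uid line of a /proc/&lt;pid&gt;/status dump, the permitted and effective sets that the uid-based rules of the Capability module (the same rules recompute_capability_creds above applies) would give a task, and reports the effective capabilities the task holds beyond that. Fed the two vim dumps above it reports 0xfffffeff of excess before the fix and none after it; run without arguments it checks /proc/self/status, or the pid given as its argument. The constants CAP_INIT_EFF_SET = 0xfffffeff and CAP_FS_MASK = 0x1f are the 2.6-era values the dumps reflect; the embedded status texts are constructed from those dumps, and the names parse_status, expected_permitted, expected_effective and excess_effective belong to this example only.<br />

```c
/* capcheck.c: added example for the advisory above, not kernel or advisory code.
 * Re-derives the capability sets a task should hold from its Uid line, using
 * the same uid-based rules as the advisory's recompute_capability_creds(),
 * and reports the effective capabilities held beyond that.
 * Assumes the 2.6-era 32-bit sets quoted in the advisory.
 * Build: cc -std=c99 -Wall -o capcheck capcheck.c      Run: ./capcheck [pid]
 */
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CAP_SETPCAP        8
#define CAP_TO_MASK(c)     (UINT64_C(1) << (c))
#define CAP_FULL_SET       UINT64_C(0xffffffff)           /* 32 capabilities in 2.6.x */
#define CAP_FS_MASK        UINT64_C(0x1f)                 /* CHOWN .. FSETID */
#define CAP_INIT_EFF_SET   (CAP_FULL_SET & ~CAP_TO_MASK(CAP_SETPCAP))  /* 0xfffffeff */

struct creds {
    unsigned uid, euid, suid, fsuid;
    uint64_t cap_inh, cap_prm, cap_eff;
};

/* Pull the Uid: and Cap*: lines out of /proc/<pid>/status text. 0 on success. */
int parse_status(const char *text, struct creds *c)
{
    int got = 0;
    const char *p = text;
    memset(c, 0, sizeof *c);
    while (p && *p) {
        if (sscanf(p, "Uid: %u %u %u %u", &c->uid, &c->euid, &c->suid, &c->fsuid) == 4)
            got |= 1;
        else if (sscanf(p, "CapInh: %" SCNx64, &c->cap_inh) == 1) got |= 2;
        else if (sscanf(p, "CapPrm: %" SCNx64, &c->cap_prm) == 1) got |= 4;
        else if (sscanf(p, "CapEff: %" SCNx64, &c->cap_eff) == 1) got |= 8;
        p = strchr(p, '\n');
        if (p) p++;
    }
    return got == 15 ? 0 : -1;
}

/* Permitted set: emptied only when real, effective and saved uid are all
 * non-root (a setuid-root program that temporarily dropped its euid keeps
 * it), otherwise the init set. */
uint64_t expected_permitted(unsigned uid, unsigned euid, unsigned suid)
{
    return (uid && euid && suid) ? 0 : CAP_INIT_EFF_SET;
}

/* Effective set: follows euid; the filesystem capabilities follow fsuid and
 * are re-added from the permitted set, as cap_task_post_setuid() in
 * security/commoncap.c does for LSM_SETID_FS. */
uint64_t expected_effective(unsigned uid, unsigned euid, unsigned suid, unsigned fsuid)
{
    uint64_t prm = expected_permitted(uid, euid, suid);
    uint64_t eff = euid ? 0 : CAP_INIT_EFF_SET;
    if (fsuid)
        eff &= ~CAP_FS_MASK;
    else
        eff |= (prm & CAP_FS_MASK);
    return eff;
}

/* Effective capabilities held beyond what the uids justify; UINT64_MAX when
 * the text cannot be parsed. Non-zero for a uid 500 task is the condition the
 * advisory describes. */
uint64_t excess_effective(const char *status_text)
{
    struct creds c;
    if (parse_status(status_text, &c) != 0)
        return UINT64_MAX;
    return c.cap_eff & ~expected_effective(c.uid, c.euid, c.suid, c.fsuid);
}

/* Constructed from the two vim status dumps in the advisory (before/after the fix). */
static const char VULN_STATUS[] =
    "Name:\tvim\nPid:\t2454\nUid:\t500\t500\t500\t500\nGid:\t500\t500\t500\t500\n"
    "CapInh:\t0000000000000000\nCapPrm:\t00000000ffffffff\nCapEff:\t00000000fffffeff\n";
static const char FIXED_STATUS[] =
    "Name:\tvim\nPid:\t2864\nUid:\t500\t500\t500\t500\nGid:\t500\t500\t500\t500\n"
    "CapInh:\t0000000000000000\nCapPrm:\t0000000000000000\nCapEff:\t0000000000000000\n";

int main(int argc, char **argv)
{
    char path[64], buf[8192];
    struct creds c;
    size_t n;
    FILE *f;

    snprintf(path, sizeof path, "/proc/%s/status", argc > 1 ? argv[1] : "self");
    if (!(f = fopen(path, "r"))) { perror(path); return 1; }
    n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    if (parse_status(buf, &c) != 0) { fprintf(stderr, "%s: no Uid/Cap lines\n", path); return 1; }
    printf("uid=%u euid=%u suid=%u fsuid=%u\n", c.uid, c.euid, c.suid, c.fsuid);
    printf("CapEff %016" PRIx64 " expected %016" PRIx64 " excess %016" PRIx64 "\n",
           c.cap_eff, expected_effective(c.uid, c.euid, c.suid, c.fsuid), excess_effective(buf));
    return excess_effective(buf) ? 2 : 0;
}
```

One deliberate difference from the patch above: when fsuid is 0 the example re-adds only the filesystem bits present in the permitted set, as cap_task_post_setuid in security/commoncap.c does for LSM_SETID_FS, rather than the whole CAP_FS_MASK. The two agree for every uid combination a task can reach without CAP_SETUID, because a task whose real, effective and saved uid are all non-zero cannot setfsuid(0). On kernels with file capabilities or more than 32 capabilities the uid-based expectation no longer holds for every task, so the live mode is only meaningful for the 2.6-era configuration the advisory describes.<br />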
3. Acknowledgements<br />
&nbsp;&nbsp;&nbsp;&nbsp;Liang Bin (liangbin@venustech.com.cn) discovered this vulnerability and published its technical details.<br />
&nbsp;&nbsp;&nbsp;&nbsp;Thanks to the colleagues at the Active Defense Lab of Venustech Information Technology Co., Ltd. and to the Fengshou project team.<br />
<br />
4. Disclaimer:<br />
&nbsp;&nbsp;&nbsp;&nbsp; <br />
The information in this bulletin is provided &quot;AS IS&quot; without warranty of any<br />
kind. In no event shall we be liable for any damages whatsoever including direct,<br />
indirect, incidental, consequential, loss of business profits or special damages. <br />
<br />
Copyright 1996-2004 VENUSTECH. All Rights Reserved. Terms of use.<br />
<br />
VENUSTECH Security Lab <br />
VENUSTECH INFORMATION TECHNOLOGY CO.,LTD(<a href='http://www.venustech.com.cn' target='_blank'>http://www.venustech.com.cn</a>)<br />
<br />
Trusted Security {Solution | Service} Provider
	</td>
  </tr>
</table>
<div class="footer">
  Copyright &copy; 1998-2003 XFOCUS Team. All Rights Reserved
</div>
</body>
</html>
