February 8, 2008: a root exploit bug was found in kernel versions 2.6.17 through 2.6.24.1. Because this bug is in the kernel itself, it is independent of the distribution; every distribution shipping one of the kernel versions above is affected. (On CentOS 5.1, when I tested it on my notebook, the machine went down (hung) with a kernel panic.)
Summary: a user who has shell access can log in and obtain root privileges.
***Be sure to update the kernel, or patch it and recompile it.***
* Test run *
[test@localhost tmp]$ ./ex
-----------------------------------
 Linux vmsplice Local Root Exploit
 By qaaz
-----------------------------------
[+] mmap: 0x0 .. 0x1000
[+] page: 0x0
[+] page: 0x20
[+] mmap: 0x4000 .. 0x5000
[+] page: 0x4000
[+] page: 0x4020
[+] mmap: 0x1000 .. 0x2000
[+] page: 0x1000
[+] mmap: 0xb7f3c000 .. 0xb7f6e000
[+] root
[test@localhost tmp]# id
uid=0(root) gid=0(root) groups=510(test)
* How to fix it *
1. If you must keep the existing kernel, change the kernel source file /usr/src/linux/fs/splice.c as shown below, then recompile the kernel and reboot. (Add the part marked in red below and recompile the kernel.)
2. Download a kernel of version 2.6.24.2 or later, compile it, and use that. http://www.kernel.org
Kernel 2.6.24.2 changelog entry (ChangeLog-2.6.24.2)
commit c78cb439103bf7deba5feb64921398d0ff93179a
Author: Greg Kroah-Hartman <gregkh@suse.de>
Date:   Sun Feb 10 21:51:11 2008 -0800

    Linux 2.6.24.2

commit 1617e66d11d6621824f642728d62f242272fd063
Author: Bastian Blank <bastian@waldi.eu.org>
Date:   Sun Feb 10 16:47:57 2008 +0200

    splice: fix user pointer access in get_iovec_page_array()

    patch 712a30e63c8066ed84385b12edbfb804f49cbc44 in mainline.

    Commit 8811930dc74a503415b35c4a79d14fb0b408a361 ("splice: missing user
    pointer access verification") added the proper access_ok() calls to
    copy_from_user_mmap_sem() which ensures we can copy the struct iovecs
    from userspace to the kernel.

    But we also must check whether we can access the actual memory region
    pointed to by the struct iovec to fix the access checks properly.

    Signed-off-by: Bastian Blank <waldi@debian.org>
    Acked-by: Oliver Pinter <oliver.pntr@gmail.com>
    Cc: Jens Axboe <jens.axboe@oracle.com>
    Cc: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Pekka Enberg <penberg@cs.helsinki.fi>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

3. Until the CentOS project publishes an official statement, update with the kernel rpm built by erek. http://erek.blumenthals.com/blog/2008/02/11/rhel-5-centos-5-kernel-rpms-patched-against-vmsplice-local-root-exploit/
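The two-stage check the changelog describes, modelled in user space as an added example (this is neither the kernel's code nor the red diff the fix step refers to): region_ok plays the role of access_ok(), with a constructed USER_LIMIT standing in for the user/kernel boundary; iovecs_ok_shallow validates only the array of iovec structs, which is the state after the first commit; iovecs_ok_deep also validates every memory region the entries point to, which is what the second commit adds. All names and addresses are assumptions made for the example.

```c
#include <stdio.h>

/* Constructed stand-in for the user/kernel boundary (TASK_SIZE is 0xC0000000
 * on a 32-bit x86 kernel); any address at or above it is kernel memory. */
#define USER_LIMIT 0xC0000000UL

/* A user-supplied iovec as the kernel receives it: address and length, both
 * untrusted.  Same shape as struct iovec, with integer fields so the range
 * arithmetic below is explicit. */
struct user_iovec {
    unsigned long base;
    unsigned long len;
};

/* Model of access_ok(): [base, base+len) must lie entirely below limit, and
 * the end must not wrap past the start. */
int region_ok(unsigned long base, unsigned long len, unsigned long limit)
{
    if (len > limit)            /* cannot fit below the boundary at all */
        return 0;
    if (base > limit - len)     /* end would cross the boundary */
        return 0;
    return 1;
}

/* Shallow check: only the array of iovec structs is validated.  An array whose
 * entries point into kernel memory still passes; this is the gap the changelog
 * describes. */
int iovecs_ok_shallow(unsigned long array_addr, unsigned long nr, unsigned long limit)
{
    if (nr > limit / sizeof(struct user_iovec))   /* nr * size would overflow */
        return 0;
    return region_ok(array_addr, nr * sizeof(struct user_iovec), limit);
}

/* Deep check: validate the array, then every region an entry points to. */
int iovecs_ok_deep(unsigned long array_addr, const struct user_iovec *iov,
                   unsigned long nr, unsigned long limit)
{
    unsigned long i;
    if (!iovecs_ok_shallow(array_addr, nr, limit))
        return 0;
    for (i = 0; i < nr; i++)
        if (!region_ok(iov[i].base, iov[i].len, limit))
            return 0;
    return 1;
}

int main(void)
{
    /* Constructed inputs: a benign array, and one whose second entry points
     * into kernel space while the array itself sits in user space. */
    struct user_iovec benign[]  = { { 0x08000000UL, 0x1000UL } };
    struct user_iovec hostile[] = { { 0x08000000UL, 0x1000UL },
                                    { 0xC0100000UL, 0x100UL } };
    unsigned long array_addr = 0xBF000000UL;   /* assumed location of the array */

    printf("benign : shallow=%d deep=%d\n",
           iovecs_ok_shallow(array_addr, 1, USER_LIMIT),
           iovecs_ok_deep(array_addr, benign, 1, USER_LIMIT));
    printf("hostile: shallow=%d deep=%d\n",
           iovecs_ok_shallow(array_addr, 2, USER_LIMIT),
           iovecs_ok_deep(array_addr, hostile, 2, USER_LIMIT));
    return 0;
}
```

The hostile array passes the shallow check and fails only the deep one, which is exactly why the first commit alone was not enough: copying the iovec structs safely says nothing about where those structs point.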
* After updating to the patched kernel *
[multi@localhost ~]$ su -
암호:
[root@localhost ~]# cd /usr/local/src/
[root@localhost src]# mkdir kernel
[root@localhost src]# cd kernel/
[root@localhost kernel]# lftpget http://erek.blumenthals.com/vmsplicekernels/kernel-2.6.18-53.1.7.el5.erek.i686.rpm
[root@localhost kernel]# lftpget http://erek.blumenthals.com/vmsplicekernels/kernel-devel-2.6.18-53.1.7.el5.erek.i686.rpm
[root@localhost kernel]# ls
kernel-2.6.18-53.1.7.el5.erek.i686.rpm  kernel-devel-2.6.18-53.1.7.el5.erek.i686.rpm
[root@localhost kernel]# rpm -Uvh kernel-2.6.18-53.1.7.el5.erek.i686.rpm
준비 중...                ########################################### [100%]
   1:kernel                ########################################### [100%]
[root@localhost kernel]# rpm -Uvh kernel-devel-2.6.18-53.1.7.el5.erek.i686.rpm
준비 중...                ########################################### [100%]
   1:kernel-devel          ########################################### [100%]
[root@localhost ~]#
Looking at grub.conf afterwards, it simply wiped the old entries and left only the patched kernel. ^^
[root@localhost ~]# cat /boot/grub/grub.conf
# grub.conf generated by anaconda
#
# Note that you do not have to rerun grub after making changes to this file
# NOTICE:  You do not have a /boot partition.  This means that
#          all kernel and initrd paths are relative to /, eg.
#          root (hd0,0)
#          kernel /boot/vmlinuz-version ro root=/dev/hda1
#          initrd /boot/initrd-version.img
#boot=/dev/hda
default=0
timeout=5
splashimage=(hd0,0)/boot/grub/splash.xpm.gz
hiddenmenu
title CentOS (2.6.18-53.1.7.el5.erek)
        root (hd0,0)
        kernel /boot/vmlinuz-2.6.18-53.1.7.el5.erek ro root=LABEL=/ rhgb quiet
        initrd /boot/initrd-2.6.18-53.1.7.el5.erek.img
[root@localhost kernel]# reboot
*** Test after reboot ***
[multi@localhost tmp]$ gcc -o ex ex.c
[multi@localhost tmp]$ ls -al ex
-rwxrwxr-x 1 multi multi 8516  2월 12 19:53 ex
[multi@localhost tmp]$ ./ex
-----------------------------------
 Linux vmsplice Local Root Exploit
 By qaaz
-----------------------------------
[+] mmap: 0x0 .. 0x1000
[+] page: 0x0
[+] page: 0x20
[+] mmap: 0x4000 .. 0x5000
[+] page: 0x4000
[+] page: 0x4020
[+] mmap: 0x1000 .. 0x2000
[+] page: 0x1000
[+] mmap: 0xb7f3c000 .. 0xb7f6e000
[-] vmsplice: Bad address
[multi@localhost tmp]$

When Linux is used as a server, most administrators hand out ordinary user accounts to other people.
In that situation, unless the accounts exist for study purposes, it is better not to grant shell access at all (set the account's shell to /bin/false in /etc/passwd).
The reason is that rootkits like the one above are published from time to time, and each one means extra work for the server operator.
If you are going to run a server, then from a security standpoint: always use a dedicated server; register only one user account with shell access; designate only one account with remote (ssh) access; make passwords as long as practical; and restrict the ability to become superuser with the su command to one group of accounts (the wheel group) by setting the group on su's permissions to wheel and allowing execution by that group only. Running the server this way makes for considerably more stable operation.
To say it once more: unless there is no alternative, I recommend running the server as a dedicated server.
[Source: Korean Linux User Group]