首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛

当前位置：主页>安全文章>文章资料>Exploits>文章内容 chkrootkit 0.49 - Local Root Vulnerability 来源：vfocus.net 作者：Stangner 发布时间：2014-06-30   We just found a serious vulnerability in the chkrootkit package, which may allow local attackers to gain root access to a box in certain configurations (/tmp not mounted noexec). The vulnerability is located in the function slapper() in the shellscript chkrootkit: # # SLAPPER.{A,B,C,D} and the multi-platform variant # slapper (){    SLAPPER_FILES="${ROOTDIR}tmp/.bugtraq ${ROOTDIR}tmp/.bugtraq.c"    SLAPPER_FILES="$SLAPPER_FILES ${ROOTDIR}tmp/.unlock ${ROOTDIR}tmp/httpd \    ${ROOTDIR}tmp/update ${ROOTDIR}tmp/.cinik ${ROOTDIR}tmp/.b"a    SLAPPER_PORT="0.0:2002 |0.0:4156 |0.0:1978 |0.0:1812 |0.0:2015 "    OPT=-an    STATUS=0    file_port=    if ${netstat} "${OPT}"|${egrep} "^tcp"|${egrep} "${SLAPPER_PORT}"> /dev/null 2>&1       then       STATUS=1       [ "$SYSTEM" = "Linux" ] && file_port=`netstat -p ${OPT} | \          $egrep ^tcp|$egrep "${SLAPPER_PORT}" | ${awk} '{ print  $7 }' | tr -d :`    fi    for i in ${SLAPPER_FILES}; do       if [ -f ${i} ]; then          file_port=$file_port $i          STATUS=1       fi    done    if [ ${STATUS} -eq 1 ] ;then       echo "Warning: Possible Slapper Worm installed ($file_port)"    else       if [ "${QUIET}" != "t" ]; then echo "not infected"; fi          return ${NOT_INFECTED}    fi } The line 'file_port=$file_port $i' will execute all files specified in $SLAPPER_FILES as the user chkrootkit is running (usually root), if $file_port is empty, because of missing quotation marks around the variable assignment. Steps to reproduce: - Put an executable file named 'update' with non-root owner in /tmp (not mounted noexec, obviously) - Run chkrootkit (as uid 0) Result: The file /tmp/update will be executed as root, thus effectively rooting your box, if malicious content is placed inside the file. If an attacker knows you are periodically running chkrootkit (like in cron.daily) and has write access to /tmp (not mounted noexec), he may easily take advantage of this. Suggested fix: Put quotation marks around the assignment. file_port="$file_port $i" I will also try to contact upstream, although the latest version of chkrootkit dates back to 2009 - will have to see, if I reach a dev there.   [推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]   匿名评论 评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。  §最新评论：

热点文章 ·CVE-2012-0217 Intel sysret exp ·Linux Kernel 2.6.32 Local Root ·Array Networks vxAG / xAPV Pri ·Novell NetIQ Privileged User M ·Array Networks vAPV / vxAG Cod ·Excel SLYK Format Parsing Buff ·PhpInclude.Worm - PHP Scripts ·Apache 2.2.0 - 2.2.11 Remote e ·VideoScript 3.0 <= 4.0.1.50 Of ·Yahoo! Messenger Webcam 8.1 Ac ·Family Connections <= 1.8.2 Re ·Joomla Component EasyBook 1.1   相关文章 ·HP AutoPass License Server Fil ·check_dhcp 2.0.2 (Nagios Plugi ·MS14-009 .NET Deployment Servi ·Gitlist <= 0.4.0 - Remote Code ·MS13-097 Registry Symlink IE S ·Supermicro Onboard IPMI Port 4 ·Python CGIHTTPServer File Disc ·OpenSSL DTLS Fragment Buffer O ·Internet Explorer 8, 9 & 10 - ·MongoDB NoSQL Collection Enume ·AlienVault OSSIM < 4.7.0 - av- ·Sun/Oracle GlassFish Authentic   推荐广告

CopyRight © 2002-2022 VFocuS.Net All Rights Reserved