运行 setgid 时 printf 中的不安全依赖关系
作为我的安全课程的一部分,我们必须利用安全性较低的 ubuntu 版本中的许多漏洞。我解决了所有挑战,但是我遇到了一个问题,我希望有人能够阐明这一问题。
每个挑战都是一个 setgid 二进制文件,当它被接管时,攻击者将获得下一级特权。为了添加到该级别的组,需要运行命令 l33t,该命令实际上运行 adduser。
在我的一次攻击中,我的 shellcode 只是调用了 exec l33t,然后我收到了以下消息: 运行 setgid 时 printf 中的不安全依赖关系 /usr/share/perl5/Debian/AdduserCommon.pm 第 64 行。
为了解决这个问题,我创建了一个工作正常的两行 bourne shell:
#!/bin/sh
l33t
任何人都可以解释为什么我看到不安全依赖问题吗?
As part of my security class we had to exploit a number of vulnerabilities in a less secure version of ubuntu. I solved all the challenges, however I came across one problem which I am hoping someone can shed some light on.
Each challenge was a setgid binary, which when taken over would give the attacker the next level privilege. In order to be added to that level's group, one would run the command l33t which essentially ran adduser <user> <group>.
On one of my exploits, my shellcode simply made a call to exec l33t and I received this message:
Insecure dependency in printf while running setgid at
/usr/share/perl5/Debian/AdduserCommon.pm line 64.
To get around the problem, I created a two line bourne shell that worked fine:
#!/bin/sh
l33t
Can anyone explain why I saw the Insecure dependency problem?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
如果您还不了解污点模式:它会导致所有用户输入被标记为“受污染”,并且将拒绝输出任何“受污染”值(这意味着您必须明确“去污染”不受信任的输入)。
无论如何,
AdduserCommon.pm的第 64 行是dief函数中的sprintf...所以我怀疑发生的情况是,当您调用 < code>l33t 直接,adduser脚本遇到某种错误,然后当adduser尝试报告该错误时会引发污点错误。If you don't already know about taint mode: it causes all user input to be marked as “tainted”, and will refuse to output any “tainted” value (the implication being that you must explicitly “untaint” untrusted input).
Anyway, line 64 of
AdduserCommon.pmis ansprintfin thedieffunction… So I suspect what is happening is that, when you calll33tdirectly, theadduserscript encounters some kind of error, then the taint error is raised whenaddusertries to report that error.