Qualys has identified a vulnerability (CVE-2021-4034) in the Polkit system component (formerly PolicyKit), which distributions use to let unprivileged users perform actions that require elevated access rights. The vulnerability allows an unprivileged local user to escalate their privileges to root and gain full control of the system. The issue, codenamed PwnKit, is notable because a working exploit has been developed that succeeds in the default configuration of most Linux distributions.
The problem lies in PolKit's pkexec utility, which ships with the SUID root flag set and is designed to run commands with another user's privileges according to the configured PolKit rules. Because of incorrect handling of the command-line arguments passed to pkexec, an unprivileged user can bypass authentication and run their own code as root regardless of the configured access rules. For the attack it does not matter what settings and restrictions are defined in PolKit; it is enough that the SUID root attribute is set on the executable file of the pkexec utility.
Pkexec does not validate the command-line argument count (argc) passed when the process starts. The pkexec developers assumed that the first entry of the argv array always holds the process name (pkexec) and that the second is either NULL or the name of the command to be launched via pkexec. Since the argument count was not checked against the actual contents of the array and was assumed to always be greater than 1, passing an empty argv array to the process, which the execve function in Linux allows, makes pkexec treat NULL as the first argument (the process name) and the memory beyond the end of the buffer as the rest of the array.

    |---------+---------+-----+------------+---------+------------+-----+------------|
    | argv[0] | argv[1] | ... | argv[argc] | envp[0] | envp[1]    | ... | envp[envc] |
    |----|----+----|----+-----+-----|------+----|----+-----|------+-----+-----|------|
         V         V               V             V          V                V
     "program" "-option"          NULL        "value"  "PATH=name"          NULL
The problem is that the argv array is immediately followed in memory by the envp array, which holds the environment variables. So when the argv array is empty, pkexec reads the data describing the command to run with elevated privileges from the first element of the environment-variable array (argv[1] coincides with envp[0]), whose contents are controlled by the attacker.
Having obtained the value of argv[1], pkexec tries, taking into account the directories listed in PATH, to determine the full path to the executable file, and writes a pointer to the string containing the full path back into argv[1]. This overwrites the value of the first environment variable, since argv[1] coincides with envp[0]. By manipulating the name of the first environment variable, an attacker can cause pkexec to substitute a different environment variable, for example the "LD_PRELOAD" variable, which is not permitted in SUID programs, and arrange for their own library to be loaded into the process.
The working exploit substitutes the GCONV_PATH variable, which is used to determine the path to the character-transcoding library that is loaded dynamically when the g_printerr() function is called, whose code uses iconv_open(). By redefining the path in GCONV_PATH, an attacker can arrange for their own library to be loaded instead of the standard iconv library; its handlers are executed when an error message is printed, at a stage when pkexec is still running with root privileges and before the permission to launch the command has been checked.
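To make the missing argument-count check concrete, here is an added, simplified C model of the argument handling described above (illustrative code written for this page, not the real pkexec source): one function trusts argc the way pkexec did, the other refuses an empty argv the way the fix does. The process images are constructed inline to mirror how execve() lays out argv followed by envp.

```c
#include <stdio.h>
#include <string.h>

/* Unchecked variant (models the flaw): assumes argc >= 1, so when argc == 0
 * the option-skipping loop never runs and argv[1] is read, which in a real
 * process image is envp[0], the first environment string. */
const char *find_command_unchecked(int argc, char **argv)
{
    int n = 1;
    while (n < argc && argv[n][0] == '-')
        n++;                      /* skip "-option" style arguments */
    return argv[n];               /* out-of-bounds read when argc == 0 */
}

/* Hardened variant (models the fix): reject an empty argv before touching it,
 * and also report the case where only options and no command were given. */
const char *find_command_checked(int argc, char **argv)
{
    if (argc < 1)
        return NULL;              /* started via execve() with an empty argv */
    int n = 1;
    while (n < argc && argv[n][0] == '-')
        n++;
    if (n >= argc)
        return NULL;              /* options only, no command to run */
    return argv[n];
}

/* Constructed image for argc == 0: argv holds only its NULL terminator and the
 * environment strings follow immediately, so image[1] is envp[0]. */
char *empty_argv_image[] = { NULL, "LANG=C.UTF-8", "PATH=/usr/bin", NULL };

/* Constructed image for a normal invocation: "pkexec id" (argc == 2). */
char *normal_image[] = { "pkexec", "id", NULL };

int main(void)
{
    const char *c = find_command_unchecked(0, empty_argv_image);
    printf("unchecked, argc=0 -> command taken from envp[0]: \"%s\"\n", c);
    printf("checked,   argc=0 -> %s\n",
           find_command_checked(0, empty_argv_image) ? "accepted" : "rejected");
    printf("checked,   argc=2 -> \"%s\"\n", find_command_checked(2, normal_image));
    return 0;
}
```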
It is noted that although the problem is caused by memory corruption, it can be exploited reliably and repeatably regardless of the hardware architecture in use. The prepared exploit was successfully tested on Ubuntu, Debian, Fedora and CentOS, but it can also be used on other distributions. The original exploit has not yet been made public, which indicates that it is trivial and can easily be recreated by other researchers, so it is important to install the patch as soon as possible on multi-user systems. Polkit is also available for BSD systems and Solaris, but exploitation on them has not been studied. What is known is that the attack cannot be carried out on OpenBSD, since the OpenBSD kernel does not allow a zero argc value to be passed to execve().
The problem has been present since May 2009, when the pkexec command was added. A fix for the vulnerability in PolKit is currently available as a patch (no fixed release has been published yet), but since distribution developers were notified of the problem in advance, most distributions published an update at the same time as the vulnerability was disclosed. The problem has been fixed in RHEL 6/7/8, Debian, Ubuntu, openSUSE, SUSE, Fedora, ALT Linux, ROSA, Gentoo, Void Linux, Arch Linux and Manjaro. As a temporary workaround to block the vulnerability, you can remove the SUID root flag from the /usr/bin/pkexec program ("chmod 0755 /usr/bin/pkexec").
Source: opennet.ru
