centos exploit技术交流

Common Exploits and Technical Details for CentOS Systems

1. Dirty Cow (CVE-2016-5195)

Dirty Cow is a race condition vulnerability in the Linux kernel’s Copy-on-Write (CoW) mechanism, allowing unprivileged users to bypass read-only memory restrictions and escalate privileges to root. The flaw exists in how the kernel handles memory pages during CoW operations, enabling attackers to modify sensitive system files.
Typical Exploitation Steps:

• Obtain the EXP code (e.g., dirtycow.c from GitHub).
• Compile the code using gcc -pthread dirtycow.c -o dirtycow -lcrypt.
• Execute the binary and follow on-screen prompts (e.g., entering a preset password) to complete the privilege escalation.
  This exploit is one of the most infamous for CentOS systems, affecting versions prior to CentOS 7.4 (kernel 3.10.0-693).

2. Pkexec Vulnerabilities (e.g., CVE-2013-4287, CVE-2017-1000367)

Pkexec is a setuid utility designed to allow ordinary users to execute commands as root. Multiple vulnerabilities in pkexec stem from improper argument handling—for example, CVE-2017-1000367 occurs when pkexec fails to validate the number of arguments, treating environment variables as executable commands.
Typical Exploitation Steps:

• Download an EXP script (e.g., pkexec_exp.c).
• Compile with gcc pkexec_exp.c -o pkexec_exp.
• Run the compiled binary; pkexec will execute the injected command (e.g., spawning a root shell).
  CentOS 6, 7, and 8 are commonly impacted by these vulnerabilities.

3. SUID Privilege Escalation

The Set User ID (SUID) bit allows users to execute files with the permissions of the file owner (typically root). Misconfigured SUID binaries (e.g., find, vim, bash) can be abused to gain root access.
Common Methods:

• Find Command: Execute find / -perm -u=s -type f 2>/dev/null to locate SUID files. If /usr/bin/find has the SUID bit set, run find / -exec /bin/bash \; to spawn a root shell.
• Vim Command: For /usr/bin/vim with SUID, use vim -c '!bash' to start a root shell.
• Bash Command: If /bin/bash has SUID, run bash -p to switch to root.
  Regularly auditing SUID files (e.g., via find commands) is critical to mitigating this risk.

4. sudo Configuration Errors (e.g., CVE-2021-3156)

The sudo utility permits privileged command execution for authorized users. Misconfigurations (e.g., allowing execution of dangerous commands like awk, less, or vim) can be exploited to bypass authentication and modify system files (e.g., adding a root user to /etc/passwd).
Typical Exploitation Steps:

• Modify the sudoers file (via visudo) to grant unsafe permissions (e.g., user1 ALL=(ALL) NOPASSWD: /usr/bin/awk).
• Execute a malicious command (e.g., sudo awk 'BEGIN {system("/bin/bash")}') to spawn a root shell.
  CentOS 7 and 8 systems running sudo 1.8.9–1.8.23 are vulnerable.

5. Kernel Use-After-Free Vulnerabilities (e.g., CVE-2024-1086)

CVE-2024-1086 is a high-severity use-after-free vulnerability in the netfilter subsystem’s nf_tables component. It occurs when the kernel fails to properly handle freed memory, allowing local attackers to execute arbitrary code with root privileges.
Typical Exploitation Steps:

• Download the EXP code (e.g., cve-2024-1086_exp.c).
• Compile with gcc cve-2024-1086_exp.c -o cve-2024-1086_exp.
• Execute the binary; successful exploitation grants root access.
  This vulnerability affects CentOS systems with unpatched kernels (prior to versions addressing the fix). Testing should be performed in isolated environments to avoid disrupting production systems.

Key Mitigation Strategies

• Patch Regularly: Apply security updates for the kernel, sudo, and other critical packages (e.g., yum update kernel for CentOS 7/8).
• Restrict SUID/SGID: Use find / -perm -4000 2>/dev/null to identify and remove unnecessary SUID/SGID files.
• Hardening sudo: Configure sudoers to limit commands to least privilege (e.g., avoid NOPASSWD for dangerous tools).
• Network Segmentation: Isolate vulnerable systems from untrusted networks to reduce exposure to remote exploits.
• Monitor Activity: Use tools like SELinux, auditd, or intrusion detection systems (IDS) to detect anomalous behavior (e.g., unexpected process creation, unauthorized file modifications).