{"id":10517,"date":"2025-10-20T13:26:05","date_gmt":"2025-10-20T06:26:05","guid":{"rendered":"https:\/\/infosec.new88088.net\/?p=10517"},"modified":"2026-02-05T13:26:11","modified_gmt":"2026-02-05T06:26:11","slug":"lo-hong-trong-he-thong-xac-thuc-linux-pam-co-the-cho-phep-nguoi-dung-chiem-quyen-root","status":"publish","type":"post","link":"https:\/\/infosec.new88088.net\/2025\/10\/20\/lo-hong-trong-he-thong-xac-thuc-linux-pam-co-the-cho-phep-nguoi-dung-chiem-quyen-root\/","title":{"rendered":"L\u1ed7 h\u1ed5ng trong h\u1ec7 th\u1ed1ng x\u00e1c th\u1ef1c Linux-PAM c\u00f3 th\u1ec3 cho ph\u00e9p ng\u01b0\u1eddi d\u00f9ng chi\u1ebfm quy\u1ec1n root"},"content":{"rendered":"

M\u1ed9t l\u1ed7 h\u1ed5ng b\u1ea3o m\u1eadt v\u1eeba \u0111\u01b0\u1ee3c c\u00f4ng b\u1ed1 trong h\u1ec7 th\u1ed1ng x\u00e1c th\u1ef1c n\u1ed5i ti\u1ebfng Pluggable Authentication Modules (Linux-PAM). \u0110\u01b0\u1ee3c \u0111\u1ecbnh danh v\u1edbi m\u00e3 CVE-2025-8941, l\u1ed7 h\u1ed5ng n\u00e0y cho ph\u00e9p ng\u01b0\u1eddi d\u00f9ng c\u00f3 quy\u1ec1n truy c\u1eadp c\u1ee5c b\u1ed9 c\u00f3 th\u1ec3 khai th\u00e1c \u0111\u1ec3 chi\u1ebfm to\u00e0n quy\u1ec1n ki\u1ec3m so\u00e1t h\u1ec7 th\u1ed1ng th\u00f4ng qua m\u1ed9t chu\u1ed7i c\u00e1c k\u1ef9 thu\u1eadt tinh vi nh\u01b0: T\u1ea5n c\u00f4ng li\u00ean k\u1ebft t\u01b0\u1ee3ng tr\u01b0ng v\u00e0 \u0110i\u1ec1u ki\u1ec7n tranh ch\u1ea5p.<\/b><\/p>\n

\"1760942587457.png\"<\/a>\u200b<\/div>\n

D\u00f9 kh\u00f4ng th\u1ec3 khai th\u00e1c t\u1eeb xa, nh\u01b0ng trong m\u00f4i tr\u01b0\u1eddng nhi\u1ec1u ng\u01b0\u1eddi d\u00f9ng ho\u1eb7c h\u1ec7 th\u1ed1ng m\u00e1y ch\u1ee7, nguy c\u01a1 b\u1ecb khai th\u00e1c l\u1ed7 h\u1ed5ng n\u00e0y \u0111\u1ec3 l\u00e0m r\u00f2 r\u1ec9 d\u1eef li\u1ec7u, c\u00e0i m\u00e3 \u0111\u1ed9c ho\u1eb7c ph\u00e1 h\u1ee7y h\u1ec7 th\u1ed1ng l\u00e0 ho\u00e0n to\u00e0n c\u00f3 th\u1ec3 x\u1ea3y ra v\u00e0 \u0111ang khi\u1ebfn gi\u1edbi b\u1ea3o m\u1eadt ph\u1ea3i \u201c\u0111\u1ee9ng ng\u1ed3i kh\u00f4ng y\u00ean\u201d.<\/p>\n

L\u1ed7 h\u1ed5ng \u0111\u01b0\u1ee3c ph\u00e1t hi\u1ec7n v\u00e0 c\u00f4ng b\u1ed1 b\u1edfi c\u00e1c chuy\u00ean gia b\u1ea3o m\u1eadt t\u1eeb nh\u00f3m nghi\u00ean c\u1ee9u Ameeba Security. H\u1ecd \u0111\u00e3 ph\u00e2n t\u00edch s\u00e2u v\u00e0o module pam_namespace (m\u1ed9t th\u00e0nh ph\u1ea7n trong Linux-PAM ch\u1ecbu tr\u00e1ch nhi\u1ec7m t\u1ea1o kh\u00f4ng gian t\u00ean ri\u00eang bi\u1ec7t cho c\u00e1c phi\u00ean l\u00e0m vi\u1ec7c c\u1ee7a ng\u01b0\u1eddi d\u00f9ng).<\/p>\n

M\u1ee5c ti\u00eau ban \u0111\u1ea7u c\u1ee7a module n\u00e0y l\u00e0 b\u1ea3o v\u1ec7 ng\u01b0\u1eddi d\u00f9ng b\u1eb1ng c\u00e1ch t\u00e1ch bi\u1ec7t m\u00f4i tr\u01b0\u1eddng l\u00e0m vi\u1ec7c, nh\u01b0ng l\u1ea1i v\u00f4 t\u00ecnh \u0111\u1ec3 l\u1ed9 ra m\u1ed9t \u0111i\u1ec3m y\u1ebfu ch\u1ebft ng\u01b0\u1eddi: X\u1eed l\u00fd kh\u00f4ng \u0111\u00fang c\u00e1c \u0111\u01b0\u1eddng d\u1eabn do ng\u01b0\u1eddi d\u00f9ng ki\u1ec3m so\u00e1t, d\u1eabn \u0111\u1ebfn vi\u1ec7c c\u00f3 th\u1ec3 ch\u00e8n c\u00e1c li\u00ean k\u1ebft t\u01b0\u1ee3ng tr\u01b0ng (symlink) v\u00e0 khai th\u00e1c \u0111i\u1ec1u ki\u1ec7n th\u1eddi gian (race condition) khi h\u1ec7 th\u1ed1ng t\u1ea1o th\u01b0 m\u1ee5c.<\/p>\n

2. C\u00e1ch th\u1ee9c khai th\u00e1c\u200b<\/h4>\n

T\u01b0\u1edfng t\u01b0\u1ee3ng m\u1ed9t ng\u01b0\u1eddi d\u00f9ng b\u00ecnh th\u01b0\u1eddng tr\u00ean h\u1ec7 th\u1ed1ng Linux t\u1ea1o m\u1ed9t li\u00ean k\u1ebft t\u01b0\u1ee3ng tr\u01b0ng t\u1eeb th\u01b0 m\u1ee5c c\u1ee7a m\u00ecnh \u0111\u1ebfn th\u01b0 m\u1ee5c \/root (v\u1ed1n ch\u1ec9 d\u00e0nh ri\u00eang cho qu\u1ea3n tr\u1ecb vi\u00ean h\u1ec7 th\u1ed1ng):<\/p>\n

\n
\n
ln -s \/root \/tmp\/victim\/symlink<\/div>\n
Nh\u1ea5n \u0111\u1ec3 m\u1edf r\u1ed9ng…<\/a><\/div>\n<\/div>\n<\/blockquote>\n

Khi h\u1ec7 th\u1ed1ng \u0111ang th\u1ef1c hi\u1ec7n vi\u1ec7c t\u1ea1o th\u01b0 m\u1ee5c c\u00e1ch ly cho ng\u01b0\u1eddi d\u00f9ng n\u00e0y, n\u1ebfu ng\u01b0\u1eddi t\u1ea5n c\u00f4ng canh \u0111\u00fang th\u1eddi \u0111i\u1ec3m, h\u1ec7 th\u1ed1ng s\u1ebd v\u00f4 t\u00ecnh t\u1ea1o th\u01b0 m\u1ee5c b\u00ean trong \/root. L\u00fac n\u00e0y, th\u00f4ng qua vi\u1ec7c \u0111i\u1ec1u ch\u1ec9nh quy\u1ec1n truy c\u1eadp, ng\u01b0\u1eddi d\u00f9ng th\u01b0\u1eddng c\u00f3 th\u1ec3 chi\u1ebfm to\u00e0n quy\u1ec1n \u0111i\u1ec1u khi\u1ec3n h\u1ec7 th\u1ed1ng:<\/p>\n

\n
\n
chmod 777 \/root<\/div>\n
Nh\u1ea5n \u0111\u1ec3 m\u1edf r\u1ed9ng…<\/a><\/div>\n<\/div>\n<\/blockquote>\n

D\u00f9 vi\u1ec7c khai th\u00e1c th\u1ef1c t\u1ebf \u0111\u00f2i h\u1ecfi k\u1ef9 thu\u1eadt cao v\u00e0 k\u1ecbch b\u1ea3n ph\u1ee9c t\u1ea1p, nh\u01b0ng k\u1ebft qu\u1ea3 cu\u1ed1i c\u00f9ng l\u00e0 quy\u1ec1n root (quy\u1ec1n cao nh\u1ea5t trong h\u1ec7 \u0111i\u1ec1u h\u00e0nh Unix\/Linux). M\u1ed9t khi \u0111\u1ea1t \u0111\u01b0\u1ee3c, k\u1ebb t\u1ea5n c\u00f4ng c\u00f3 th\u1ec3:<\/p>\n