Chinaunix首页 | 论坛 | 博客
  • 博客访问: 661595
  • 博文数量: 139
  • 博客积分: 2655
  • 博客等级: 少校
  • 技术积分: 1723
  • 用 户 组: 普通用户
  • 注册时间: 2008-04-02 16:03
文章分类

全部博文(139)

文章存档

2013年(2)

2011年(17)

2010年(14)

2009年(86)

2008年(20)

分类: LINUX

2009-08-29 23:02:45

这个影响比较大,包括但不限于RedHat,CentOS,Suse,Debian,Ubuntu,Slackware,Mandriva,Gentoo及其衍生系统.

In the Linux kernel, each socket has an associated struct of operations
called proto_ops which contain pointers to functions implementing various
features, such as accept, bind, shutdown, and so on.

If an operation on a particular socket is unimplemented, they are expected
to point the associated function pointer to predefined stubs, for example if
the "accept" operation is undefined it would point to sock_no_accept(). However,
we have found that this is not always the case and some of these pointers are
left uninitialized.

This is not always a security issue, as the kernel validates the pointers at
the call site, such as this example from sock_splice_read:

static ssize_t sock_splice_read(struct file *file, loff_t *ppos,
                    struct pipe_inode_info *pipe, size_t len,
                unsigned int flags)
{
    struct socket *sock = file->private_data;

    if (unlikely(!sock->ops->splice_read))
        return -EINVAL;

    return sock->ops->splice_read(sock, ppos, pipe, len, flags);
}

But we have found an example where this is not the case; the sock_sendpage()
routine does not validate the function pointer is valid before dereferencing
it, and therefore relies on the correct initialization of the proto_ops
structure.

We have identified several examples where the initialization is incomplete:

- The SOCKOPS_WRAP macro defined in include/linux/net.h, which appears correct
  at first glance, was actually affected. This includes PF_APPLETALK, PF_IPX,
  PF_IRDA, PF_X25 and PF_AX25 families.

- Initializations were missing in other protocols, including PF_BLUETOOTH,
  PF_IUCV, PF_INET6 (with IPPROTO_SCTP), PF_PPPOX and PF_ISDN.

--------------------
Affected Software
------------------------

All Linux 2.4/2.6 versions since May 2001 are believed to be affected:

- Linux 2.4, from 2.4.4 up to and including 2.4.37.4
- Linux 2.6, from 2.6.0 up to and including 2.6.30.4

--------------------
Consequences
-----------------------

This issue is easily exploitable for local privilege escalation. In order to
exploit this, an attacker would create a mapping at address zero containing
code to be executed with privileges of the kernel, and then trigger a
vulnerable operation using a sequence like this:

/* ... */
    int fdin = mkstemp(template);
    int fdout = socket(PF_PPPOX, SOCK_DGRAM, 0);

    unlink(template);

    ftruncate(fdin, PAGE_SIZE);

    sendfile(fdout, fdin, NULL, PAGE_SIZE);
/* ... */

Please note, sendfile() is just one of many ways to cause a sendpage
operation on a socket.

Successful exploitation will lead to complete attacker control of the system.

-------------------
Mitigation
-----------------------

Recent kernels with mmap_min_addr support may prevent exploitation if
the sysctl vm.mmap_min_addr is set above zero. However, administrators
should be aware that LSM based mandatory access control systems, such
as SELinux, may alter this functionality.

It should also be noted that all kernels up to 2.6.30.2 are vulnerable to
published attacks against mmap_min_addr.

-------------------
Solution
-----------------------

Linus committed a patch correcting this issue on 13th August 2009.


[注]:linus认为kernel_sendpage() does the proper default case handling for when the
socket doesn't have a native sendpage implementation.
他给出的patch是将scok_sendpage函数中的return sock->ops->sendpage(sock, page, offset, size, flags);换成return kernel_sendpage(sock, page, offset, size, flags);

-------------------
Credit
-----------------------

This bug was discovered by Tavis Ormandy and Julien Tinnes of the Google
Security Team.

--

以前转载过利用udev攻击的例子,这次网上还搜到利用此漏洞提升权限的程序,原文参见
 
          wunderbar_emporium-3.tar.gz
         
BTW,

1.我按文章中说的设置sysctl -w  vm.mmap_min_addr = 1000(原来为65536),在ubuntu(8.04)和Fedora10下没用!

2.ubuntu下设置此也没用:cat > /etc/modprobe.d/mitigate-2692.conf << EOM
install ppp_generic /bin/true
install pppoe /bin/true
install pppox /bin/true
install slhc /bin/true
install bluetooth /bin/true
install ipv6 /bin/true
install irda /bin/true
install ax25 /bin/true
install x25 /bin/true
install ipx /bin/true
install appletalk /bin/true
EOM
/etc/init.d/bluez-utils stop

3. 对于centos5.3( 2.6.18-128.el5 #1 SMP Wed Jan 21 10:41:14 EST 2009 x86_64 x86_64 x86_64 GNU/Linux),我测试过不受影响,运行之后出现:
 [+] Personality set to: PER_SVR4
Pulseaudio does not exist!

Reference:



阅读(1112) | 评论(0) | 转发(0) |
给主人留下些什么吧!~~