Tavis Ormandy and I recently reported CVE-2009-2698, which was disclosed at the beginning of the week.
This flaw affects at least Linux 2.6 with a version < 2.6.19.
[Godbach's note] The vulnerability is present in 2.6 kernels older than 2.6.19. p0c73n1 wrote code that exploits it, and spender wrote a more complete exploit.
When we ran into this, we realized the newest kernel versions were not affected by the PoC code we had. The reason for this was that Herbert Xu had . Linux distributions running on 2.6.18 and earlier kernels did not realize the security impact of this fix and did not backport it.
This is a good example of how hard it is to backport relevant fixes to maintained stable versions of the kernel.
If you look at , you will see that the rt routing table entry is initialized to NULL and that some code paths can lead to calling with a NULL rt. ip_append_data() obviously doesn't handle this case properly and will cause a NULL pointer dereference.
[Godbach's note] In udp_sendmsg the rt variable is initialized to NULL, and under certain conditions the rt argument passed to ip_append_data may still be NULL. ip_append_data does not check the validity of this argument, so it ends up dereferencing a NULL pointer.
Note that this is a data NULL pointer dereference, and mapping code at page zero will not lead to immediate privileged code execution for a local attacker. However, controlling the rtable structure seems to give the attacker enough control to elevate privileges.
[Godbach's note] This paragraph is the key point. As mentioned above, the vulnerability can lead to a NULL pointer dereference. However, what is dereferenced here is a data variable, so a local malicious user cannot directly execute malicious code on that basis. This is unlike the case we analyzed in the article "Linux kernel BUG caused by a NULL pointer", where the code calls a function whose address is NULL: there, we map address 0 and place our own code at it. Still, a malicious user can indirectly achieve malicious code execution through the rtable structure.
Since it's hard to guarantee that ip_append_data will never be called with a NULL *rtp, we believe that this function should be made more robust.
Here's one way to trigger this vulnerability locally:
$ cat croissant.c
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>

int main(int argc, char **argv)
{
    int fd = socket(PF_INET, SOCK_DGRAM, 0);
    char buf[1024] = {0};

    /* AF_UNSPEC destination: the conditions described above under which
     * udp_sendmsg() hands ip_append_data() a NULL rt */
    struct sockaddr to = {
        .sa_family = AF_UNSPEC,
        .sa_data = "TavisIsAwesome",
    };

    /* two sends: the first with MSG_MORE, the second without */
    sendto(fd, buf, 1024, MSG_PROXY | MSG_MORE, &to, sizeof(to));
    sendto(fd, buf, 1024, 0, &to, sizeof(to));
    return 0;
}
[Godbach's note] The code above triggers the vulnerability. Running it results in a kernel Oops, showing that it caused the kernel to access a NULL pointer.
An effective implementation of mmap_min_addr or the UDEREF feature of PaX/GrSecurity would prevent local privilege escalation through this issue.
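As an added example (not part of the original post or the Linux kernel), the following POSIX shell script checks a host for the two conditions this post ties together: a 2.6 kernel older than 2.6.19, and a vm.mmap_min_addr of 0 that lets an unprivileged process map page zero. The 2.6.19 threshold and the /proc/sys/vm/mmap_min_addr path are the ones discussed here; the helper names are mine, and the script does not check for PaX/UDEREF.

```shell
#!/bin/sh
# Added example, not from the original post. Reports whether the running
# kernel is in the affected 2.6 range and whether mmap_min_addr prevents
# mapping page zero. Helper names (kernel_vulnerable, page_zero_protected,
# check_host) are assumptions made for this example.

# kernel_vulnerable VERSION -> exit 0 if VERSION is a 2.6 kernel older than 2.6.19
kernel_vulnerable() {
    # drop distribution suffixes such as "-128.el5" before splitting on dots
    ver=$(printf '%s' "$1" | sed 's/[^0-9.].*//')
    major=$(printf '%s' "$ver" | cut -d. -f1)
    minor=$(printf '%s' "$ver" | cut -d. -f2)
    patch=$(printf '%s' "$ver" | cut -d. -f3)
    major=${major:-0}; minor=${minor:-0}; patch=${patch:-0}
    [ "$major" -eq 2 ] && [ "$minor" -eq 6 ] && [ "$patch" -lt 19 ]
}

# page_zero_protected VALUE -> exit 0 if a mmap_min_addr of VALUE forbids
# mapping the first page of the address space
page_zero_protected() {
    [ "${1:-0}" -gt 0 ]
}

# check_host -> print a verdict for the host the script runs on
check_host() {
    kver=$(uname -r)
    # a missing sysctl file (very old kernels) is treated as "no protection"
    minaddr=$(cat /proc/sys/vm/mmap_min_addr 2>/dev/null || echo 0)

    if kernel_vulnerable "$kver"; then
        printf 'kernel %s: older than 2.6.19, udp_sendmsg NULL rt bug may be present\n' "$kver"
    else
        printf 'kernel %s: not in the affected 2.6 range\n' "$kver"
    fi

    if page_zero_protected "$minaddr"; then
        printf 'vm.mmap_min_addr=%s: page zero cannot be mapped by unprivileged users\n' "$minaddr"
    else
        printf 'vm.mmap_min_addr=%s: page zero mappable; set vm.mmap_min_addr (e.g. 65536)\n' "$minaddr"
    fi
}

check_host
```

Run it as an unprivileged user on the host in question; the kernel check only tells you the version is in the range the post names, so a backported fix in a vendor kernel will still show as "may be present" and has to be confirmed against the vendor's changelog.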