Chinaunix首页 | 论坛 | 博客
  • 博客访问: 290061
  • 博文数量: 67
  • 博客积分: 10
  • 博客等级: 民兵
  • 技术积分: 802
  • 用 户 组: 普通用户
  • 注册时间: 2011-03-14 16:23
文章分类
文章存档

2011年(4)

2010年(18)

2009年(32)

2008年(13)

我的朋友

分类: LINUX

2010-01-19 13:53:09

    对于该漏洞的描述,来自于http://blog.cr0.org/。
    本文将转载该漏洞的描述,以及个人对该漏洞的理解。在随后的第二篇和三篇中将分别贴出漏洞产生的原因代码以及漏洞利用代码和总结。
  【警告:本文中列出的代码仅限于学习和研究使用。任何用于非法用途的,请自行承担责任。】

      本文欢迎自由转载,但请标明出处,并保证本文的完整性。
     
作者:Godbach
    Blog:http://Godbach.cublog.cn
     
日期:2010/01/19

CVE-2009-2698: udp_sendmsg() vulnerability

EDIT: p0c73n1 for this to milw0rm as did , and spender wrote "the rebel"

Tavis Ormandy and myself have recently reported CVE-2009-2698 which has been disclosed at the beginning of the week.

This flaw affects at least Linux 2.6 with a version < 2.6.19.
【Godbach注】该漏洞存在于2.6版本中,低于2.6.19. p0c73n1完成了利用该漏洞的代码,spender写了一个比较系统的exp代码。
When we ran into this, we realized the newest kernel versions were not affected by the PoC code we had. The reason for this was that Herbert Xu had . Linux distributions running on 2.6.18 and earlier kernels did not realize the security impact of this fix and did not backport it.
This is a good example on how hard it is to backport relevant fixes to maintained stable versions of the kernel.

If you look at , you will see that the rt routing table is initialized as NULL and some code paths can lead to call with a NULL rt. ip_append_data() obviously doesn't handle this case properly and will cause a NULL pointer dereference.
【Godbach注】udp_sendmsg函数中rt变量被初始化为NULL,而在某些条件下会导致,在调用ip_append_data函数时,传进去的参数rt有可能为NULL。而ip_append_data函数里面有没有对该变量进行合法性检查,因此对导致对NULL指针进行解引用。
Note that this is a data NULL pointer dereference and mapping code at page zero will not lead to immediate privileged code execution for a local attacker. However, controlling the rtable structure seems to give enough control to the attacker to elevate privileges.
【Godbach注】这一段内容是关键。前面已经提到了该漏洞可能导致解引用NULL指针。但是,这里解引用的是个变量,本地恶意用户没法直接在此基础上执行恶意代码,不像我们在《Linux内核NULL pointer引发的BUG》文章中分析的那样,代码是要调用某个函数,而该函数地址为NULL,我们将0地址映射,并添加上我们自己实现的代码。 不过,恶意用户仍然可以通过rtable的结构体间接实现执行恶意代码。
Since it's hard to guarantee that ip_append_data will never be called with a NULL *rtp, we believe that this function should be made more robust .

Here's one way to trigger this vulnerability locally:

$ cat croissant.c
#include
#include
#include

int main(int argc, char **argv)
{
int fd = socket(PF_INET, SOCK_DGRAM, 0);
char buf[1024] = {0};
struct sockaddr to = {
.sa_family = AF_UNSPEC,
.sa_data = "TavisIsAwesome",
};

sendto(fd, buf, 1024, MSG_PROXY | MSG_MORE, &to, sizeof(to));
sendto(fd, buf, 1024, 0, &to, sizeof(to));

return 0;
}
【Godbach注】以上就是触发漏洞的代码。该代码执行的后果就是内核Oops。因此该代码导致了内核中访问NULL指针。

An effective implementation of mmap_min_addr or the UDEREF feature of PaX/GrSecurity would prevent local privilege escalation through this issue.

diff -r b3cbf0ceeb34 net/ipv4/ip_output.c
--- a/net/ipv4/ip_output.c    Mon Aug 24 14:48:29 2009 +0200
+++ b/net/ipv4/ip_output.c    Thu Aug 27 15:20:36 2009 +0200
@@ -814,6 +814,8 @@
             inet->cork.addr = ipc->addr;
         }
         rt = *rtp;
+        if (unlikely(!rt))
+            return -EFAULT;
         /*
          * We steal reference to this route, caller should not release it
          */



阅读(1815) | 评论(0) | 转发(0) |
给主人留下些什么吧!~~