Chinaunix首页 | 论坛 | 博客
  • 博客访问: 117001
  • 博文数量: 24
  • 博客积分: 416
  • 博客等级: 下士
  • 技术积分: 238
  • 用 户 组: 普通用户
  • 注册时间: 2011-07-07 19:16



2011-08-17 15:41:35



CVE-2009-2698: udp_sendmsg() vulnerability
EDIT: p0c73n1  for this to milw0rm as did , and spender wrote "the rebel"

Tavis Ormandy and myself have recently reported CVE-2009-2698 which has been disclosed at the beginning of the week.

This flaw affects at least Linux 2.6 with a version < 2.6.19.
【Godbach注】该漏洞存在于2.6版本中,低于2.6.19. p0c73n1完成了利用该漏洞的代码,spender写了一个比较系统的exp代码。
When we ran into this, we realized the newest kernel versions were not affected by the PoC code we had. The reason for this was that Herbert Xu had found and corrected a closely related bug. Linux distributions running on 2.6.18 and earlier kernels did not realize the security impact of this fix and did not backport it.
This is a good example on how hard it is to backport relevant fixes to maintained stable versions of the kernel.

If you look at udp_sendmsg, you will see that the rt routing table is initialized as NULL and some code paths can lead to call ip_append_data with a NULL rt. ip_append_data() obviously doesn't handle this case properly and will cause a NULL pointer dereference.
Note that this is a data NULL pointer dereference and mapping code at page zero will not lead to immediate privileged code execution for a local attacker. However, controlling the rtable structure seems to give enough control to the attacker to elevate privileges.
【Godbach注】这一段内容是关键。前面已经提到了该漏洞可能导致解引用NULL指针。但是,这里解引用的是个变量,本地恶意用户没法直接在此基础上执行恶意代码,不像我们在《Linux内核NULL pointer引发的BUG》文章中分析的那样,代码是要调用某个函数,而该函数地址为NULL,我们将0地址映射,并添加上我们自己实现的代码。 不过,恶意用户仍然可以通过rtable的结构体间接实现执行恶意代码。
Since it's hard to guarantee that ip_append_data will never be called with a NULL *rtp, we believe that this function should be made more robust by using this patch.

Here's one way to trigger this vulnerability locally:

$ cat croissant.c

int main(int argc, char **argv)
int fd = socket(PF_INET, SOCK_DGRAM, 0);
char buf[1024] = {0};
struct sockaddr to = {
.sa_family = AF_UNSPEC,
.sa_data = "TavisIsAwesome",

sendto(fd, buf, 1024, MSG_PROXY | MSG_MORE, &to, sizeof(to));
sendto(fd, buf, 1024, 0, &to, sizeof(to));

return 0;

An effective implementation of mmap_min_addr or the UDEREF feature of PaX/GrSecurity would prevent local privilege escalation through this issue.

diff -r b3cbf0ceeb34 net/ipv4/ip_output.c
--- a/net/ipv4/ip_output.c    Mon Aug 24 14:48:29 2009 +0200
+++ b/net/ipv4/ip_output.c    Thu Aug 27 15:20:36 2009 +0200
@@ -814,+814,8 @@ 
             inet->cork.addr = ipc->addr;
         rt = *rtp;
+        if (unlikely(!rt))
+            return -EFAULT;
          * We steal reference to this route, caller should not release it

阅读(1517) | 评论(0) | 转发(0) |


下一篇:struct socket详解