- 论坛徽章:
- 36
|
对于该漏洞的描述,来自于http://blog.cr0.org/。
本文将转载该漏洞的描述,以及个人对该漏洞的理解。在随后的第二篇和三篇中将分别贴出漏洞产生的原因代码以及漏洞利用代码和总结。
【警告:本文中列出的代码仅限于学习和研究使用。任何用于非法用途的,请自行承担责任。】
本文欢迎自由转载,但请标明出处,并保证本文的完整性。
作者:Godbach
Blog:
http://Godbach.cublog.cn
日期:2010/01/19
CVE-2009-2698: udp_sendmsg() vulnerability
EDIT: p0c73n1
has posted an exploit
for this to milw0rm as did
andi@void.at
, and spender wrote
"the rebel"
Tavis Ormandy and myself have recently reported CVE-2009-2698 which has been disclosed at the beginning of the week.
This flaw affects at least Linux 2.6 with a version 【Godbach注】该漏洞存在于2.6版本中,低于2.6.19. p0c73n1完成了利用该漏洞的代码,spender写了一个比较系统的exp代码。
When
we ran into this, we realized the newest kernel versions were not
affected by the PoC code we had. The reason for this was that Herbert
Xu had
found and corrected a closely related bug
.
Linux distributions running on 2.6.18 and earlier kernels did not
realize the security impact of this fix and did not backport it.
This is a good example on how hard it is to backport relevant fixes to maintained stable versions of the kernel.
If you look at
udp_sendmsg
, you will see that the rt routing table is initialized as NULL and some code paths can lead to call
ip_append_data
with a NULL rt. ip_append_data() obviously doesn't handle this case properly and will cause a NULL pointer dereference.
【Godbach注】udp_sendmsg函数中rt变量被初始化为NULL,而在某些条件下会导致,在调用ip_append_data函数时,传进去的参数rt有可能为NULL。而ip_append_data函数里面有没有对该变量进行合法性检查,因此对导致对NULL指针进行解引用。
Note
that this is a data NULL pointer dereference and mapping code at page
zero will not lead to immediate privileged code execution for a local
attacker. However, controlling the rtable structure seems to give
enough control to the attacker to elevate privileges.
【Godbach注】这一段内容是关键。前面已经提到了该漏洞可能导致解引用NULL指针。但是,这里解引用的是个变量,本地恶意用户没法直接在此基础上执行恶意代码,不像我们在《Linux内核NULL pointer引发的BUG》文章中分析的那样,代码是要调用某个函数,而该函数地址为NULL,我们将0地址映射,并添加上我们自己实现的代码。 不过,恶意用户仍然可以通过rtable的结构体间接实现执行恶意代码。
Since it's
hard to guarantee that ip_append_data will never be called with a NULL
*rtp, we believe that this function should be made more robust
by using this patch
.
Here's one way to trigger this vulnerability locally:
$ cat croissant.c
#include
#include
#include
int main(int argc, char **argv)
{
int fd = socket(PF_INET, SOCK_DGRAM, 0);
char buf[1024] = {0};
struct sockaddr to = {
.sa_family = AF_UNSPEC,
.sa_data = "TavisIsAwesome",
};
sendto(fd, buf, 1024, MSG_PROXY | MSG_MORE, &to, sizeof(to));
sendto(fd, buf, 1024, 0, &to, sizeof(to));
return 0;
}
【Godbach注】以上就是触发漏洞的代码。该代码执行的后果就是内核Oops。因此该代码导致了内核中访问NULL指针。
An
effective implementation of mmap_min_addr or the UDEREF feature of
PaX/GrSecurity would prevent local privilege escalation through this
issue.
Posted by
Julien Tinnes
at
4:43 AM
4
comments
Labels:
Linux
,
Security
,
vulnerability
补丁
上文中已经给出了该漏洞的补丁连接。由于补丁的内容相对简单,在ip_append_data函数中添加对rt指针的合法性检查即可。这里列出其内容:
diff -r b3cbf0ceeb34 net/ipv4/ip_output.c
--- a/net/ipv4/ip_output.c Mon Aug 24 14:48:29 2009 +0200
+++ b/net/ipv4/ip_output.c Thu Aug 27 15:20:36 2009 +0200
@@ -814,6 +814,8 @@
inet->cork.addr = ipc->addr;
}
rt = *rtp;
+ if (unlikely(!rt))
+ return -EFAULT;
/*
* We steal reference to this route, caller should not release it
*/
本文来自ChinaUnix博客,如果查看原文请点:http://blog.chinaunix.net/u/33048/showart_2153041.html |
|
免费注册
发表于 2010-01-19 13:53
发表于 2011-08-17 15:46