udev Netlink message validation local privilege escalation vulnerability; personally I think this is a fairly serious vulnerability so far

#1, posted 2009-04-24 09:53

Release date: 2009-04-15
Update date: 2009-04-21

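Affected systems:

    udev udev 124

Description:
BUGTRAQ ID: 34536
CVE(CAN) ID: CVE-2009-1185

udev is the device manager for the Linux kernel series; its main function is to manage the device nodes under the /dev directory.

udev does not properly check the origin of Netlink messages. A local attacker can exploit this vulnerability by sending udev a specially crafted Netlink message from a user-space process rather than from the kernel, causing it to create a fully writable block device file for an existing system block device (such as the root filesystem) and so obtain root privileges.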

<*Source: Sebastian Krahmer (krahmer@suse.de)

  Links: https://bugzilla.redhat.com/show ... tiple&id=495051
         https://www.redhat.com/support/errata/RHSA-2009-0427.html
         http://www.debian.org/security/2009/dsa-1772
*>

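Test method:

Warning

The following program (method) may be offensive in nature and is provided for security research and teaching only. Use at your own risk!
http://www.milw0rm.com/exploits/8478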

Recommendation:
Vendor patches:

Debian
------
Debian has released a security advisory (DSA-1772-1) and corresponding patches for this issue:
DSA-1772-1: New udev packages fix privilege escalation
Link: http://www.debian.org/security/2009/dsa-1772

Patch downloads:

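Patch installation:

1. Installing the patch packages manually:

  First, download the patch package with the following command:
  # wget url  (url is the patch download link)

  Then install the patch with the following command:
  # dpkg -i file.deb (file is the name of the corresponding patch package)

2. Installing the patch packages automatically with apt-get:

   First, update the internal database with the following command:
   # apt-get update

   Then install the updated packages with the following command:
   # apt-get upgrade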

RedHat
------
RedHat has released a security advisory (RHSA-2009:0427-01) and corresponding patches for this issue:
RHSA-2009:0427-01: Important: udev security update
Link: https://www.redhat.com/support/errata/RHSA-2009-0427.html

udev
----
The vendor has released upgrade patches that fix this security issue; please download them from the vendor's site:

http://git.kernel.org/?p=linux/hotplug/udev.git;a=commitdiff;h=e86a923d508c2aed371cdd958ce82489cf2ab615
http://git.kernel.org/?p=linux/hotplug/udev.git;a=commitdiff;h=e2b362d9f23d4c63018709ab5f81a02f72b91e75
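
The origin check whose absence is described above, seen from the receiving side, as an added example (not part of the original post and not udev's own patch code): a uevent listener that has enabled SO_PASSCRED accepts a datagram only when the sender's netlink address is port id 0 (the kernel) and the attached credentials show uid 0. The names `uevent_from_kernel`, `check_sample` and `sender_cred`, and the sample port id and uid values, are assumptions made for this illustration.

```c
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <linux/netlink.h>
#ifndef SCM_CREDENTIALS            /* hidden by glibc without _GNU_SOURCE */
#define SCM_CREDENTIALS 0x02
#endif
struct sender_cred { int pid; unsigned int uid, gid; }; /* layout of struct ucred */

/* Return 1 only if a recvmsg() result on a uevent socket came from the kernel. */
int uevent_from_kernel(struct msghdr *msg)
{
    const struct sockaddr_nl *snl = msg->msg_name;
    struct cmsghdr *cm = CMSG_FIRSTHDR(msg);
    struct sender_cred cred;
    /* Sender address: the kernel is always netlink port id 0. */
    if (!snl || msg->msg_namelen < sizeof(*snl) ||
        snl->nl_family != AF_NETLINK || snl->nl_pid != 0)
        return 0;
    /* Sender credentials: present, not truncated, and uid 0. */
    if ((msg->msg_flags & MSG_CTRUNC) || !cm ||
        cm->cmsg_level != SOL_SOCKET || cm->cmsg_type != SCM_CREDENTIALS ||
        cm->cmsg_len < CMSG_LEN(sizeof(cred)))
        return 0;
    memcpy(&cred, CMSG_DATA(cm), sizeof(cred));
    return cred.uid == 0;
}

/* Constructed sample: a msghdr filled as recvmsg() would for this sender. */
int check_sample(unsigned int port, unsigned int uid, int has_cred)
{
    struct sockaddr_nl snl = { .nl_family = AF_NETLINK, .nl_pid = port };
    struct sender_cred cred = { (int)port, uid, uid };
    union { struct cmsghdr align; char buf[CMSG_SPACE(sizeof(cred))]; } ctl;
    struct msghdr msg = { .msg_name = &snl, .msg_namelen = sizeof(snl) };
    if (has_cred) {                /* has_cred = 0: no credentials attached */
        msg.msg_control = ctl.buf; msg.msg_controllen = sizeof(ctl.buf);
        struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
        cm->cmsg_level = SOL_SOCKET; cm->cmsg_type = SCM_CREDENTIALS;
        cm->cmsg_len = CMSG_LEN(sizeof(cred));
        memcpy(CMSG_DATA(cm), &cred, sizeof(cred));
    }
    return uevent_from_kernel(&msg);
}

int main(void)
{
    printf("kernel: %d, local user: %d\n", check_sample(0, 0, 1), check_sample(4242, 1000, 1));
}
```

A message that fails either test is dropped before any rule processing, so a datagram from a local process never reaches the code that creates device nodes.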

#2, posted 2009-04-24 22:22
Thanks! This information came just in time. ubuntu cn may well have been brought down by this.

#3, posted 2009-04-24 23:06
What a headache. A Linux vulnerability, and the consequences are serious.

#4, posted 2009-04-27 16:01
http://www.517sou.net/blogview.asp?logID=1596

How the vulnerability works, a demonstration of the attack code, and preventive measures (the specific steps for applying the AS5 patch update)

#5, posted 2009-05-01 23:25
Debian is said to be the hardest hit.
Fortunately, my Debian box has no gcc or similar tools on it.