udp_sendmsg漏洞(一)--介绍
来源:互联网 发布:ubuntu snmp v3配置 编辑:程序博客网 时间:2024/05/29 02:21
对于该漏洞的描述,来自于http://blog.cr0.org/。
本文将转载该漏洞的描述,以及个人对该漏洞的理解。在随后的第二篇和三篇中将分别贴出漏洞产生的原因代码以及漏洞利用代码和总结。
【警告:本文中列出的代码仅限于学习和研究使用。任何用于非法用途的,请自行承担责任。】
本文欢迎自由转载,但请标明出处,并保证本文的完整性。
作者:Godbach
Blog:http://Godbach.cublog.cn
日期:2010/01/19
CVE-2009-2698: udp_sendmsg() vulnerability
EDIT: p0c73n1 has posted an exploit for this to milw0rm as did andi@void.at, and spender wrote "the rebel"
Tavis Ormandy and myself have recently reported CVE-2009-2698 which has been disclosed at the beginning of the week.
This flaw affects at least Linux 2.6 with a version < 2.6.19.
【Godbach注】该漏洞存在于2.6版本中,低于2.6.19. p0c73n1完成了利用该漏洞的代码,spender写了一个比较系统的exp代码。
When we ran into this, we realized the newest kernel versions were not affected by the PoC code we had. The reason for this was that Herbert Xu had found and corrected a closely related bug. Linux distributions running on 2.6.18 and earlier kernels did not realize the security impact of this fix and did not backport it.
This is a good example on how hard it is to backport relevant fixes to maintained stable versions of the kernel.
If you look at udp_sendmsg, you will see that the rt routing table is initialized as NULL and some code paths can lead to call ip_append_data with a NULL rt. ip_append_data() obviously doesn't handle this case properly and will cause a NULL pointer dereference.
【Godbach注】udp_sendmsg函数中rt变量被初始化为NULL,而在某些条件下会导致,在调用ip_append_data函数时,传进去的参数rt有可能为NULL。而ip_append_data函数里面有没有对该变量进行合法性检查,因此对导致对NULL指针进行解引用。
Note that this is a data NULL pointer dereference and mapping code at page zero will not lead to immediate privileged code execution for a local attacker. However, controlling the rtable structure seems to give enough control to the attacker to elevate privileges.
【Godbach注】这一段内容是关键。前面已经提到了该漏洞可能导致解引用NULL指针。但是,这里解引用的是个变量,本地恶意用户没法直接在此基础上执行恶意代码,不像我们在《Linux内核NULL pointer引发的BUG》文章中分析的那样,代码是要调用某个函数,而该函数地址为NULL,我们将0地址映射,并添加上我们自己实现的代码。 不过,恶意用户仍然可以通过rtable的结构体间接实现执行恶意代码。
Since it's hard to guarantee that ip_append_data will never be called with a NULL *rtp, we believe that this function should be made more robust by using this patch.
Here's one way to trigger this vulnerability locally:
$ cat croissant.c
#include <sys/types.h>
#include <sys/socket.h>
#include <string.h>
int main(int argc, char **argv)
{
int fd = socket(PF_INET, SOCK_DGRAM, 0);
char buf[1024] = {0};
struct sockaddr to = {
.sa_family = AF_UNSPEC,
.sa_data = "TavisIsAwesome",
};
sendto(fd, buf, 1024, MSG_PROXY | MSG_MORE, &to, sizeof(to));
sendto(fd, buf, 1024, 0, &to, sizeof(to));
return 0;
}
【Godbach注】以上就是触发漏洞的代码。该代码执行的后果就是内核Oops。因此该代码导致了内核中访问NULL指针。
An effective implementation of mmap_min_addr or the UDEREF feature of PaX/GrSecurity would prevent local privilege escalation through this issue.
Tavis Ormandy and myself have recently reported CVE-2009-2698 which has been disclosed at the beginning of the week.
This flaw affects at least Linux 2.6 with a version < 2.6.19.
【Godbach注】该漏洞存在于2.6版本中,低于2.6.19. p0c73n1完成了利用该漏洞的代码,spender写了一个比较系统的exp代码。
When we ran into this, we realized the newest kernel versions were not affected by the PoC code we had. The reason for this was that Herbert Xu had found and corrected a closely related bug. Linux distributions running on 2.6.18 and earlier kernels did not realize the security impact of this fix and did not backport it.
This is a good example on how hard it is to backport relevant fixes to maintained stable versions of the kernel.
If you look at udp_sendmsg, you will see that the rt routing table is initialized as NULL and some code paths can lead to call ip_append_data with a NULL rt. ip_append_data() obviously doesn't handle this case properly and will cause a NULL pointer dereference.
【Godbach注】udp_sendmsg函数中rt变量被初始化为NULL,而在某些条件下会导致,在调用ip_append_data函数时,传进去的参数rt有可能为NULL。而ip_append_data函数里面有没有对该变量进行合法性检查,因此对导致对NULL指针进行解引用。
Note that this is a data NULL pointer dereference and mapping code at page zero will not lead to immediate privileged code execution for a local attacker. However, controlling the rtable structure seems to give enough control to the attacker to elevate privileges.
【Godbach注】这一段内容是关键。前面已经提到了该漏洞可能导致解引用NULL指针。但是,这里解引用的是个变量,本地恶意用户没法直接在此基础上执行恶意代码,不像我们在《Linux内核NULL pointer引发的BUG》文章中分析的那样,代码是要调用某个函数,而该函数地址为NULL,我们将0地址映射,并添加上我们自己实现的代码。 不过,恶意用户仍然可以通过rtable的结构体间接实现执行恶意代码。
Since it's hard to guarantee that ip_append_data will never be called with a NULL *rtp, we believe that this function should be made more robust by using this patch.
Here's one way to trigger this vulnerability locally:
$ cat croissant.c
#include <sys/types.h>
#include <sys/socket.h>
#include <string.h>
int main(int argc, char **argv)
{
int fd = socket(PF_INET, SOCK_DGRAM, 0);
char buf[1024] = {0};
struct sockaddr to = {
.sa_family = AF_UNSPEC,
.sa_data = "TavisIsAwesome",
};
sendto(fd, buf, 1024, MSG_PROXY | MSG_MORE, &to, sizeof(to));
sendto(fd, buf, 1024, 0, &to, sizeof(to));
return 0;
}
【Godbach注】以上就是触发漏洞的代码。该代码执行的后果就是内核Oops。因此该代码导致了内核中访问NULL指针。
An effective implementation of mmap_min_addr or the UDEREF feature of PaX/GrSecurity would prevent local privilege escalation through this issue.
diff -r b3cbf0ceeb34 net/ipv4/ip_output.c
--- a/net/ipv4/ip_output.c Mon Aug 24 14:48:29 2009 +0200
+++ b/net/ipv4/ip_output.c Thu Aug 27 15:20:36 2009 +0200
@@ -814,6 +814,8 @@
inet->cork.addr = ipc->addr;
}
rt = *rtp;
+ if (unlikely(!rt))
+ return -EFAULT;
/*
* We steal reference to this route, caller should not release it
*/
- udp_sendmsg漏洞(一)--介绍
- udp_sendmsg漏洞(三)--漏洞利用的源码及分析
- 内核中的UDP socket流程(7)——udp_sendmsg
- udp_sendmsg函数分析
- 缓冲区溢出漏洞(一):认识缓冲区溢出漏洞.
- 软件漏洞分析入门(一)
- windows常见漏洞分析(一)
- php漏洞浅层分析(一)
- bash破壳漏洞分析(一)
- Android 漏洞分析入门 (一)
- CVE漏洞知识库介绍
- FCK漏洞和介绍
- wordpress漏洞介绍
- 缓冲区溢出漏洞入门介绍 hokersome(原作)
- SQL注入漏洞一
- 软件漏洞发觉与防范的学习(一)缓冲区溢出漏洞
- 缓冲区溢出漏洞入门介绍
- 缓冲区溢出漏洞入门介绍
- http chunk编码 C++
- C语言编译全过程
- 读取一行数据(C/C++语言)
- axf、elf、bin
- 图的邻接表存储 深度优先遍历 广度优先遍历 C语言实现
- udp_sendmsg漏洞(一)--介绍
- web测试方法
- 关于Testdirector 8.0 的暴力迁移法
- 二分查找(C/C++语言)
- flashback 技术(待续)
- C#获取windows服务的路径和安装卸载服务实例代码
- Camera 总结
- 解决自定义UITableViewCell在浏览中出现数据行重复的问题
- linq to sql 插入值后,如何取回自增的ID
