Microsoft Windows TCP/IP Implementation IppSortDestinationAddresses() Integer Overflow Vulnerability

Affected systems:

Microsoft Windows Vista SP1
Microsoft Windows Server 2008 R2
Microsoft Windows Server 2008
Microsoft Windows 7

Description:


BUGTRAQ ID: 42254
CVE ID: CVE-2010-1893

Microsoft Windows is a very widely deployed operating system published by Microsoft.

The IppSortDestinationAddresses() function of the Windows TCP/IP implementation contains an integer overflow when it processes a SOCKET_ADDRESS_LIST structure. A local user can corrupt kernel memory by calling WSAIoctl with the SIO_ADDRESS_LIST_SORT IOCTL and a crafted address list, and thereby execute arbitrary code with SYSTEM privileges.

The beginning of IppSortDestinationAddresses() corresponds to the following pseudocode:

// The size is computed in 32-bit arithmetic: a large NumberOfDestinationAddresses wraps
// the product, so the pool block is far smaller than the list it has to hold.
// (Pool type and tag arguments are elided, as in the original pseudocode.)
DestinationAddresses = ExAllocatePoolWithTag(NumberOfDestinationAddresses * sizeof(SOCKADDR_IN6));
// sizeof(SOCKADDR_IN6) = 0x1C
NtStatus = IppFlattenAddressList(SocketAddressList, DestinationAddresses);

if (!NT_SUCCESS(NtStatus)) ExFreePoolWithTag(DestinationAddresses);

The integer overflow in IppSortDestinationAddresses() results in a kernel pool overflow inside IppFlattenAddressList(). The following pseudocode contains only the most important parts of that function:

NTSTATUS
IppFlattenAddressList(IN PSOCKET_ADDRESS_LIST SocketAddressList,
                      OUT PSOCKADDR_IN6 FlattenAddressList)
{
    PSOCKADDR_IN6 Address;
    ULONG Index;
    // […]

    // iAddressCount is caller-controlled, and FlattenAddressList was sized from the
    // wrapped product, so nothing here bounds the copy to the allocation.
    for (Index = 0; Index < SocketAddressList->iAddressCount; Index += 1) {
        if (SocketAddressList->Address[Index].iSockaddrLength != sizeof(SOCKADDR_IN6))
            return STATUS_INVALID_PARAMETER;

        Address = SocketAddressList->Address[Index].lpSockaddr;

        // Of course, there is a ProbeForRead + __try if the function is called from userland.
        FlattenAddressList[Index] = *Address; // <-- The pool overflow occurs here.

        //
        // The following part is important if you want to proceed with the overflow:
        // the entry is validated only after it has already been copied.
        //
        if (FlattenAddressList[Index].sin6_family != AF_INET6)
            return STATUS_INVALID_PARAMETER;
    }
    // […]
}

Because SocketAddressList->iAddressCount can be set far higher than the allocation can hold, the loop keeps copying entries into the kernel pool block until it reaches an entry whose sin6_family is not AF_INET6 or whose iSockaddrLength is not sizeof(SOCKADDR_IN6). In both cases IppFlattenAddressList() returns STATUS_INVALID_PARAMETER, which forces the caller to free the pool block; note that an entry with the wrong sin6_family is still copied before the check rejects it.

sin6_family is the first field of the SOCKADDR_IN6 structure, so when the copy overruns into the next pool block that field overwrites the PreviousSize field of the block's POOL_HEADER, which is read back when the block is unlinked from its list. This makes the vulnerability harder to exploit.
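As an added example (not code from the original advisory, from Matthieu Suiche, or from Windows), the following user-mode C program models the two steps described above: the 32-bit size computation in IppSortDestinationAddresses() next to an overflow-checked version, and the copy-then-check loop of IppFlattenAddressList() run over a constructed address list. All structure layouts, the *_model types and the helper functions are assumptions made for this illustration; the allocation size is handed to the loop model separately so the example does not need 153 million real entries.

```c
/* Added example: user-mode model of the MS10-058 integer overflow and the
 * pool overflow it enables. Names and layouts are assumptions for illustration. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define AF_INET6_VALUE    23u    /* AF_INET6 on Windows */
#define SOCKADDR_IN6_SIZE 0x1Cu  /* sizeof(SOCKADDR_IN6), as stated in the advisory */

/* Step 1, vulnerable: the count is multiplied by 0x1C in 32-bit arithmetic and wraps. */
static uint32_t vuln_alloc_size(uint32_t address_count)
{
    return address_count * SOCKADDR_IN6_SIZE;   /* wraps modulo 2^32 */
}

/* Step 1, hardened: refuse any count whose byte size is not representable
 * (the same check RtlULongMult() from ntintsafe.h performs). Returns 0 on overflow. */
static int safe_alloc_size(uint32_t address_count, uint32_t *bytes)
{
    if (address_count > UINT32_MAX / SOCKADDR_IN6_SIZE)
        return 0;
    *bytes = address_count * SOCKADDR_IN6_SIZE;
    return 1;
}

/* Smallest count whose 32-bit product wraps: 0xFFFFFFFF / 0x1C + 1 = 0x924924A,
 * for which the product is 24 bytes, less than a single SOCKADDR_IN6. */
static uint32_t smallest_wrapping_count(void)
{
    return UINT32_MAX / SOCKADDR_IN6_SIZE + 1;
}

/* Step 2: simplified models of SOCKADDR_IN6 / SOCKET_ADDRESS / SOCKET_ADDRESS_LIST. */
typedef struct {
    uint16_t sin6_family;
    uint16_t sin6_port;
    uint32_t sin6_flowinfo;
    uint8_t  sin6_addr[16];
    uint32_t sin6_scope_id;
} sockaddr_in6_model;                          /* 28 bytes == 0x1C */

typedef struct {
    int32_t             iSockaddrLength;
    sockaddr_in6_model *lpSockaddr;
} socket_address_model;

#define MAX_MODEL_ENTRIES 8
typedef struct {
    int32_t              iAddressCount;
    socket_address_model Address[MAX_MODEL_ENTRIES];
} socket_address_list_model;

/* Mirrors the IppFlattenAddressList() loop: copy an entry, then validate it.
 * Returns 0 on success, -1 for STATUS_INVALID_PARAMETER. *entries_copied counts
 * every entry written, including the invalid one that ends the loop. The
 * MAX_MODEL_ENTRIES bound exists only so the model never reads past its array. */
static int model_flatten(const socket_address_list_model *list,
                         sockaddr_in6_model *dest, uint32_t *entries_copied)
{
    *entries_copied = 0;
    for (int32_t i = 0; i < list->iAddressCount && i < MAX_MODEL_ENTRIES; i++) {
        if (list->Address[i].iSockaddrLength != (int32_t)sizeof(sockaddr_in6_model))
            return -1;
        dest[i] = *list->Address[i].lpSockaddr;     /* copy first ...          */
        (*entries_copied)++;
        if (dest[i].sin6_family != AF_INET6_VALUE)  /* ... validate afterwards */
            return -1;
    }
    return 0;
}

/* How many bytes the loop writes beyond a pool block of alloc_bytes. The model
 * writes into a large local array and only accounts against alloc_bytes. */
static uint32_t bytes_past_allocation(const socket_address_list_model *list,
                                      uint32_t alloc_bytes)
{
    sockaddr_in6_model dest[MAX_MODEL_ENTRIES];
    uint32_t copied = 0;
    (void)model_flatten(list, dest, &copied);
    uint32_t written = copied * SOCKADDR_IN6_SIZE;
    return written > alloc_bytes ? written - alloc_bytes : 0;
}

/* Constructed sample list: two valid IPv6 entries, then one with the wrong
 * family (AF_INET), which is what stops the loop in the kernel. */
static socket_address_list_model make_sample_list(sockaddr_in6_model *storage /* [3] */)
{
    socket_address_list_model list;
    memset(&list, 0, sizeof list);
    memset(storage, 0, 3 * sizeof *storage);
    storage[0].sin6_family = AF_INET6_VALUE;
    storage[1].sin6_family = AF_INET6_VALUE;
    storage[2].sin6_family = 2;
    list.iAddressCount = 3;
    for (int i = 0; i < 3; i++) {
        list.Address[i].iSockaddrLength = (int32_t)sizeof(sockaddr_in6_model);
        list.Address[i].lpSockaddr = &storage[i];
    }
    return list;
}

int main(void)
{
    uint32_t count = smallest_wrapping_count(), safe_bytes = 0;
    uint32_t wrapped = vuln_alloc_size(count);
    printf("count=0x%lX wrapped size=%lu bytes, checked multiply accepts it: %d\n",
           (unsigned long)count, (unsigned long)wrapped, safe_alloc_size(count, &safe_bytes));
    sockaddr_in6_model storage[3];
    socket_address_list_model list = make_sample_list(storage);
    printf("bytes written past the %lu-byte pool block: %lu\n",
           (unsigned long)wrapped, (unsigned long)bytes_past_allocation(&list, wrapped));
    return 0;
}
```

With the smallest wrapping count the block is only 24 bytes, and the three-entry list already writes 84 bytes, 60 of them past the allocation; the third, invalid entry is still copied before STATUS_INVALID_PARAMETER is returned, which is the copy-then-check ordering the advisory points out. The checked multiply rejects the count outright, which is the fix a practitioner should apply to any caller-supplied count times element size.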

<*Source: Matthieu Suiche
  
  Links: http://secunia.com/advisories/40904/
         http://moonsols.com/blog/14-august-security-bulletin
         http://www.microsoft.com/technet/security/bulletin/MS10-058.mspx?pf=true
         http://www.us-cert.gov/cas/techalerts/TA10-222A.html
*>

Recommendation:


Vendor patch:

Microsoft
———
Microsoft has released a security bulletin (MS10-058) and the corresponding patch for this issue:
MS10-058:Vulnerabilities in TCP/IP Could Allow Elevation of Privilege (978886)
Link: http://www.microsoft.com/technet/security/bulletin/MS10-058.mspx?pf=true
