Linux Orinoco驱动远程信息泄漏漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1197655 漏洞类型 设计错误
发布时间 2005-10-12 更新时间 2007-01-09
CVE编号 CVE-2005-3180 CNNVD-ID CNNVD-200510-070
漏洞平台 N/A CVSS评分 5.0
|漏洞来源
https://www.securityfocus.com/bid/15085
https://cxsecurity.com/issue/WLB-2005100035
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200510-070
|漏洞详情
Linuxkernel是开放源码操作系统Linux所使用的内核,而LinuxOrinoco驱动支持各种实现802.11b标准的无线网卡。Linuxkernel的Orinoco驱动中存在远程信息泄漏漏洞。由于驱动在很小的网络报文中发送了未经初始化的kernel内存,远程攻击者可能获得敏感的kernel内存,从而获得敏感信息。
|漏洞EXP
          Linux Orinoco Driver Information Leakage Vulnerability
          ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I. Background
~~~~~~~~~~~~~

http://sourceforge.net/projects/orinoco

The Linux orinoco driver, included in the kernel since 2.4.3 and in David
Hinds' pcmcia-cs package since 3.1.30 supports a large number of wireless NICs
based on the Lucent/Agere Hermes, Symbol Spectrum24 and Intersil/Conexant
Prism 2/2.5/3 chipsets.

II. Description
~~~~~~~~~~~~~~~

Due to padding of Ethernet frames with uninitialized data, it is possible to
remotely obtain parts of memory which may contain sensitive information [1].

Following sample dumps illustrate the problem:

13:21:58.901746 arp reply 192.168.0.179 is-at 00:09:5b:3e:ca:d4
        0x0000:  0001 0800 0604 0002 0009 5b3e cad4 c0a8  ..........[>....
        0x0010:  00b3 0012 f0bb 22ae c0a8 001f 6f73 743a  ......".....ost:
        0x0020:  7e20 2d20 5368 656c 6c20 4e6f 2e20 7353  ~.-.Shell.No..sS
        0x0030:  8071                                     .q

13:21:17.811889 arp reply 192.168.0.179 is-at 00:09:5b:3e:ca:d4
        0x0000:  0001 0800 0604 0002 0009 5b3e cad4 c0a8  ..........[>....
        0x0010:  00b3 0012 f0bb 22ae c0a8 001f 2054 7261  ......"......Tra
        0x0020:  636b 3035 2e6d 7033 2028 343a 3139 1b62  ck05.mp3.(4:19.b
        0x0030:  6dd1                                     m.

Attacker can use arping(8) to send ARP requests to the target running
vulnerable orinoco drivers and observe contents of uninitialized memory in
the ARP replies.

III. Vendor status 
~~~~~~~~~~~~~~~~~~

Developers of linux orinoco drivers where notified and the fix, which has been
incorporated into 2.6.13.4 kernel, was issued.

Patch can be viewed here:
http://www.kernel.org/hg/linux-2.6/?cmd=filediff;node=feecb2ffde28639e60
ede769c6f817dc536c677b;file=drivers/net/wireless/orinoco.c

IV. Disclosure timeline
~~~~~~~~~~~~~~~~~~~~~~~
4/10/2005 - Issue discovered. Vendor notified.
4/10/2005 - Vendor response received along with the patch to remedy the problem.
10/10/2005 - Confirmed that patch was incorporated into 2.6.13.4 kernel.

V. Acknowledgements
~~~~~~~~~~~~~~~~~~~

Thanks to Pavel Roskin for quick response and fix.

VI. References
~~~~~~~~~~~~~~

1. http://www.atstake.com/research/advisories/2003/atstake_etherleak_report
.pdf

-- 
http://o0o.nu/~meder
|受影响的产品
Ubuntu Ubuntu Linux 5.10 powerpc Ubuntu Ubuntu Linux 5.10 i386 Ubuntu Ubuntu Linux 5.10 amd64 Trustix Secure Linux 3.0 Trustix Secure Linux 2.2 Trustix Secure Enterprise
|参考资料

来源:www.kernel.org
链接:http://www.kernel.org/hg/linux-2.6/?cmd=changeset;node=feecb2ffde28639e60ede769c6f817dc536c677b
来源:UBUNTU
名称:USN-219-1
链接:http://www.ubuntulinux.org/support/documentation/usn/usn-219-1
来源:BID
名称:15085
链接:http://www.securityfocus.com/bid/15085
来源:FEDORA
名称:FLSA:157459-2
链接:http://www.securityfocus.com/archive/1/archive/1/428058/100/0/threaded
来源:FEDORA
名称:FLSA:157459-1
链接:http://www.securityfocus.com/archive/1/archive/1/428028/100/0/threaded
来源:FEDORA
名称:FLSA:157459-3
链接:http://www.securityfocus.com/archive/1/archive/1/427980/100/0/threaded
来源:SUSE
名称:SUSE-SA:2005:068
链接:http://www.securityfocus.com/archive/1/archive/1/419522/100/0/threaded
来源:SUSE
名称:SUSE-SA:2005:067
链接:http://www.securityfocus.com/advisories/9806
来源:FEDORA
名称:FEDORA-2005-1007
链接:http://www.securityfocus.com/advisories/9549
来源:REDHAT
名称:RHSA-2006:0191
链接:http://www.redhat.com/support/errata/RHSA-2006-0191.html
来源:REDHAT
名称:RHSA-2006:0190
链接:http://www.redhat.com/support/errata/RHSA-2006-0190.html