CVE-2004-2536
CVSS 7.5
Published: 2004-12-31 00:00:00
Revised: 2008-09-05 16:44:24
NMCO    

[Original text] The exit_thread function (process.c) in Linux kernel 2.6 through 2.6.5 does not invalidate the per-TSS io_bitmap pointers if a process obtains IO access permissions from the ioperm function but does not drop those permissions when it exits, which allows other processes to access the per-TSS pointers, access restricted memory locations, and possibly gain privileges.


[CNNVD] Linux Kernel Local IO Access Permission Inheritance Vulnerability (CNNVD-200412-509)

        Linux is an open-source operating system.
        The Linux kernel has an IO access inheritance vulnerability. A local attacker can exploit it to hang the system, causing a denial of service; privilege escalation may also be possible.
        Once any process obtains IO access permissions via ioperm(), those IO permissions are "inherited" by every other process on the system. It appears that exit_thread() only invalidates the per-thread io_bitmap pointer and does not properly invalidate the per-TSS io_bitmap pointer, so the per-TSS pointer remains valid for other processes; abusing this pointer can deadlock a program, causing a denial of service. Privilege escalation is possible.

- CVSS (Base Score)

CVSS score: 7.5 [Severe (HIGH)]
Confidentiality impact: PARTIAL [likely to cause information disclosure]
Integrity impact: PARTIAL [may lead to modification of system files]
Availability impact: PARTIAL [may lead to performance degradation or interruption of resource access]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [no authentication required for exploitation]

- CPE (Affected platforms and products)

cpe:/o:linux:linux_kernel:2.6.3       Linux Kernel 2.6.3
cpe:/o:linux:linux_kernel:2.6.1       Linux Kernel 2.6.1
cpe:/o:linux:linux_kernel:2.6.1:rc1   Linux Kernel 2.6.1 Release Candidate 1
cpe:/o:linux:linux_kernel:2.6.1:rc2   Linux Kernel 2.6.1 Release Candidate 2
cpe:/o:linux:linux_kernel:2.6.5       Linux Kernel 2.6.5
cpe:/o:linux:linux_kernel:2.6.2       Linux Kernel 2.6.2
cpe:/o:linux:linux_kernel:2.6.0       Linux Kernel 2.6.0
cpe:/o:linux:linux_kernel:2.6.4       Linux Kernel 2.6.4

- OVAL (Technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2536
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-2536
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200412-509
(Official data source) CNNVD

- Other links and resources

http://www.ussg.iu.edu/hypermail/linux/kernel/0405.0/1242.html
(PATCH)  MLIST  20040507 Bug in IO bitmap handling? Probably exploitable (2.6.5)
http://xforce.iss.net/xforce/xfdb/16106
(UNKNOWN)  XF  linux-exitthread-gain-privileges(16106)
http://www.ussg.iu.edu/hypermail/linux/kernel/0405.0/1265.html
(UNKNOWN)  MLIST  20040507 Re: Bug in IO bitmap handling? Probably exploitable (2.6.5)
http://www.securityfocus.com/bid/10302
(UNKNOWN)  BID  10302
http://www.osvdb.org/5997
(UNKNOWN)  OSVDB  5997
http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.6
(UNKNOWN)  CONFIRM  http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.6
http://secunia.com/advisories/11577
(VENDOR_ADVISORY)  SECUNIA  11577

- Vulnerability information

Linux Kernel Local IO Access Permission Inheritance Vulnerability
High risk   Access validation error
2004-12-31 00:00:00 2006-01-24 00:00:00
Local

- Advisories and patches

        Workaround:
        If you cannot install a patch or upgrade immediately, CNNVD recommends the following measures to reduce the threat:
        * Stas Sergeev provides the following third-party patch:
        --- linux/arch/i386/kernel/process.c 2004-04-14 09:41:14.000000000 +0400
        +++ linux/arch/i386/kernel/process.c 2004-05-07 14:54:13.000000000 +0400
        @@ -293,8 +293,11 @@
        /* The process may have allocated an io port bitmap... nuke it. */
        if (unlikely(NULL != tsk->thread.io_bitmap_ptr)) {
        + int cpu = smp_processor_id();
        + struct tss_struct *tss = init_tss + cpu;
        kfree(tsk->thread.io_bitmap_ptr);
        tsk->thread.io_bitmap_ptr = NULL;
        + tss->io_bitmap_base = INVALID_IO_BITMAP_OFFSET;
        }
        }
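Review bot: the new reset of `tss->io_bitmap_base` only covers the TSS of the CPU returned by `smp_processor_id()` at exit time; if any other CPU's TSS can still carry an `io_bitmap_base` set for this task (that depends on the context-switch path, which is not shown here), it stays stale after `kfree(tsk->thread.io_bitmap_ptr)`. On a preemptible kernel there is also nothing pinning the task between `int cpu = smp_processor_id();` and the store to `tss->io_bitmap_base`, so a migration in that window resets the wrong CPU's TSS. Consider bracketing the lookup and the store with `get_cpu()`/`put_cpu()`, and add a comment stating the invariant relied on (why the current CPU's TSS is the only one that can still reference the freed bitmap).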
        Vendor patch:
        Linux
        -----
        The vendor has not yet released a patch or upgrade; we recommend that users of this software monitor the vendor's home page for the latest version:
        
        http://www.kernel.org/

- Vulnerability information

5997
Linux Kernel IO Bitmap Access Permissions Inheritance
Local Access Required; Input Manipulation
Loss of Integrity
Exploit Public; Vendor Verified

- Vulnerability description

Linux kernel contains a flaw that may allow a malicious user to gain access to unauthorized privileges. The exit_thread function fails to invalidate per-TSS io_bitmap pointers before certain processes exit, which could result in other processes inheriting the IO access permissions, thus allowing a malicious user to possibly gain root privileges, resulting in a loss of integrity.

- Timeline

2004-05-07 Unknown
2004-05-07 Unknown

- Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, Stas Sergeev has released an unofficial patch to address this vulnerability.

- References

- Vulnerability author


About the SCAP Chinese Community

The SCAP Chinese Community is the first Chinese-language open community in China devoted to SCAP. For more information, see [About this site].

Copyright notice

CVE/CWE/OVAL are registered trademarks of the MITRE Corporation; their official data sources are maintained on MITRE's corresponding websites.