• 当前位置:首页>>编程开发A>>安全防御>>Linux kernel pktcdvd ioctl break user space limit vulnerability
  • Linux kernel pktcdvd ioctl break user space limit vulnerability
  • 创建时间:2005-05-17 更新时间:2005-05-18
    文章属性:原创
    文章提交:alert7 (alert7_at_xfocus.org)

    Synopsis:  Linux kernel pktcdvd ioctl break user space limit vulnerability
    Product:   Linux kernel
    Version:   2.6 up to and including 2.6.12-rc4
    Vendor:    http://www.kernel.org/
    URL:      
    CVE:       CAN-2005-1589
    Severity:  local(7)
    Date:      May 16, 2005


    Issue:
    ======

    One locally exploitable flaw have been found in the Linux pktcdvd block
    device ioctl handler that allows local users to gain root privileges and
    also execute arbitrary code at kernel privilege level.


    Details:
    ========

    The Linux kernel contains pktcdvd block device components.
    Due to the missing check Pktcdvd and rawdevice ioctl handler parameter,
    the process can break user space limit and  execute arbitrary code at
    kernel privilege level.


    Discussion:
    =============

    The vulnerable  code  resides  in  drivers/block/pktcdvd.c  in  your  
    preferable version of the Linux kernel source code tree:

    static int pkt_ioctl(struct inode *inode, struct file *file, unsigned
                        int cmd, unsigned long arg)
    {
        struct pktcdvd_device *pd = inode->i_bdev->bd_disk->private_data;

        VPRINTK("pkt_ioctl: cmd %x, dev %d:%d\n", cmd, imajor(inode),
                                iminor(inode));
        BUG_ON(!pd);

        switch (cmd) {
        /*
         * forward selected CDROM ioctls to CD-ROM, for UDF
         */
        case CDROMMULTISESSION:
        case CDROMREADTOCENTRY:
        case CDROM_LAST_WRITTEN:
        case CDROM_SEND_PACKET:
        case SCSI_IOCTL_SEND_COMMAND:
    [*]        return ioctl_by_bdev(pd->bdev, cmd, arg);

        case CDROMEJECT:
            /*
             * The door gets locked when the device is opened, so we
             * have to unlock it or else the eject command fails.
             */
            pkt_lock_door(pd, 0);
    [*]        return ioctl_by_bdev(pd->bdev, cmd, arg);

        default:

    As can be seen from [*] the arg variable supplied to  the  ioctl_by_bdev()
    function  is not checked and user can input arg > TASK_SIZE value.


    fs/block_dev.c
    int ioctl_by_bdev(struct block_device *bdev, unsigned cmd, unsigned long arg)
    {
        int res;
        mm_segment_t old_fs = get_fs();
    [**]    set_fs(KERNEL_DS);
        res = blkdev_ioctl(bdev->bd_inode, NULL, cmd, arg);
        set_fs(old_fs);
        return res;
    }

    However, for also support kernel space parameters ,ioctl_by_bdev() call [**]
    set_fs(KERNEL_DS) to access parameters in kernel space . So if
    ioctl_by_bdev() parameter arg > TASK_SIZE,the process can break user space
    limit and rewrite kernel space data. Local user can execute arbitrary code
    at kernel privilege level.

    This exploit require user can read the block device.


    CREDIT:
    ========

    alert7 ( wangwei@ssr.cn , alert7@xfocus.org )  discovery this vulnerability
    Special thanks to ssr and xfocus guys:P



    DISCLAIMER:
    ========
    The information in this bulletin is provided "AS IS" without warranty of any
    kind. In no event shall we be liable for any damages whatsoever including direct,
    indirect, incidental, consequential, loss of business profits or special damages.

    ZHONGHANGJIAXIN INFORMATION TECHNOLOGY CO.,LTD (http://www.ssr.cn)
    Copyright 2003-2005 ZHONGHANGJIAXIN. All Rights Reserved. Terms of use.

    Security
    Trusted {Solution} Provider
    Service


    Appendix:
    =========

    /*  pktcdvd_dos.c proof-of-concept
    *  This is only a lame POC which will crash the machine, no root shell here.
    *                      --- alert7
    *                2005-5-15
    *  the vulnerability in 2.6 up to and including 2.6.12-rc4
    *
    *  gcc -o pktcdvd_dos pktcdvd_dos.c
    *
    *  NOTE: require user can read pktcdvd block device

    *    THIS PROGRAM IS FOR EDUCATIONAL PURPOSES *ONLY* IT IS PROVIDED "AS IS"
    *    AND WITHOUT ANY WARRANTY. COPYING, PRINTING, DISTRIBUTION, MODIFICATION
    *    WITHOUT PERMISSION OF THE AUTHOR IS STRICTLY PROHIBITED.
    */

    #define _GNU_SOURCE
    #include <stdio.h>
    #include <stdlib.h>
    #include <errno.h>
    #include <string.h>
    #include <unistd.h>
    #include <fcntl.h>
    #include <signal.h>
    #include <paths.h>
    #include <grp.h>
    #include <setjmp.h>
    #include <stdint.h>
    #include <sys/mman.h>
    #include <sys/ipc.h>
    #include <sys/shm.h>
    #include <sys/ucontext.h>
    #include <sys/wait.h>
    #include <asm/ldt.h>
    #include <asm/page.h>
    #include <asm/segment.h>
    #include <linux/unistd.h>
    #include <linux/linkage.h>
    #include <sys/types.h>
    #include <sys/stat.h>
    #include <fcntl.h>
    #incl
  • 上一篇:[AD_LAB-04003] Linux 2.6.* 内核Capability LSM模块进程特权信任状本地权限提升漏洞
    下一篇:Snort中文用户手册