Source: CERTCC mailing list
Author: 홍석범

Yet another serious security flaw has been found in some of the latest Linux kernels. It is caused by an integer overflow in the MCAST_MSFILTER option, newly added as of 2.4.22/2.6.1, in the ip_setsockopt() function of the kernel's net/ipv4/ip_sockglue.c file. Exploiting this vulnerability reportedly allows a local user to obtain administrator privileges or to reboot the system.

- Vulnerable kernels: 2.4.22 through 2.4.25, and 2.6.1 through 2.6.3 (earlier versions are not affected by this vulnerability)
- Countermeasure: upgrade to 2.4.26 or 2.6.4

No attack code for this vulnerability has been published yet, but since the discoverers have tended to release code around 15 days after announcing a vulnerability, I expect it to be published before long.

Related URL: http://isec.pl/vulnerabilities/isec-0015-msfilter.txt
Synopsis: Linux kernel setsockopt MCAST_MSFILTER integer overflow
Product: Linux kernel
Version: 2.4.22 - 2.4.25, 2.6.1 - 2.6.3
Vendor: http://www.kernel.org/
URL: http://isec.pl/vulnerabilities/isec-0015-msfilter.txt
Author: Paul Starzetz <ihaquer [at] isec [dot] pl>
        Wojciech Purczynski <cliph [at] isec [dot] pl>
Date: April 20, 2004
1. Issue

A critical security vulnerability has been found in the Linux kernel in
the ip_setsockopt() function code.
2. Details

The ip_setsockopt() function code is a subroutine of the setsockopt(2)
system call. This function allows manipulation of various options of
the IP socket. The MCAST_MSFILTER option can be used to provide the
kernel with a list of multicast addresses to be received on the socket.
This code has been introduced with the 2.4.22/2.6.1 kernel releases.

There is an exploitable integer overflow inside the code handling the
MCAST_MSFILTER socket option in the IP_MSFILTER_SIZE macro calculation.
The vulnerable code resides in net/ipv4/ip_sockglue.c file:

    case MCAST_MSFILTER:
    {
        /* ... */
        msize = IP_MSFILTER_SIZE(gsf->gf_numsrc);
        msf = (struct ip_msfilter *)kmalloc(msize,GFP_KERNEL);
        /* ... */
        for (i=0; i<gsf->gf_numsrc; ++i) {
            psin = (struct sockaddr_in *)&gsf->gf_slist[i];
            if (psin->sin_family != AF_INET)
                goto mc_msf_out;
            msf->imsf_slist[i] = psin->sin_addr.s_addr;
        }
whereas the IP_MSFILTER_SIZE macro is defined as follows:

    #define IP_MSFILTER_SIZE(numsrc) \
        (sizeof(struct ip_msfilter) - sizeof(__u32) \
        + (numsrc) * sizeof(__u32))
Integer overflow during kernel memory space calculation may cause the
kernel buffer to be overflown with arbitrary values within the for loop
code.
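To make the size miscalculation concrete, here is an added example (not code from the iSEC advisory or from the kernel) that evaluates IP_MSFILTER_SIZE the way a 32-bit x86 kernel of that era would, with a 32-bit size_t, and counts how many imsf_slist stores the copy loop would make past the end of the kmalloc'ed buffer. It assumes the struct ip_msfilter layout (four __u32 header fields plus a one-entry source list) and an illustrative cap MSF_MAX_SRC for the hardened variant; neither is taken from the advisory, and the hardened check is a demonstration, not the upstream 2.4.26/2.6.4 patch.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed layout of struct ip_msfilter (uint32_t stands in for __u32):
 * four header fields followed by a one-element source list. */
struct ip_msfilter {
    uint32_t imsf_multiaddr;
    uint32_t imsf_interface;
    uint32_t imsf_fmode;
    uint32_t imsf_numsrc;
    uint32_t imsf_slist[1];
};

/* Bytes before the source list: sizeof(struct ip_msfilter) - sizeof(__u32). */
static uint32_t msf_header_bytes(void)
{
    return (uint32_t)(sizeof(struct ip_msfilter) - sizeof(uint32_t));
}

/* IP_MSFILTER_SIZE from the advisory, evaluated in 32-bit unsigned
 * arithmetic to model a kernel where size_t is 32 bits (x86 of the time).
 * numsrc * 4 wraps modulo 2^32 once numsrc reaches 0x40000000. */
static uint32_t ip_msfilter_size_vuln(uint32_t numsrc)
{
    return msf_header_bytes() + numsrc * (uint32_t)sizeof(uint32_t);
}

/* How many imsf_slist entries an allocation of msize bytes really holds. */
static uint32_t slots_in_buffer(uint32_t msize)
{
    uint32_t header = msf_header_bytes();
    if (msize < header)
        return 0;
    return (msize - header) / (uint32_t)sizeof(uint32_t);
}

/* Stores that "for (i = 0; i < gf_numsrc; ++i) msf->imsf_slist[i] = ..."
 * would make beyond the buffer kmalloc() returned for the wrapped size. */
static uint32_t entries_written_past_end(uint32_t numsrc)
{
    uint32_t slots = slots_in_buffer(ip_msfilter_size_vuln(numsrc));
    return numsrc > slots ? numsrc - slots : 0;
}

/* Hardened size computation (illustrative): bound the count before doing
 * any arithmetic so the multiplication cannot wrap, and widen to 64 bits
 * for the sum. Returns -1 on rejection, otherwise the byte count. */
#define MSF_MAX_SRC 256u   /* assumed administrative limit on sources */

static int64_t ip_msfilter_size_checked(uint32_t numsrc)
{
    if (numsrc > MSF_MAX_SRC)
        return -1;   /* reject: too many sources (and cannot wrap below) */
    return (int64_t)msf_header_bytes() +
           (int64_t)numsrc * (int64_t)sizeof(uint32_t);
}

int main(void)
{
    uint32_t numsrc = 0x40000000u;   /* attacker-chosen gf_numsrc */
    uint32_t msize = ip_msfilter_size_vuln(numsrc);

    printf("gf_numsrc=0x%08x -> msize=%u bytes, room for %u entries, "
           "loop stores %u entries past the end\n",
           numsrc, msize, slots_in_buffer(msize),
           entries_written_past_end(numsrc));
    printf("checked size for the same gf_numsrc: %lld (rejected)\n",
           (long long)ip_msfilter_size_checked(numsrc));
    printf("checked size for gf_numsrc=2: %lld bytes\n",
           (long long)ip_msfilter_size_checked(2u));
    return 0;
}
```

With gf_numsrc = 0x40000000 the product numsrc * 4 wraps to 0, so kmalloc() is asked for only the 16-byte header while the loop still iterates a billion times, which is exactly the heap overflow the advisory describes. On a 64-bit kernel the same macro would not wrap (numsrc is promoted to a 64-bit size_t), so this example only models the 32-bit case; the fix that matters is rejecting oversized counts before the size arithmetic, as the checked variant does.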
3. Impact

Proper exploitation of this vulnerability leads to local privilege
escalation giving an attacker full super-user privileges. Unsuccessful
exploitation of the vulnerability may lead to a denial-of-service
attack causing machine crash or instant reboot.
4. Solution

This bug has been fixed in the 2.4.26 and 2.6.4 kernel releases. All users
of vulnerable kernels are advised to upgrade to the latest kernel version.

For further information please contact your vendor.
5. Credits

Paul Starzetz <ihaquer [at] isec [dot] pl> discovered the vulnerability
over half a year ago. Wojciech Purczynski performed further research and
developed exploit code.
6. Copyright

Copyright (c) 2004 iSEC Security Research
All Rights Reserved.
7. Disclaimer

This document and all the information it contains are provided "as is",
for educational purposes only, without warranty of any kind, whether
express or implied.

All the content presented here may be subject to future modifications
and updates without prior notice.

The authors reserve the right not to be responsible for the topicality,
correctness, completeness or quality of the information provided in
this document. Liability claims regarding damage caused by the use of
any information provided, including any kind of information which is
incomplete or incorrect, will therefore be rejected.
관련 링크: http://isec.pl/vulnerabilities/isec-0015-msfilter.txt