Linux kernel (2.6.17 - 2.6.24.1) Local Root Exploit

출처 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0010
관련링크 :
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0010
http://kldp.org/node/90926
일반 계정유저가 exploit을 돌리면 루트쉘을 바로 얻을수 있다고 하니 서둘러 커널업데이트나
패치를 하시기 바랍니다. exploit이 실행되는 커널 버전은 2.6.17 - 2.6.24.1대로 알려져있습니다.
------------------------------------------------------------------------------------------------
Vulnerability Summary CVE-2008-0010
Original release date: 2/12/2008
Last revised: 2/12/2008
Source: US-CERT/NIST

Overview

The copy_from_user_mmap_sem function in fs/splice.c in the Linux kernel 2.6.22 through 2.6.24 does not validate
a certain userspace pointer before dereference, which allow local users to read from arbitrary kernel memory locations.

Impact

CVSS Severity (version 2.0):
CVSS v2 Base score: 2.1 (Low) (AV:L/AC:L/Au:N/C:P/I:N/A:N) (legend)
Impact Subscore: 2.9
Exploitability Subscore: 3.9

Access Vector: Locally exploitable
Access Complexity: Low
Authentication: Not required to exploit
Impact Type: Allows unauthorized disclosure of information

References to Advisories, Solutions, and Tools

External Source: MILW0RM (disclaimer) Name: 5093 Hyperlink: http://www.milw0rm.com/exploits/5093

External Source: (disclaimer) Hyperlink: http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.24.1

External Source: (disclaimer) Hyperlink: http://isec.pl/vulnerabilities/isec-0026-vmsplice_to_kernel.txt

Vulnerable software and versions
Configuration 1
− Linux, Kernel, 2.6.22 , 2.6.22 Rc6 , 2.6.22.1 , 2.6.22.16 , 2.6.22.3 , 2.6.22.4 , 2.6.22.5
2.6.22.6 , 2.6.22.7 , 2.6.23 , 2.6.23 .2 , 2.6.23 Rc1 , 2.6.23.09 , 2.6.23.1 , 2.6.23.14
2.6.23.2 , 2.6.23.3 , 2.6.23.4 , 2.6.23.5 , 2.6.23.6 , 2.6.23.7 , 2.6.23_rc2 , 2.6.23rc1
2.6.23rc2 , 2.6.24 Rc2 , 2.6.24_rc2 , 2.6.24_rc3
Technical Details

Vulnerability Type (View All)
Input Validation (CWE-20)

CVE Standard Vulnerability Entry:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0010

Common Platform Enumeration:
http://nvd.nist.gov/cpe.cfm?cvename=CVE-2008-0010


출처 : http://www.samba.org/samba/security/CVE-2007-4138.html

==========================================================
==
== Subject: Incorrect primary group assignment for
== domain users using the rfc2307 or sfu
== winbind nss info plugin.
==
== CVE ID#: CVE-2007-4138
==
== Versions: Samba 3.0.25 - 3.0.25c (inclusive)
==
== Summary: When the "winbind nss info" parameter in
== smb.conf is set to either "sfu" or "rfc2307",
== Windows users are incorrectly assigned
== a primary gid of 0 in the absence of the
== RFC2307 or Services or Unix (SFU) primary
== group attributes.
==
==========================================================

===========
Description
===========

The idmap_ad.so library provides an nss_info extension to Winbind
for retrieving a user's home directory path, login shell and
primary group id from an Active Directory domain controller. This
functionality is enabled by defining the "winbind nss info"
smb.conf option to either "sfu" or "rfc2307".

Both the Windows "Identity Management for Unix" and "Services for
Unix" MMC plug-ins allow a user to be assigned a primary group
for Unix clients that differs from the user's Windows primary group.
When the rfc2307 or sfu nss_info plugin has been enabled, in
the absence of either the RFC2307 or SFU primary group attribute,
Winbind will assign a primary group ID of 0 to the domain user
queried using the getpwnam() C library call.

==================
Patch Availability
==================

A patch addressing this defect has been posted to

http://www.samba.org/samba/security/

Additionally, Samba 3.0.26 has been issued as a security
release to correct the defect.

==========
Workaround
==========

Samba and Active Directory administrators may avoid this security
issue by two methods:

(a) Ensure that all user's stored in AD are properly assigned a
Unix primary group, or
(b) Discontinue use of the sfu or rfc2307 "winbind nss info" plugin
until a patched version of the idmap_ad.so library can be
installed.

Note that the problem is only evident on servers using the sfu
or rfc2307 "winbind nss info" plugin and not those only making
use of Winbind's idmap_ad IDMap backend interface.

=======
Credits
=======

This vulnerability was reported to Samba developers by Rick King
as Samba Bug #4927.

The time line is as follows:

* Aug 29, 2007: Initial report from Rick King.
* Aug 29, 2007: First response from Samba developers confirming
the bug along with a proposed patch.
* Sep 4, 2007: Announcement to vendor-sec mailing list.
* Sep 11, 2007: Public security advisory made available.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================

srpm은 다음 링크에서 받을수 있습니다.

http://us4.samba.org/samba/ftp/Binary_Packages/Fedora/SRPMS/samba-3.0.26...
http://us4.samba.org/samba/ftp/Binary_Packages/Fedora/SRPMS/samba-3.0.26...

  1. first4you 2007.11.17 15:45

    Samba 3.0.27 Available for Download

    Samba 3.0.27 is a security release to address CVE-2007-4572 and CVE-2007-5398.

    The Samba 3.0.27 source code (GPG signature) can be downloaded now. If you prefer, the patch file against previous releases (GPG signature) is also available for download. Please read these instructions on how to verify the gpg signature. Precompiled packages will be made available on a volunteer basis and can be found in the Binary_Packages download area.

    download source:
    http://samba.org/samba/ftp/stable/samba-3.0.27.tar.gz

    Binary_Packages:
    http://samba.org/samba/ftp/Binary_Packages/

  2. first4you 2007.12.11 22:44

    CVE-2007-6015 
    ============================================================== Subject: Boundary failure in GETDC mailslot== processing can result in a buffer overrun==== CVE ID#: CVE-2007-6015==== Versions: Samba 3.0.0 - 3.0.27a (inclusive)==== Summary: Specifically crafted GETDC mailslot requests== can trigger a boundary error in the domain== controller GETDC mail slot support which== can be remotely exploited to execute arbitrary== code.=======================================================================Description===========Secunia Research reported a vulnerability that allows forthe execution of arbitrary code in nmbd. This defect isonly be exploited when the "domain logons" parameter hasbeen enabled in smb.conf.==================Patch Availability==================A patch addressing this defect has been posted tohttp://www.samba.org/samba/security/Additionally, Samba 3.0.28 has been issued as a securityrelease to correct the defect.==========Workaround==========Samba administrators may avoid this security issue by disablingboth the "domain logons" options in the server's smb.conf file.Note that this will disable all domain controller features aswell.=======Credits=======This vulnerability was reported to Samba developers byAlin Rad Pop, Secunia Research.The time line is as follows:* Nov 22, 2007: Initial report to security@samba.org.* Nov 22, 2007: First response from Samba developers confirmingthe bug along with a proposed patch.* Dec 10, 2007: Public security advisory made available.============================================================ Our Code, Our Bugs, Our Responsibility.== The Samba Team==========================================================

netfilter관련 문제라고 하는군요.linux kernel 2.6.x대 모두 해당한다고 합니다.

NETFILTER: {ip, nf}_conntrack_sctp: fix remotely triggerable NULL ptr dereference [CVE-2007-2876]

When creating a new connection by sending an unknown chunk type, we don't transition to a valid state,

causing a NULL pointer dereference in sctp_packet when accessing sctp_timeouts[SCTP_CONNTRACK_NONE].

Fix by don't creating new conntrack entry if initial state is invalid. Noticed by Vilmos Nebehaj

관련링크 : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2876

출처 : http://lists.netfilter.org/pipermail/netfilter-devel/2007-July/028630.html

linux kernel 2.6.22에 geoip 사용을 위해 patch-o-matic-ng로 커널에 geoip패치를 한후
커널 컴파일을 하면 다음과 같은 에러가 날 수 있습니다.


 
  1. ....... 생략
  2.  
  3. CC [M] net/ipv4/netfilter/ipt_geoip.o
  4. net/ipv4/netfilter/ipt_geoip.c: In function `match':
  5. net/ipv4/netfilter/ipt_geoip.c:113: error: structure has no member named `nh'
  6. net/ipv4/netfilter/ipt_geoip.c: In function `init':
  7. net/ipv4/netfilter/ipt_geoip.c:291: warning: implicit declaration of function `ipt_register_match'
  8. net/ipv4/netfilter/ipt_geoip.c: In function `fini':
  9. net/ipv4/netfilter/ipt_geoip.c:296: warning: implicit declaration of function `ipt_unregister_match'
  10. make[3]: *** [net/ipv4/netfilter/ipt_geoip.o] Error 1
  11. make[2]: *** [net/ipv4/netfilter] Error 2
  12. make[1]: *** [net/ipv4] Error 2
  13. make: *** [net] Error 2


해결방법은 geoip.c 소스를 직접 수정하면 에러없이 정상적으로 커널을 컴파일 할수 있습니다.
또는 아래링크의 패치파일로 패치를 할수 있습니다.

http://bjerkeset.com/patches/geoip-match-2.6.22.patch.gz

'System' 카테고리의 다른 글

CentOS Yum으로 SRPM (source rpm) 받기  (1) 2009.01.19
CentOS 5.x Utter Ramblings Repo  (0) 2009.01.18
linux kernel 2.6.22 & geoip 패치  (2) 2007.07.22
Defragment XFS File-system  (0) 2006.11.28
커널 컴파일시 HIGHMEM옵션  (0) 2006.11.10
하드디스크 온도 모니터링  (3) 2006.08.04
  1. first4you 2007.07.24 16:23

    kernel 2.6.22 쓰시는 분들은 2.6.22.1로 업데이트 하시는게 좋을것같군요. :( 변경사항은 아래를 참고하세요.

    Author: Greg Kroah-Hartman

    Linux 2.6.22.1

    Ok, so it was more than just 5 minutes for the first exploit to be
    found, nothing to be ashamed about :)

    Signed-off-by: Greg Kroah-Hartman

    Author: Patrick McHardy

    NETFILTER: {ip, nf}_conntrack_sctp: fix remotely triggerable NULL ptr dereference (CVE-2007-2876)

    When creating a new connection by sending an unknown chunk type, we
    don't transition to a valid state, causing a NULL pointer dereference in
    sctp_packet when accessing sctp_timeouts[SCTP_CONNTRACK_NONE].

    Fix by don't creating new conntrack entry if initial state is invalid.

    또한 geoip역시 같은 방법으로 패치를 해줘야 됩니다. :devil_girl:

  2. first4you 2007.08.03 21:44

    centos 에서의 geoip패치는 아래링크를 참고하세요.

    http://kldp.org/node/82983

출처 : http://bbs.kldp.org/viewtopic.php?t=39294
x86 2.4.2x 대 버전과 2.6.x 대 버전의 커널 보안버그 현재 사용하는 커널의 패치여부는 아래 패치파일 링크에서
확인해 보시면 되겠습니다. 패치를 하려고 보니 이미 패치가 되어있군요. exploit도 공개가 되어있고 특별히
root권한이 필요한것도 아니니 매우 위험할수도 있습니다.
관련링크 : http://linuxreviews.org/news/2004-06-11_kernel_crash/index.html#toc1
패치파일 : http://linux.bkbits.net:8080/linux-2.4/gnupatch@40cdf6f8V7sOe5n96HA5Q7r9uDRvJQ
관련 링크: http://linuxreviews.org/news/2004-06-11_kernel_crash/index.html#toc1

+ Recent posts