udp_sendmsg漏洞（一）--介绍

对于该漏洞的描述，来自于http://blog.cr0.org/。
    本文将转载该漏洞的描述，以及个人对该漏洞的理解。在随后的第二篇和三篇中将分别贴出漏洞产生的原因代码以及漏洞利用代码和总结。
  【警告：本文中列出的代码仅限于学习和研究使用。任何用于非法用途的，请自行承担责任。】

      本文欢迎自由转载，但请标明出处，并保证本文的完整性。
      作者：Godbach
    Blog：http://Godbach.cublog.cn
      日期：2010/01/19

CVE-2009-2698: udp_sendmsg() vulnerability

EDIT: p0c73n1  has posted an exploit  for this to milw0rm  as did  andi@void.at , and spender wrote  "the rebel"

Tavis Ormandy and myself have recently reported CVE-2009-2698 which has been disclosed at the beginning of the week.

This flaw affects at least Linux 2.6 with a version < 2.6.19.
【Godbach注】该漏洞存在于2.6版本中，低于2.6.19.  p0c73n1 完成了利用该漏洞的代码，spender写了一个比较系统的exp代码。
When we ran into this, we realized the newest kernel versions were not affected by the PoC code we had. The reason for this was that Herbert Xu had  found and corrected a closely related bug. Linux distributions running on 2.6.18 and earlier kernels did not realize the security impact of this fix and did not backport it.
This is a good example on how hard it is to backport relevant fixes to maintained stable versions of the kernel.

If you look at  udp_sendmsg, you will see that the rt routing table is initialized as NULL and some code paths can lead to call  ip_append_data with a NULL rt. ip_append_data() obviously doesn't handle this case properly and will cause a NULL pointer dereference.
【Godbach注】udp_sendmsg函数中rt变量被初始化为NULL，而在某些条件下会导致，在调用ip_append_data函数时，传进去的参数rt有可能为NULL。而ip_append_data函数里面有没有对该变量进行合法性检查，因此对导致对NULL指针进行解引用。
Note that this is a data NULL pointer dereference and mapping code at page zero will not lead to immediate privileged code execution for a local attacker. However, controlling the rtable structure seems to give enough control to the attacker to elevate privileges.
【Godbach注】这一段内容是关键。前面已经提到了该漏洞可能导致解引用NULL指针。但是，这里解引用的是个变量，本地恶意用户没法直接在此基础上执行恶意代码，不像我们在《 Linux内核NULL pointer引发的BUG》文章中分析的那样，代码是要调用某个函数，而该函数地址为NULL，我们将0地址映射，并添加上我们自己实现的代码。 不过，恶意用户仍然可以通过rtable的结构体间接实现执行恶意代码。
Since it's hard to guarantee that ip_append_data will never be called with a NULL *rtp, we believe that this function should be made more robust  by using this patch.

Here's one way to trigger this vulnerability locally:

$ cat croissant.c
#include <sys/types.h>
#include <sys/socket.h>
#include <string.h>

int main(int argc, char **argv)
{
int fd = socket(PF_INET, SOCK_DGRAM, 0);
char buf[1024] = {0};
struct sockaddr to = {
.sa_family = AF_UNSPEC,
.sa_data = "TavisIsAwesome",
};

sendto(fd, buf, 1024, MSG_PROXY | MSG_MORE, &to, sizeof(to));
sendto(fd, buf, 1024, 0, &to, sizeof(to));

return 0;
}
【Godbach注】以上就是触发漏洞的代码。该代码执行的后果就是内核Oops。因此该代码导致了内核中访问NULL指针。

An effective implementation of mmap_min_addr or the UDEREF feature of PaX/GrSecurity would prevent local privilege escalation through this issue.

Posted by Julien Tinnes  at 4:43 AM  4 comments 

Labels: Linux, Security, vulnerability

补丁
    上文中已经给出了该漏洞的补丁连接。由于补丁的内容相对简单，在ip_append_data函数中添加对rt指针的合法性检查即可。这里列出其内容：

diff -r b3cbf0ceeb34 net/ipv4/ip_output.c --- a/net/ipv4/ip_output.c    Mon Aug 24 14:48:29 2009 +0200 +++ b/net/ipv4/ip_output.c    Thu Aug 27 15:20:36 2009 +0200 @@ -814,6 +814,8 @@               inet->cork.addr = ipc->addr;          }          rt = *rtp; +        if (unlikely(!rt)) +            return -EFAULT;          /*           * We steal reference to this route, caller should not release it           */