Linux kernel vulnerability analysis Article attribute: reprint
http://www.xfocus.net/articles/200410/746.html)
Linux is considered to have better security and other extension performance compared to Windows. These characteristics make Linux all over the operating system in the field of operation and get more and more attention. With the increase of Linux applications, their security has also gradually been concerned about public or even hackers. So, is Linux really as safe as it supports manufacturers? In this issue, we have invited the Purchase Star Information Technology Co.
Linux core, high stability, good stability, low scalability, low hardware demand, rich network function, is available in a variety of CPUs, so that in the operating system field. Its unique charm makes it not only occupying a certain share on the PC, but also more and more in various embedded devices and is used as a professional router, firewall, or high-end server OS. Various types of Linux issued versions are like rain, and the domestic is also set up Linux's use boom. Many government departments are also required to use Linux due to safety needs. It is because Linux is used more and more, and its security has gradually received public attention. Of course, it is more concerned about hackers. Usually, we discuss Linux system security is discussed from the perspective of Linux security configuration or Linux security features, and this time we convert a view, from the vulnerability of these vulnerabilities with these vulnerabilities to discuss linux Safety.
First explain this time we discuss the scope of Linux system security. In fact, what we say that Linux is a GNU / Linux system, Linux is the operating system kernel used in the system. This time we focus on the safety of the Linux system from several very characterful vulnerabilities existing in the Linux system kernel.
Permission enhancement
In general, using the logical defects or buffer overflows on the system, the attacker is easy to get the administrator privilegeval root locally; in some remote conditions, the attacker will use some root identity There is a defective system daemon to get root privileges, or use a defective service process vulnerability to get normal user privileges to remotely log in to the server. A lot of Linux servers are used to enhance their security in a way that unwanted services and processes, but as long as this server runs some services, the attacker can find the way to improve the way. Below is a loophole that compares newly enhancement.
DO_BRK () Boundary Check Insufficient Vulnerabilities were discovered by Linux kernel developers in September 2003, and repaired in Linux Kernel 2.6.0-Test6 issued by the end of September. However, Linux kernel developers did not realize the threat of this vulnerability, so did not do any notifications, some security experts and hackers saw the huge power of this vulnerability. In November 2003, the hacker uses an unprecedented pile in RSYNC to cooperate with this vulnerability, successfully attacking multiple Debian's servers with Gentoo Linux.
Let us briefly describe the vulnerability. The vulnerability was discovered in the BRK system call. The BRK system call can operate on the size of the heap of the user process, expand or shrink the heap. The BRK is directly using the Do_Brk () function to do specific operations, and the Do_Brk () function does not have any check on the parameter LEN in the size of the process heap (without checking the size), nor did the Addr Does LEN exceed Task_SIZE to check. In this way, we can submit any of the parameters of the unit, and the size of the user process changes to the limit of Task_size, so that the system believes that the memory space of the kernel range is also accessible by the user, so that ordinary users can access it. The memory area of the kernel. With a certain operation, the attacker can get administrator privileges. This vulnerability is extremely dangerous, using this vulnerability to make attackers directly to kernel area, can bypass a lot of security protection modules under the Linux system. The discovery of this vulnerability proposes a new vulnerability concept that enhances permissions by extending the memory space of the user's memory space to the system kernel. When this vulnerability is found, through the study, we believe that there is a similar vulnerability in the kernel. Sure enough, the hackers have found a vulnerability similar to BRK in the Linux core several months. Through this successful forecast, it is more confirmed that this new type of conceptual vulnerability is very helpful to find new vulnerabilities in the system.
Refused service vulnerability
Refusal service attack is currently a popular attack method, which does not get server privileges, but causes the server to crash or lose response. Most of the rejection service of Linux does not need to be logged in, deny the service attack, caching the system or related application crashes or lost response capabilities, which belongs to the use of system itself or its daemon defects and incorrect settings attack.
In another case, after logging in to the Linux system, the system itself or application can also crash the system itself or the application. This vulnerability is mainly caused by procedures for the processes of accidents. If you do not check if the file is present before writing temporary files, blindly follows links.
Below, we briefly describe the rejection service vulnerability generated when Linux occurs when the register in the Intel IA386 CPU is handled. This vulnerability is caused by the characteristics of the register MXCSR used by the IA386 multimedia instruction. Since the IA386 CPU specifies that the high 16-bit high 16 bits of the MXCSR register cannot be set, the CPU will report an error to cause the system to crash. In order to ensure the normal operation of the system, there is a code in the Linux system to handle this characteristic of MXCSR, and this code will have an error in a specific case, causing the high 16 bits in MXCSR to be cleared, so that the system crashes . If an attacker makes this "limit" memory, the system will produce a DOS effect.
The attacker can read the multimedia register to the user space by calling the GET_FPXREGS function, so that the user can obtain the value of the MXCSR register. Call the set_fpxRegs function You can assign the MXCSR register using the data provided by the user space. This feature of the IA386 CPU is guaranteed by clearance of the MXCSR high 16-bit. If a limiting effect is generated to skip this line, so that the high 16 bits of the MXCSR register are not cleared 0, once the MXCSR register has a high 16 bit, the system will immediately crash!
Because this vulnerability attacker needs to log in to the system, this vulnerability does not enable the attacker to improve the permissions, only the DOS effect, so this vulnerability is still relatively small. But is it meaningful to analyze this vulnerability? In fact, it can be seen from the analysis of this vulnerability: Linux kernel development members did not consider the case of this memory copy, causing this vulnerability. After analyzing this vulnerability, there is also a new in vulnerability. The type allows us to avoid this in the future development.
Next, let us see a vulnerability that appears on the Linux kernel algorithm. Let's briefly introduce this vulnerability. When the Linux system receives the attacker's special construct, it will cause the Hash table to cause conflicts to cause the server resources to be exhausted. The Hash conflict herein refers to: Many values have the same value after a Hash algorithm operation, and these values are stored in the same HASH slot, which makes the Hash table becomes a one-way linked list. The insertion operation of this Hash table will become O (N * n) from the original complexity O (N). This will cause the system to consume huge CPU resources, resulting in a DOS attack effect. Let's take a look at the Hash algorithm used in Linux, this algorithm is used in the operation of the LINUX ROUTE CATCH. This year, the Scott A. Crosby of the Rice University Computer Science, proposed a new low-bandwidth DOS attack method, which is attacked for the vulnerability of the Hash algorithm used by the application. This method is proposed: If the Hash algorithm used by the application is weak, that is, the Hash algorithm does not effectively breed data, the attacker can cause a Hash algorithm to cause a DOS attack by constructing a special value.
202
203 static __inline__ unsigned rt_hash_code (U32 Daddr, U32 Saddr, U8 TOS)
204 {
205 Unsigned Hash = ((DADDR & 0xF0F0F0) >> 4) │
206 ((DADDR & 0x0F0F0F) << 4);
207 Hash ^ = Saddr ^ TOS;
208 Hash ^ = (Hash >> 16);
209 RETURN (Hash ^ (HASH >> 8)) & rt_hash_mask;
210}
The above code is the algorithm used when Linux is routed or restructure the IP packet. This algorithm creates a DOS vulnerability due to too simply without simply making a Route cache. Let's analyze this function below.
203 Behavior The function name of this function and the entrance parameter, the U32 Daddr is the 32-bit destination address, and the U32 Saddr is 32-bit original address, TOS is a protocol.
205 rows -206 lines are converted to the target address before and after.
207 lines take the original address to TOS or then with the HASH and then assign the value to Hash.
208 rows The value of HASH is shifted by 16 bits and then assigns Hash with the Hash or re-assapore.
209 Ring is that this function returns to HASH and itself offers 8 bits to the right or, and then the value of the operation with RT_Hash_Mask.
This attack is a relatively rare rejection service because it utilizes the vulnerability in the algorithm of the system itself. The vulnerability also represents a new vulnerability discovery, which is a vulnerability excavation for the use of the HASH algorithm used by the application. Therefore, this method for the Hash table attack is not only for Linux, but also affects many applications. For example, the Hash algorithm used by Perl5 in this Perl version is easy to make the attacker using the well-filtered data, using Perl5 The HASH table for programming is generated by the Hash conflict, including some proxy server software, even IDS software, firewall, etc., because the Linux kernel will be affected by this attack.
Integer overflow vulnerability in the Linux kernel
Linux Kernel 2.4 NFSV3 XDR Processor Routines Remote Delivery Service Vulnerability is announced on July 29, 2003, affecting all Linux kernel versions of Linux Kernel 2.4.21.
The vulnerability exists in the XDR processor routine, and the related kernel source code file is NFS3XDr.c. This vulnerability is due to a plastic vulnerability (positive / negative). An attacker can construct a special XDR header (negatively negatively numbered viable variable int size) to trigger this vulnerability. When the NFSV3 XDR handler of the Linux system receives this package of the special constructed, the detection statement in the program is incorrect to determine the size of the package, thereby copying huge memory in the kernel, causing the kernel data to be destroyed, causing the Linux system crash. . Vulnerability code:
Static Inline U32 *
Decode_fh (U32 * P, Struct SVC_FH * FHP)
{
Int size;
FH_INIT (FHP, NFS3_FHSIZE);
Size = NTOHL (* P );
IF (Size> NFS3_FHSIZE)
Return NULL;
Memcpy (& fHP-> fH_HANDLE.FH_BASE, P, SIZE); fHP-> fH_HANDLE.FH_SIZE = Size
Return P XDR_QUADLEN (SIZE);
}
Because this memory copy is performed in the kernel memory area, the data in the kernel can cause the kernel to crash, so this vulnerability does not confirm that the attacker can be used remotely, and the attacker must be Mount this system when using this vulnerability. It is more difficult to add this vulnerability.
Our goal is to find this type of vulnerability through this vulnerability characteristics and better patches it. As you can see, the vulnerability is a very typical integer overflow vulnerability, and if there is such a vulnerability in the kernel, it is very dangerous. So Linux's kernel developers have processed the variables in the Linux core on the data size (using unsigned int), which avoids this typical integer overflow again. By analyzing this particularly typical vulnerability principle, developers can avoid this vulnerability in future development.
IP address spoofing vulnerability
Due to the defect of TCP / IP itself, many operating systems have TCP / IP stack vulnerabilities, making the attacker's IP address spoof very easy. Linux is no exception. Although IP address spoof does not have a serious impact on the Linux server itself, this vulnerability is fatal for many firewalls and IDS products that use Linux to operate the operating system.
IP address spoof is a lot of attacks, which is the use of this method because IP itself. The IP protocol sends an IP packet based on the destination address item in the IP header. If the destination address is the address within the local network, the IP package is sent directly to the destination. If the destination address is not in the local network, the IP package will be sent to the gateway, and then determine where it will be sent. This is a method of IP routing IP packets. IP routing IP packets When the IP source provided in the IP head does not perform any check, it is considered that the IP source address in the IP header is the IP address of the machine that transmits the package. When the destination host is received to communicate with the source host, it uses the IP source address in the IP source of the IP packet as the destination address of the IP packet it transmitted, to communicate with the source host. This data communication method of IP is very simple and efficient, but it is also a security hazard of IP. Many network security accidents are caused by this shortcomings of IP.
The hacker or invader uses the forged IP sending address to generate false data packets, and the packet filters from the internal station are attacked. This type of attack is very dangerous. Regarding the packet involved is truly internal or external packets are packaged, and there is no signs of various groups. As long as the system finds that the send address is within its own range, the packet is treated and allowed to pass.
Typically, the TCP connection of the host A and the host B is established by host A to the host B, and the acknowledgment between the A and B is only based on the initial sequence number ISN authenticated by the host B. Specifically three steps. Host A generates its ISN, transmitted to host B, requests to establish a connection; B receives the ISN from A with the SYN flag, returns your own ISN along with the answer information ACK to a; A and then B is transmitted ISN and response information ACK is returned to B. At this point, in normal case, the TCP connection of the host A and B is established.
B ---- SYN ----> A
B <---- SYN ACK ---- A
B ---- ACK ----> A
Suppose C attempts to attack a, because A and B are trustworthy, if c is already known to be trusted by A, then you must find a way to make B's network function, prevent you from interfering with your attack. The usual use here is SYN FLOOD. An attacker sends a lot of TCP-SYN packages to the attacked host. The source address of these TCP-SYN packets is not an IP address of the host of the attacker, but an attacker's own IP address you fill in. When the attacker receives the TCP-SYN package sent by the attacker, a certain resource is allocated for a TCP connection, and the source address (ie the attacker's own IP address) in the received packet is The destination address is transmitted to the target of the TCP- (SYN ACK). Since the attacker's own IP address must be a carefully selected address, the attacked host will never receive the TCP- (Syn ACK) package of the TCP- (SYN ACK) package, which is attacked the TCP of the host. The state machine is in the waiting state. If the TCP status machine of the attacked host has timeout control, the resource allocated for the connection will be reclaimed until the timeout is timeout. Therefore, if an attacker sends a sufficient TCP-SYN package to the attacked host, it is enough, the TCP module that is attacked the host will definitely be in service reject because it cannot be assigned to the system resources for the new TCP connection. Even if the administrator of the attacked host is located, the attacker's packet cannot be determined according to the source address information of the IP header.
When the network function of B is temporarily paralyzed, c must find ways to determine A current ISN. First, the 25 port is connected, because SMTP is no security check mechanism, similar to the front, but this time you need to record a ISN, and the rough RTT (Round Trip Time) of C to A. This step is to repeat multiple times to find the average of RTT. Once c knows the ISN base value and increase law of A, it can calculate the time from c to a requires RTT / 2. Then enter the attack immediately, otherwise there are other hosts between this, and ISN will be more expected.
C Send a data segment with the SYN flag to a request connection, just the source IP is changed to B. A Turn to b to the SYN ACK data segment, B has not responded that the TCP layer of B is simply discarding A return data segment. At this time, C needs to pause a small party, let A have enough time to send SYN ACK, because C can't see this package. The C is then disguised to send ACK again to a, and the data segment transmitted at this time is ISN 1 of the predicted A. If the forecast is accurate, the connection is established, the data transfer begins. The problem is that even if the connection is established, A will still send data to b, not C, C still can't see the data segment sent to B, and C must send a command to a command according to the protocol standard counterfeit B, so the attack is completed. If the prediction is not accurate, a will send a data segment with the RST flag to terminate the connection, and C is only from the head. With the continuous correction of the forecast ISN, the attacker will eventually establish a meeting with the target host. In this way, the attacker logs in to the target host as a legal user, without further confirmation. If the repeated trial allows the target host to receive the root login of the network, you can fully control the entire network. C (b) ---- SYN ----> A
B <---- SYN ACK ---- A
C (b) ---- ACK ----> A
C (b) ---- psh ----> a
IP spoofing attacks take advantage of the RPC server only on the characteristics of the source IP address for security checks, and the most difficult place is to predict A's ISN. The difficulty of attack is relatively large, but the possibility of success is also very likely. C must be accurately foreseen that may be sent from A to B, and A expecting what response information from B, which requires attackers to be quite familiar with the agreement itself. At the same time, it is necessary to understand that this attack is not possible to complete in an interaction state, and must write the program. Of course, the protocol analysis can be used in the preparation phase.
to sum up
Through analysis of several vulnerabilities above, you can see Linux is not perfect, there are many places to improve. Some vulnerabilities greatly affect Linux promotion and use, such as the loophole of the Linux Hash table conflict, because some IDS manufacturers and firewall manufacturers are based on Linux core to develop their own products, if still used the Linux itself's Hash algorithm Affected by this vulnerability, it is easy to be DOS attacks by an attacker. Because of the firewall, IDS itself is a security product. If they are attacked, they will make users with great losses, so we need to track these vulnerabilities, and by understanding their characteristics to avoid these types of vulnerabilities in the system. By predicting excavation of these types of vulnerabilities, we can actively defense against hackers.
About the Author
Zhao Wei was actively defending laboratory, SST member, member of the National Computer Network Security Event Emergency Group (CNCERT / CC) member. Main research direction: UNIX / Linux vulnerability mining, UNIX / Linux application system security, Linux kernel vulnerability mining, Linux HIDS development and event research, XML-related security. Participate in a number of national projects and 863 projects related to computer crime issuance, computer disaster recovery systems.
