正文

Linux内核create_elf_tables()函数整数溢出漏洞导致本地提权

admin
admin V管理员 /0 评论 /17 阅读
0423
此篇文章发布距今已超过1150天,您需要注意文章的内容或图片是否可用!

CVE编号

CVE-2018-14634

利用情况

漏洞武器化

补丁情况

官方补丁

披露时间

2018-09-26
漏洞描述
Linux内核的create_elf_tables函数中存在一个整数溢出缺陷,能访问SUID可执行文件的低权限的本地用户可通过利用此缺陷进行权限提升。内核2.6.x/3.10.x/4.14.x 受影响。 由于利用该漏洞需要大量内存空间,32位的操作系统不受此漏洞影响。小于32GB内存的操作系统几乎不会受到此漏洞影响。 RHEL 5 附带的内核不受此漏洞影响。 缓解措施: -- RHEL系操作系统 1) 将以下代码存为mitigation.stp function clamp_stack_rlim_cur:long () %{ struct rlimit *rlim = current->signal->rlim; unsigned long rlim_cur = READ_ONCE(rlim[RLIMIT_STACK].rlim_cur); unsigned long limit = _STK_LIM / 4 * 3; limit *= 4; // multiply it back up, to the scale used by rlim_cur if (rlim_cur > limit) { WRITE_ONCE(rlim[RLIMIT_STACK].rlim_cur, limit); STAP_RETURN(limit); } else STAP_RETURN(0); %} probe kernel.function("copy_strings").call { l = clamp_stack_rlim_cur() if (l) printf("lowered process %s(%d) STACK rlim_cur to %p\n", execname(), pid(), l) } probe begin { printf("CVE-2018-14634 mitigation loaded\n") } probe end { printf("CVE-2018-14634 mitigation unloaded\n") } 2) 安装systemtap, 使用systemtap运行上述文件 sudo stap -g mitigation.stp
解决建议
缓解措施:
-- RHEL系操作系统
1) 将以下代码存为mitigation.stp
function clamp_stack_rlim_cur:long ()
%{
struct rlimit *rlim = current->signal->rlim;
unsigned long rlim_cur = READ_ONCE(rlim[RLIMIT_STACK].rlim_cur);

unsigned long limit = _STK_LIM / 4 * 3;
limit *= 4; // multiply it back up, to the scale used by rlim_cur

if (rlim_cur > limit) {
WRITE_ONCE(rlim[RLIMIT_STACK].rlim_cur, limit);
STAP_RETURN(limit);
} else
STAP_RETURN(0);
%}

probe kernel.function("copy_strings").call
{
l = clamp_stack_rlim_cur()
if (l)
printf("lowered process %s(%d) STACK rlim_cur to %p\n",
execname(), pid(), l)
}

probe begin {
printf("CVE-2018-14634 mitigation loaded\n")

}

probe end {
printf("CVE-2018-14634 mitigation unloaded\n")
}

2) 安装systemtap, 使用systemtap运行上述文件
sudo stap -g mitigation.stp
参考链接
http://www.openwall.com/lists/oss-security/2021/07/20/2
http://www.securityfocus.com/bid/105407
https://access.redhat.com/errata/RHSA-2018:2748
https://access.redhat.com/errata/RHSA-2018:2763
https://access.redhat.com/errata/RHSA-2018:2846
https://access.redhat.com/errata/RHSA-2018:2924
https://access.redhat.com/errata/RHSA-2018:2925
https://access.redhat.com/errata/RHSA-2018:2933
https://access.redhat.com/errata/RHSA-2018:3540
https://access.redhat.com/errata/RHSA-2018:3586
https://access.redhat.com/errata/RHSA-2018:3590
https://access.redhat.com/errata/RHSA-2018:3591
https://access.redhat.com/errata/RHSA-2018:3643
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14634
https://security.netapp.com/advisory/ntap-20190204-0002/
https://security.paloaltonetworks.com/CVE-2018-14634
https://support.f5.com/csp/article/K20934447?utm_source=f5support&utm_medium=RSS
https://usn.ubuntu.com/3775-1/
https://usn.ubuntu.com/3775-2/
https://usn.ubuntu.com/3779-1/
https://www.exploit-db.com/exploits/45516/
https://www.openwall.com/lists/oss-security/2018/09/25/4
受影响软件情况
# 类型 厂商 产品 版本 影响面
1
运行在以下环境
系统 linux linux_kernel * From
(including)
2.6.0 		Up to
(including)
2.6.39.4
运行在以下环境
系统 linux linux_kernel * From
(including)
3.10.0 		Up to
(including)
3.10.102
运行在以下环境
系统 linux linux_kernel * From
(including)
4.14.0 		Up to
(including)
4.14.54
运行在以下环境
系统 redhat_6 kernel * Up to
(excluding)
0:2.6.32-754.6.3.el6
运行在以下环境
系统 redhat_7 kernel * Up to
(excluding)
0:3.10.0-862.14.4.el7
运行在以下环境
系统 redhat_7 kernel-rt * Up to
(excluding)
0:3.10.0-862.14.4.rt56.821.el7
运行在以下环境
系统 sles_12 kernel-ec2 * Up to
(excluding)
3.12.74-60.64.104
运行在以下环境
系统 ubuntu_14.04_lts linux * Up to
(excluding)
3.13.0-160.210
运行在以下环境
系统 ubuntu_16.04_lts linux * Up to
(excluding)
4.4.0-93.116
运行在以下环境
系统 ubuntu_18.04_lts linux * Up to
(excluding)
4.13.0-16.19
运行在以下环境
系统 ubuntu_18.10 linux * Up to
(excluding)
4.15.0-20.21
阿里云评分 8.6
  • 攻击路径 本地
  • 攻击复杂度 容易
  • 权限要求 普通权限
  • 影响范围 全局影响
  • EXP成熟度 漏洞武器化
  • 补丁情况 官方补丁
  • 数据保密性 数据泄露
  • 数据完整性 传输被破坏
  • 服务器危害 服务器失陷
  • 全网数量 N/A
CWE-ID 漏洞类型 CWE-190 整数溢出或超界折返