
Title: [Security] Another security flaw found in all Linux kernels
Date: 2005-04-09 11:28:19

The newly discovered vulnerability is a race condition in the kernel's page fault handler.
A local unprivileged user can exploit it to obtain root privileges with little effort.
Details of the vulnerability are as follows.

* Vulnerable kernels
  2.4.x: 2.4.29-rc1 and earlier (2.4.28 included)
  2.6.x: 2.6.10
* Non-vulnerable kernels
  2.4.x: 2.4.29-rc2 or 2.4.29
  2.6.x: -ac or -rc patch versions released after January 12
* Vulnerable systems
  SMP (symmetric multiprocessing) systems of the i386 family.
  Systems with a single CPU are therefore not affected. A single CPU with
  hyperthreading enabled is affected, however: the race only needs two threads
  running at the same time on two logical processors, and hyperthreading provides
  exactly that.

* Test code

http://???/???/???.c

 
Download, compile and run the code above to check whether your kernel is vulnerable.

## Vulnerable case

$ ./test

 [+] in thread 1 (pid = 5791)
 [+] in thread 2 (pid = 5792)
 [+] rdtsc calibration: 32877
 [+] exploiting race, wait...
 [+] race won (shift: 572)
 [+] kernel might be vulnerable.

## Not vulnerable case (the race is never won, so the output stops at the wait message until the program gives up)

$ ./test
 [+] in thread 1 (pid = 731)
 [+] in thread 2 (pid = 732)
 [+] rdtsc calibration: 35668
 [+] exploiting race, wait...


Below is the result of running the actual exploit on an SMP system with kernel 2.4.28.

$ ./exploit

 [+] in thread 1 (pid = 7382)
 [+] in thread 2 (pid = 7383)
 [+] rdtsc calibration: 32596
 [+] exploiting race, wait...
 [+] race won (shift: 539)
bash#
id
uid=0(root)

Below is the result of running the same exploit on an SMP system with kernel 2.4.29.
$ ./exploit

 [+] in thread 1 (pid = 787)
 [+] in thread 2 (pid = 788)
 [+] rdtsc calibration: 35626
 [+] exploiting race, wait...
 [-] unable to exploit race in 30s,
 kernel patched or load too high.


* Countermeasures

There are three possible approaches.

(1) Wherever possible, patch or upgrade to a current kernel such as 2.4.29 or 2.6.11-rc1.

(2) If a kernel upgrade is not feasible, temporarily change the permissions on /proc
    so that ordinary users cannot read it; setting the /proc directory to mode 700 is
    enough. This prevents the exploit from running. Note that ps, top and similar tools
    also read /proc and will stop working for non-root users, so treat this strictly as
    a stopgap until the kernel is replaced.

(3) The exploit needs a root-owned setuid/setgid binary at run time. If such binaries
    exist on the system, remove their s bits. They can be listed with

    find / -type f -perm +6000 -ls

    (the "+6000" spelling is the old GNU find syntax and is no longer accepted by
    current findutils, which use -perm /6000 instead). Stripping the bits from su,
    passwd and the like breaks those programs, so remove only what the system does
    not need.
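The following POSIX sh script is an added example; it is not part of the original advisory, nor the test or exploit program the advisory links. It audits the exposure conditions listed above without changing anything: it transcribes the vulnerable version ranges into a check against "uname -r", counts logical processors (hyperthreading siblings count as processors, as the advisory notes), reports whether /proc has already been locked down as in countermeasure (2), and lists root-owned setuid/setgid files with the current -perm /6000 syntax for countermeasure (3). The file name audit.sh and the "audit" argument are conventions chosen for this example.

```shell
#!/bin/sh
# Added audit helper (example code, not the advisory's own). Read-only: it changes
# nothing on the system. Run as:  sh audit.sh audit

# Vulnerable-version test transcribed from the advisory's list:
#   2.4.x : 2.4.29-rc1 and earlier (2.4.28 included); fixed in 2.4.29-rc2 / 2.4.29
#   2.6.x : 2.6.10 (the advisory says -ac/-rc trees after January 12 are fixed, but
#           that cannot be told from the release string alone, so every 2.6.10 is
#           reported as vulnerable and must be checked by hand)
# Accepts "uname -r" style strings such as 2.4.28-smp or 2.4.29-rc1.
# Returns 0 (true) when the version is in the vulnerable range.
kernel_is_vulnerable() {
    ver=$1
    case "$ver" in
        *.*.*) ;;
        *) return 1 ;;          # not major.minor.patch: cannot classify
    esac
    maj=${ver%%.*}
    rest=${ver#*.}
    min=${rest%%.*}
    rest=${rest#*.}
    pat=$(printf '%s' "$rest" | sed 's/^\([0-9]*\).*/\1/')   # numeric patch level
    extra=$(printf '%s' "$rest" | sed 's/^[0-9]*//')         # e.g. "-rc1", "-smp"
    [ -n "$pat" ] || return 1
    case "$maj.$min" in
        2.4)
            [ "$pat" -lt 29 ] && return 0
            # 2.4.29-rc1 is still vulnerable; -rc2 and the final 2.4.29 are not
            [ "$pat" -eq 29 ] && case "$extra" in -rc1|-rc1[!0-9]*) return 0 ;; esac
            return 1 ;;
        2.6)
            [ "$pat" -eq 10 ] ;;
        *)
            return 1 ;;
    esac
}

# The race needs two threads running simultaneously on two logical processors,
# so count what the kernel exposes; hyperthreading siblings appear here too.
logical_cpus() {
    n=$(grep -c '^processor' /proc/cpuinfo 2>/dev/null) || n=0
    printf '%s\n' "${n:-0}"
}

# Countermeasure (2): true when DIR is not readable or searchable by group/other
# (mode 700 or tighter). Parses "ls -ld" so it works without GNU stat.
dir_is_private() {
    mode=$(ls -ld "$1" 2>/dev/null | cut -c1-10)
    case "$mode" in
        d???------) return 0 ;;
        *) return 1 ;;
    esac
}

# Countermeasure (3): list setuid/setgid files under DIR. "-perm /6000" means
# "any of these bits set" and replaces the old "-perm +6000" spelling.
list_setid_files() {
    find "$1" -xdev -type f -perm /6000 -print 2>/dev/null
}

# Same, restricted to root-owned files, which is what the exploit requires.
list_root_setid_files() {
    find "$1" -xdev -type f -user root -perm /6000 -print 2>/dev/null
}

report() {
    rel=$(uname -r)
    if kernel_is_vulnerable "$rel"; then
        printf 'kernel %s: listed as vulnerable by the advisory\n' "$rel"
    else
        printf 'kernel %s: outside the advisory vulnerable range\n' "$rel"
    fi
    cpus=$(logical_cpus)
    if [ "$cpus" -gt 1 ]; then
        printf 'logical CPUs: %s (SMP or hyperthreading: race is reachable)\n' "$cpus"
    else
        printf 'logical CPUs: %s (uniprocessor: advisory says not affected)\n' "$cpus"
    fi
    if dir_is_private /proc; then
        printf '/proc: not readable by ordinary users (stopgap 2 in place)\n'
    else
        printf '/proc: readable by ordinary users (stopgap 2 not applied)\n'
    fi
    printf 'root-owned setuid/setgid files under /:\n'
    list_root_setid_files / | sed 's/^/  /'
}

# Only run the live audit when asked, so the functions can also be sourced.
if [ "${1:-}" = "audit" ]; then
    report
fi
```

The version check deliberately reports every 2.6.10 as vulnerable, because a fixed -ac or -rc tree is not distinguishable from the release string; confirm such kernels with the advisory's test program instead.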

For more details on this vulnerability, refer to the URL below.
 








