A brief analysis of Linux kernel vulnerability issues

ID MYHACK58:62200612365
Type myhack58
Reporter Anonymous
Modified 2006-10-18T00:00:00


Compared with Windows, Linux is widely regarded as more secure and more extensible. These qualities have made it rise rapidly in the operating system field and attract more and more attention. As Linux deployments have grown, its security has gradually drawn the attention of the public, and even of hackers. So is Linux really as secure as the vendors that back it claim?

The Linux kernel is compact, highly stable, scalable, undemanding of hardware, free, rich in network features and suited to a variety of CPUs, which has allowed it to spring up everywhere in the operating system field. Its unique appeal has not only won it a share of the PC market; it is increasingly used in all kinds of embedded devices, and serves as the OS of professional routers, firewalls and high-end servers. Linux distributions of every kind keep popping up, and domestically a boom in Linux use is under way, with many government departments required to use Linux for security reasons. Precisely because Linux is used more and more, its security has gradually attracted public attention, and of course more attention from hackers as well. Usually we discuss Linux system security from the angle of Linux security configuration or of Linux's security features; this time we switch perspectives and discuss Linux security from the vulnerabilities present in the Linux system and the impact of those vulnerabilities.

First, to clarify what we mean by the Linux system: what is usually called Linux is the GNU/Linux system, and Linux proper is the OS kernel used in that system. This time we focus on a few very characteristic classes of vulnerability in the Linux kernel to discuss Linux system security.

Privilege escalation vulnerabilities

In general, using logic flaws in some system programs or buffer overflow techniques, an attacker can easily obtain root administrator privileges locally on a Linux server; in some remote cases, the attacker uses a defective system daemon that runs as root to obtain root privileges, or uses a vulnerability in a defective service process to obtain ordinary-user privileges, for example through a telnet server. Currently many Linux servers turn off unneeded services and processes to enhance their security, but as long as the server runs some service, the attacker can find a path to escalation. Below is a comparatively new vulnerability that leads to privilege escalation.

The do_brk() insufficient bounds checking vulnerability was found by the Linux kernel developers in September 2003 and fixed at the end of September in the release of Linux kernel 2.6.0-test6. But the Linux kernel developers did not realise it was a security vulnerability, so they made no report; some security experts and hackers, however, saw this vulnerability and the great power it implied. In November 2003 hackers combined an undisclosed heap overflow in rsync with this vulnerability to successfully attack several Debian and Gentoo Linux servers.

Let us briefly describe the vulnerability. It was found in the brk system call. The brk system call adjusts the size of a user process's heap, expanding or shrinking it, and internally brk uses the do_brk() function directly to do the actual work. When do_brk() adjusts the size of the heap it performs no check at all on the parameter len, neither of its size nor of its sign, and it does not check whether addr+len exceeds TASK_SIZE. So a len of any size can be submitted to it, letting the user change the size of the process arbitrarily and even cross the TASK_SIZE limit, so that the system considers the kernel range of memory to be accessible to the user as well, and an ordinary user can access the kernel memory area. Through certain operations the attacker can then obtain administrator privileges. This vulnerability is extremely dangerous: exploiting it lets an attacker operate directly in the kernel area and bypass many of the security protection modules under Linux.
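As an added illustration (not the kernel's own patch), here is the range check that do_brk() was missing, written for 32-bit i386 with the classic 3 GB TASK_SIZE; the naive variant beside it shows why the check must also guard against addr + len wrapping around:

```c
#include <stdint.h>

/* Added illustration, not the kernel's patch: the checks do_brk() lacked,
 * modelled on i386 with 32-bit addresses and the classic 3 GB TASK_SIZE. */
#define TASK_SIZE 0xC0000000u
#define PAGE_SIZE 4096u

/* Returns 1 when a heap region of len bytes at addr stays inside user space,
 * 0 when the request must be refused. len is unsigned, so a "negative" value
 * from a signed caller appears as a huge number and fails the size test
 * instead of slipping past a signed comparison. */
static int brk_range_ok(uint32_t addr, uint32_t len)
{
    if (addr % PAGE_SIZE)               /* start must be page aligned */
        return 0;
    if (len > TASK_SIZE)                /* absurd size, also catches sign flips */
        return 0;
    /* Written as a subtraction so that addr + len cannot wrap past 2^32 and
     * land back below TASK_SIZE; the end must not reach the kernel's half. */
    if (addr > TASK_SIZE - len)
        return 0;
    return 1;
}

/* The naive fix that tests addr + len directly: 32-bit wraparound fools it. */
static int brk_range_naive(uint32_t addr, uint32_t len)
{
    return (addr + len) <= TASK_SIZE;
}
```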

The discovery of this vulnerability introduced a new vulnerability concept: elevating privileges by extending the user's memory space into kernel memory space. When we found this kind of vulnerability, our research led us to believe that the kernel must contain similar vulnerabilities, and sure enough, a few months later hackers found another vulnerability in the Linux kernel similar to brk. This successful prediction confirmed that research into this new concept of vulnerability helps security personnel discover new vulnerabilities in the system.

Denial of service vulnerabilities

Denial of service is currently one of the more popular attack methods; it does not obtain permissions on the server, but makes the server crash or stop responding. Most denial-of-service attacks against Linux do not require logging in to the system to be launched, and they make the system or the relevant application crash or lose the ability to respond. This approach relies on a vulnerability in the system itself, or on a daemon defect or incorrect settings, to attack.

In another case the attacker is already logged in to the Linux system; using such a vulnerability, he can likewise make the system itself or an application crash. This kind of vulnerability is mainly caused by programs handling unexpected conditions incorrectly, for example writing a temporary file without first checking whether the file exists and blindly following a link.

Below we briefly describe a denial of service vulnerability that arises from an error in how Linux handles a register of the Intel IA386 CPU. The vulnerability stems from a property of the MXCSR register used by the IA386 multimedia instructions. The IA386 CPU specifies that none of the high 16 bits of MXCSR may be set; otherwise the CPU faults and the system crashes. To keep the system running normally, the Linux kernel contains a section of code dedicated to handling this property of MXCSR, but under a particular condition that code goes wrong, the high 16 bits of MXCSR are not cleared, and the system collapses. If an attacker manufactures this "limit" memory situation, the system suffers a DoS effect.

By calling the get_fpxregs function the attacker can read the multimedia registers into user space and thereby obtain the value of the MXCSR register. Calling the set_fpxregs function assigns the MXCSR register from data supplied by user space. Clearing the high 16 bits of MXCSR to 0 is what guarantees the CPU's requirement. If the limit condition is produced so that the program skips this line, the high 16 bits of MXCSR are not cleared to 0, and as soon as any of those high 16 bits is set, the system crashes immediately!

Because exploiting this vulnerability requires logging in to the system, and it does not allow an attacker to elevate privileges but only to achieve a DoS effect, its impact is relatively small. Does analysing it therefore make no sense? In fact the analysis shows that the Linux kernel developers had not considered the situation in which this memory copy fails; understanding the cause of this vulnerability also opens up a new type of vulnerability mining, so that this situation can be avoided in later development.

Next let us look at a vulnerability in an algorithm of the Linux kernel. In the vulnerability I want to introduce, when a Linux system receives specially structured packets from an attacker, they cause collisions in a hash table and exhaust the server's resources. Here a hash collision means that several values, run through some hash algorithm, yield the same result and are therefore stored in the same hash slot, which turns the hash table into a singly linked list. The hash table's insertion operation then goes from its original complexity of O(n) to O(n*n). This makes the system consume enormous CPU resources, producing the effect of a DoS attack.

Let us first look at the hash algorithm used in Linux; it is used in Linux for routing, cache indexing, and fragment reassembly. In May of this year Scott A. Crosby and Dan S. Wallach of the Rice University Department of Computer Science proposed a new low-bandwidth DoS attack method, namely attacking applications through weaknesses in the hash algorithms they use. The method states: if the hash algorithm an application uses has a weakness, that is, it cannot efficiently convert data into hash values, an attacker can use specially structured values to make the hash algorithm generate collisions and cause a DoS attack.


203 static inline unsigned rt_hash_code(u32 daddr, u32 saddr, u8 tos)
204 {
205     unsigned hash = ((daddr & 0xF0F0F0F0) >> 4) |
206                     ((daddr & 0x0F0F0F0F) << 4);
207     hash ^= saddr ^ tos;
208     hash ^= (hash >> 16);
209     return (hash ^ (hash >> 8)) & rt_hash_mask;
210 }

The code above is the algorithm Linux uses when routing or reassembling IP packets. Because the algorithm is too simple, it does not hash the route cache effectively, which results in a DoS vulnerability. Below we analyse this function.

Line 203 is the function name and its entry parameters: u32 daddr is the 32-bit destination address, u32 saddr the 32-bit source address, and tos the protocol's type-of-service field.

Lines 205-206 swap the high and low nibbles of each byte of the destination address.

Line 207 XORs the source address with tos, then XORs the result into hash.

Line 208 shifts hash right by 16 bits, XORs that with hash, and assigns the result back to hash.

Line 209 returns hash XORed with itself shifted right by 8 bits, ANDed with rt_hash_mask.
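The following added example (not code from the article or from the kernel tree) transcribes rt_hash_code() as listed above, puts a chain-length audit beside it that a defender can run over observed flows, and shows a keyed alternative; the keyed function is a Jenkins lookup3-style mix written here for illustration, and the sample flows and secret are constructed:

```c
#include <stdint.h>
#include <stddef.h>
/* rt_hash_code() from the listing above as a testable function; rt_hash_mask
 * is passed in (in the kernel it is a global sized to the route cache). */
static uint32_t rt_hash_code(uint32_t daddr, uint32_t saddr, uint8_t tos,
                             uint32_t rt_hash_mask)
{
    uint32_t hash = ((daddr & 0xF0F0F0F0) >> 4) | ((daddr & 0x0F0F0F0F) << 4);
    hash ^= saddr ^ tos;
    hash ^= (hash >> 16);
    return (hash ^ (hash >> 8)) & rt_hash_mask;
}
/* Keyed alternative (an illustration, not the kernel's later code): a Jenkins
 * lookup3-style final mix of the three words plus a per-boot secret. The
 * additions and rotations are non-linear, so bucket placement cannot be
 * worked out offline without knowing the secret. */
#define ROL32(x, r) (((x) << (r)) | ((x) >> (32 - (r))))
static uint32_t rt_hash_keyed(uint32_t daddr, uint32_t saddr, uint8_t tos,
                              uint32_t secret, uint32_t rt_hash_mask)
{
    uint32_t a = daddr + 0xdeadbeefu, b = saddr + 0xdeadbeefu, c = tos + secret;
    c ^= b; c -= ROL32(b, 14);  a ^= c; a -= ROL32(c, 11);
    b ^= a; b -= ROL32(a, 25);  c ^= b; c -= ROL32(b, 16);
    a ^= c; a -= ROL32(c, 4);   b ^= a; b -= ROL32(a, 14);
    c ^= b; c -= ROL32(b, 24);
    return c & rt_hash_mask;
}
struct flow { uint32_t daddr, saddr; uint8_t tos; };
/* Detection metric for a table of (mask + 1) buckets: the longest chain the
 * flows would form. Benign traffic stays near 1; a collision attack drives it
 * toward the flow count. O(n^2), which is fine for an audit sample. */
static size_t max_chain_len(const struct flow *f, size_t n, uint32_t mask)
{
    size_t best = 0;
    for (size_t i = 0; i < n; i++) {
        size_t len = 0;
        uint32_t b = rt_hash_code(f[i].daddr, f[i].saddr, f[i].tos, mask);
        for (size_t j = 0; j < n; j++)
            len += rt_hash_code(f[j].daddr, f[j].saddr, f[j].tos, mask) == b;
        if (len > best) best = len;
    }
    return best;
}
/* Constructed sample: one destination (10.0.0.1), three sources 192.168.0.1-3. */
static size_t sample_max_chain(uint32_t mask)
{
    const struct flow s[] = { { 0x0A000001u, 0xC0A80001u, 0 },
                              { 0x0A000001u, 0xC0A80002u, 0 },
                              { 0x0A000001u, 0xC0A80003u, 0 } };
    return max_chain_len(s, 3, mask);
}
```

With a 65536-bucket table the three sample flows land in separate buckets; with mask 0 (a single bucket) the chain length equals the flow count, which is the condition the attack described above produces on a large table.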

This attack is a comparatively rare form of denial of service, because it uses a vulnerability in an algorithm of the system itself. It also represents a new direction for vulnerability discovery: mining the hash algorithms used by application software or by the system for vulnerabilities. For this reason, this method of attacking hash tables affects not only Linux but many software applications. For example, the hash algorithm used in Perl5 makes it easy for an attacker, with carefully chosen data, to cause applications written in Perl5 that use hash tables to produce hash collisions; and some proxy server software, even some IDS software and firewalls, are affected by this kind of attack because they use the Linux kernel.

Linux kernel integer overflow vulnerability

The Linux kernel 2.4 NFSv3 XDR handler routine remote denial of service vulnerability was published on July 29, 2003, and affects Linux kernel 2.4.21 and all earlier versions.

The vulnerability is in the XDR handler routine; the relevant kernel source file is nfs3xdr.c. It is an integer vulnerability caused by a signed/unsigned mismatch. An attacker can construct a special XDR header in which the variable int size is set to a negative value and send it to the Linux system to trigger the vulnerability. When the NFSv3 XDR handler on the Linux system receives this specially structured packet, the program's check statement judges the packet size incorrectly, so the kernel copies a huge amount of memory, corrupting kernel data and crashing the Linux system.

Vulnerability code:

static inline u32 *
decode_fh(u32 *p, struct svc_fh *fhp)
{
    int size;
    fh_init(fhp, NFS3_FHSIZE);
    size = ntohl(*p++);
    /* size is a signed int: a negative value passes this test, and memcpy
     * then receives it as a huge unsigned length */
    if (size > NFS3_FHSIZE)
        return NULL;

    memcpy(&fhp->fh_handle.fh_base, p, size);
    fhp->fh_handle.fh_size = size;
    return p + XDR_QUADLEN(size);
}


Because this memory copy takes place in the kernel memory area, it destroys core data and crashes the kernel, so it has not been confirmed that this vulnerability can be used for remote access; moreover, to exploit it an attacker must be able to mount a directory on the system, which further increases the difficulty of exploitation.

Our aim is to use the characteristics of this vulnerability to look for vulnerabilities of the same type and to repair them better. As can be seen, this is a very typical integer overflow vulnerability, and such a vulnerability in the kernel is very dangerous. So the Linux kernel developers now use unsigned int for the variables that hold data sizes in the kernel, avoiding a recurrence of this typical integer overflow. By analysing the principle of this typical vulnerability, developers can avoid it in later development.
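An added example, not kernel code, contrasting the signed test from the listing above with a hardened decoder that treats size as unsigned and also bounds the copy by the number of XDR words actually received; the struct, buffer contents and lengths are constructed:

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <arpa/inet.h>   /* ntohl/htonl for the big-endian XDR words */

/* Added example, not kernel code: a bounds-safe decode_fh() run over a
 * constructed XDR buffer. struct fh stands in for the kernel's svc_fh. */
#define NFS3_FHSIZE 64
#define XDR_QUADLEN(len) (((len) + 3) >> 2)   /* bytes -> 32-bit XDR words */
struct fh { uint32_t fh_size; unsigned char fh_base[NFS3_FHSIZE]; };

/* The original test, (int)size > NFS3_FHSIZE: returns 1 when it lets the
 * length through. 0xFFFFFFFF reads as -1, so it passes and reaches memcpy. */
static int vulnerable_size_ok(uint32_t raw)
{
    int size = (int)raw;
    return !(size > NFS3_FHSIZE);
}

/* Hardened decode: size is unsigned, and the caller passes how many XDR
 * words were actually received so the copy cannot read past the packet. */
static const uint32_t *decode_fh_safe(const uint32_t *p, size_t words_left,
                                      struct fh *fhp)
{
    if (words_left < 1)
        return NULL;
    uint32_t size = ntohl(*p++);
    words_left--;
    if (size > NFS3_FHSIZE || XDR_QUADLEN(size) > words_left)
        return NULL;
    memcpy(fhp->fh_base, p, size);
    fhp->fh_size = size;
    return p + XDR_QUADLEN(size);
}

/* Constructed packets: a length word followed by filler words. Returns a
 * bitmask of the scenarios in which the hardened decoder behaved correctly. */
static int scenarios(void)
{
    uint32_t buf[16]; struct fh h; int r = 0;
    for (size_t i = 1; i < 16; i++) buf[i] = htonl(0x41414141u);
    buf[0] = htonl(32);                 /* honest header: 32 bytes = 8 words */
    if (decode_fh_safe(buf, 9, &h) == buf + 9 && h.fh_size == 32) r |= 1;
    buf[0] = htonl(0xFFFFFFFFu);        /* the "negative" size from the text */
    if (decode_fh_safe(buf, 9, &h) == NULL) r |= 2;
    buf[0] = htonl(32);                 /* claims 32 bytes, only 4 words sent */
    if (decode_fh_safe(buf, 5, &h) == NULL) r |= 4;
    return r;
}
```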

IP address spoofing vulnerabilities

Because of defects in TCP/IP itself, the TCP/IP stacks of many operating systems are vulnerable, which makes IP address spoofing very easy for an attacker to carry out. Linux is no exception. While IP address spoofing does not have a very serious impact on the Linux server itself, for the many firewall and IDS products built on the Linux operating system this flaw is fatal.

IP address spoofing is the basis of many attacks, and the reason it works is a weakness of IP itself. The IP protocol sends an IP packet according to the destination address in the IP header. If the destination address is within the local network, the packet is sent directly to the destination. If it is not, the packet is sent to the gateway, and the gateway decides where to send it next. This is how IP routes packets. When routing a packet, IP does no checking at all of the source address in the IP header; it takes the source address in the header to be the IP address of the machine that sent the packet. When the destination host wants to communicate back with the source host after receiving the packet, it uses the source address from the received packet's IP header as the destination address of the packets it sends, and so communicates with the source host. This mode of data communication is simple and efficient, but it is also a security risk of IP, and many network security incidents arise from this weakness.

Hackers or intruders use forged IP addresses to produce false packets that pose, to a packet filter, as packets from an internal station; this type of attack is very dangerous. The signs of whether a packet really is internal, or is an external packet dressed up to look internal, are already lost. As long as the system finds the sending address within its own range, it treats the packet as internal communication and lets it pass.
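As an added example (not from the article), an ingress filter that relies on the one sign a forged header cannot change, the interface the packet arrived on; the interface names and internal prefixes are constructed:

```c
#include <stdint.h>
#include <stddef.h>

/* Added example, not from the article: an ingress filter for the case the
 * text describes, a packet arriving from outside that claims an internal
 * source address. The interfaces and prefixes below are constructed. */
enum iface { IFACE_INTERNAL, IFACE_EXTERNAL };
struct prefix { uint32_t net, mask; };

static const struct prefix internal_nets[] = {
    { 0x0A000000u, 0xFF000000u },   /* 10.0.0.0/8 */
    { 0xC0A80100u, 0xFFFFFF00u },   /* 192.168.1.0/24 */
};

static int is_internal_addr(uint32_t ip)
{
    for (size_t i = 0; i < sizeof internal_nets / sizeof internal_nets[0]; i++)
        if ((ip & internal_nets[i].mask) == internal_nets[i].net)
            return 1;
    return 0;
}

/* Returns 1 to accept, 0 to drop. The arrival interface is the one sign the
 * spoofed header cannot forge: an internal source address is only believable
 * on the internal interface, and an external source only on the external one
 * (the second rule also stops inside hosts spoofing outward). */
static int ingress_ok(enum iface in, uint32_t src)
{
    int internal = is_internal_addr(src);
    if (in == IFACE_EXTERNAL && internal)
        return 0;
    if (in == IFACE_INTERNAL && !internal)
        return 0;
    return 1;
}
```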