seebug SSV:2527
Dec 04, 2007
Author: Root (www.seebug.org)

Linux Kernel isdn_net.c Local Buffer Overflow Vulnerability

EPSS: 0.0004 (Low), percentile 8.6%

BUGTRAQ ID: 26605
CVE ID: CVE-2007-6063
CNCVE ID: CNCVE-20076063
Linux is an open-source operating system.
The 'isdn_net_setcfg()' function in the kernel's ISDN4Linux driver (drivers/isdn/i4l/isdn_net.c) copies a user-supplied string into a fixed-size buffer with strcpy() and never checks its length. A local attacker who can issue the IIOCNETSCF ioctl against the ISDN control device can overflow that buffer and may be able to escalate privileges; exploitability therefore depends on who is allowed to open the control device.
isdn_net_setcfg() is reached from isdn_ioctl():
isdn_ioctl (drivers/isdn/i4l/isdn_common.c):
1270 isdn_ioctl(struct inode *inode, struct file *file, uint cmd, ulong arg)
...
1410     case IIOCNETSCF:
1411         /* Set configurable parameters of a network-interface */
1412         if (arg) {
1413             if (copy_from_user(&cfg, argp, sizeof(cfg)))   /* <- cfg is user-controlled */
1414                 return -EFAULT;
1415             return isdn_net_setcfg(&cfg);                   /* <- call isdn_net_setcfg() */
1416         } else
1417             return -EINVAL;

At line 1413, 'cfg' is copied in from user space, so every field of 'cfg' holds attacker-chosen values. At line 1415, isdn_net_setcfg() is called with '&cfg' as its argument:

2664 isdn_net_setcfg(isdn_net_ioctl_cfg * cfg)
2665 {
...
2777     if (cfg->exclusive > 0) {
2778         unsigned long flags;
2779
2780         /* If binding is exclusive, try to grab the channel */
2781         spin_lock_irqsave(&dev->lock, flags);
2782         if ((i = isdn_get_free_channel(ISDN_USAGE_NET,
2783                 lp->l2_proto, lp->l3_proto, drvidx,
2784                 chidx, lp->msn)) < 0) {
2785             /* Grab failed, because desired channel is in use */
2786             lp->exclusive = -1;
2787             spin_unlock_irqrestore(&dev->lock, flags);
2788             return -EBUSY;
2789         }
2790         /* All went ok, so update isdninfo */
2791         dev->usage[i] = ISDN_USAGE_EXCLUSIVE;
2792         isdn_info_update();
2793         spin_unlock_irqrestore(&dev->lock, flags);
2794         lp->exclusive = i;
2795     } else {
2796         /* Non-exclusive binding or unbind. */
2797         lp->exclusive = -1;
2798         if ((lp->pre_device != -1) && (cfg->exclusive == -1)) {
2799             isdn_unexclusive_channel(lp->pre_device, lp->pre_channel);
2800             isdn_free_channel(lp->pre_device, lp->pre_channel, ISDN_USAGE_NET);
2801             drvidx = -1;
2802             chidx = -1;
2803         }
2804     }
2805     strcpy(lp->msn, cfg->eaz);   /* <- possible overrun of lp->msn by cfg->eaz */
2806     lp->pre_device = drvidx;
2807     lp->pre_channel = chidx;
2808     lp->onhtime = cfg->onhtime;
2809     lp->charge = cfg->charge;
...
2884     return -ENODEV;
2885 }
At line 2805, strcpy() copies cfg->eaz into lp->msn. lp->msn is 32 bytes (ISDN_MSNLEN) while cfg->eaz is 256 bytes. Because '*cfg' is user-controlled, the attacker chooses the contents and length of cfg->eaz; any string of 32 or more characters (only 31 characters plus the terminating NUL fit) overruns lp->msn into the fields that follow it in the isdn_net_local structure. strcpy() also stops only at a NUL byte, so an eaz that is not terminated within its 256 bytes makes the copy read past the end of the eaz field as well.
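The following is an added example, not code from the kernel or from the upstream fix. It rebuilds the two structures with constructed stand-ins (the msn/eaz sizes are the ones quoted above; the other fields and their layout are assumptions), performs the unbounded copy through a byte view of a padded object so that the overrun stays inside memory the program owns, and shows that a 40-byte eaz clobbers the fields placed after msn. Beside it is a hardened setcfg that measures the string with a bounded strnlen(), rejects anything that would not fit with its terminator, and copies with an explicit length; the rejection policy is this example's choice, not the upstream patch.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define ISDN_MSNLEN 32  /* size of lp->msn in 2.6.23 */
#define EAZ_LEN     256 /* size of cfg->eaz in isdn_net_ioctl_cfg */

/* Constructed stand-ins for the kernel structures. Field names follow the
 * quoted code; everything about the layout beyond msn/eaz is assumed. */
struct net_local {
    char msn[ISDN_MSNLEN];
    int  pre_device;
    int  pre_channel;
};

struct ioctl_cfg {
    char eaz[EAZ_LEN];
    int  exclusive;
};

/* net_local followed by slack, so the over-long copy in the vulnerable path
 * lands in memory this program owns (in the kernel it lands in whatever
 * follows msn inside isdn_net_local). */
union lp_mem {
    struct net_local lp;
    char raw[sizeof(struct net_local) + EAZ_LEN];
};

/* 2.6.23 behaviour: unbounded copy of a 256-byte, user-controlled field. */
static int vulnerable_setcfg(union lp_mem *mem, const struct ioctl_cfg *cfg)
{
    /* kernel: strcpy(lp->msn, cfg->eaz); mem->raw is the same address as lp.msn */
    strcpy(mem->raw, cfg->eaz);
    return 0;
}

/* Hardened form: bounded length check, explicit rejection, bounded copy. */
static int fixed_setcfg(struct net_local *lp, const struct ioctl_cfg *cfg)
{
    size_t n = strnlen(cfg->eaz, sizeof(cfg->eaz)); /* never reads past eaz */
    if (n >= sizeof(lp->msn))
        return -EINVAL;                 /* would not fit with its terminator */
    memcpy(lp->msn, cfg->eaz, n);
    lp->msn[n] = '\0';
    return 0;
}

/* Constructed ioctl argument: eaz filled with 'A' for `len` bytes, the
 * remainder zeroed, as an unprivileged caller could build it. */
static void make_cfg(struct ioctl_cfg *cfg, size_t len)
{
    memset(cfg, 0, sizeof(*cfg));
    if (len > sizeof(cfg->eaz))
        len = sizeof(cfg->eaz);
    memset(cfg->eaz, 'A', len);
}

/* Returns 1 if a 40-byte eaz overwrites the fields that follow msn. */
int vulnerable_clobbers_neighbours(void)
{
    union lp_mem mem;
    struct ioctl_cfg cfg;
    memset(&mem, 0, sizeof(mem));
    mem.lp.pre_device = -1;
    mem.lp.pre_channel = -1;
    make_cfg(&cfg, 40);                 /* 40 > ISDN_MSNLEN */
    vulnerable_setcfg(&mem, &cfg);
    return mem.lp.pre_device != -1 || mem.lp.pre_channel != -1;
}

/* Returns the errno-style result of the hardened copy for an eaz of `len` bytes. */
int fixed_result(size_t len)
{
    struct net_local lp;
    struct ioctl_cfg cfg;
    memset(&lp, 0, sizeof(lp));
    make_cfg(&cfg, len);
    return fixed_setcfg(&lp, &cfg);
}

int main(void)
{
    printf("vulnerable copy clobbers pre_device/pre_channel: %d\n",
           vulnerable_clobbers_neighbours());
    printf("fixed copy, 31-byte eaz: %d\n", fixed_result(31));
    printf("fixed copy, 32-byte eaz: %d\n", fixed_result(32));
    printf("fixed copy, 256-byte eaz without terminator: %d\n", fixed_result(256));
    return 0;
}
```

The 256-byte case matters because strcpy() has no idea where eaz ends; strnlen() bounded by sizeof(cfg->eaz) keeps the hardened path from reading past the ioctl structure even when the attacker omits the terminator.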

Affected (per this advisory): Linux kernel 2.6.23

No fix was available from the vendor when this advisory was published; check kernel.org for updates. Later kernels replace this strcpy() with a length-bounded copy (strlcpy) so the string is truncated to fit lp->msn.
http://www.kernel.org/