|
http://www.hackerschool.org/HS_Boards/zboard.php?id=advisory&no=31 [º¹»ç]
¸®´ª½º ½Ã½ºÅÛÀº ¸ðµâÀ̶ó´Â °ÍÀ» Á¦°øÇÕ´Ï´Ù.
¸ðµâÀº Ä¿³Î ·¹º§¿¡¼ ÀÛµ¿ÇÏ´Â ÇÁ·Î±×·¥ÀÌ ¸Þ¸ð¸®¿¡ µ¿ÀûÀ¸·Î
ÀûÀçµÇ¾î Ä¿³ÎÀÇ ±â´ÉÀ» º¸¿ÏÇØÁÖ´Â ¿ªÇÒÀ» ÇÕ´Ï´Ù.
´ÙÀ½ÀÇ ¸ðµâÀ» ÄÄÆÄÀÏÇÏ¿© ¸Þ¸ð¸®¿¡ ÀûÀçÇϸé ÀÌ Ãë¾àÁ¡¿¡ ´ëÇÑ
°ø°ÝÀ» ¹æ¾îÇÒ ¼ö ÀÖ½À´Ï´Ù.
[¹æ¾î ¸ðµâ ¼Ò½º ÄÚµå]
À§ Äڵ带 ¸ðµÎ º¹»çÇÏ¿© ´ÙÀ½°ú °°ÀÌ setsockopt_fix.c·Î »ý¼ºÇÕ´Ï´Ù.
================================================
[root@work root]# cat > setsockopt_fix.c
[ºÙ¿©³Ö±â]
[CTRL+D]
[root@work root]#
================================================
ȤÀº ftp³ª rz µîÀ¸·Î À§ ¼Ò½º ÆÄÀÏÀ» ¾÷·ÎµåÇÏ¿©µµ µË´Ï´Ù.
ÆÄÀÏ »ý¼º ÈÄ¿¡´Â ´ÙÀ½°ú °°ÀÌ ÄÄÆÄÀÏ ÇÕ´Ï´Ù.
================================================
[root@work root]# gcc -c -O3 -fomit-frame-pointer setsockopt_fix.c
[root@work root]# ls setsockopt_fix.o
setsockopt_fix.o
[root@work root]#
================================================
À§Ã³·³ setsockopt_fix.o¶ó´Â ÆÄÀÏÀÌ »ý¼ºµÇ¾ú´Ù¸é ÄÄÆÄÀÏÀÌ ¼º°øÇÑ
°ÍÀÔ´Ï´Ù. ¹Ý¸é¿¡, ´ÙÀ½°ú °°Àº ¿¡·¯°¡ Ãâ·ÂµÇ¸é¼ ÄÄÆÄÀÏ¿¡
½ÇÆÐÇÏ´Â °æ¿ìµµ ÀÖ½À´Ï´Ù.
==============================================================
[root@work root]# gcc -c -O3 -fomit-frame-pointer setsockop_fix.c
In file included from setsockopt_fix.c:7:
/usr/include/linux/autoconf.h:1:2: #error Invalid kernel header included in user
space
In file included from /usr/include/linux/fs.h:23,
from /usr/include/linux/capability.h:17,
from /usr/include/linux/binfmts.h:5,
from /usr/include/linux/sched.h:9,
from setsockopt_fix.c:17:
/usr/include/linux/string.h:8:2: warning: #warning Using kernel header in userla
nd!
In file included from /usr/include/linux/sched.h:14,
from setsockopt_fix.c:17:
/usr/include/linux/timex.h:173: field `time' has incomplete type
In file included from /usr/include/linux/bitops.h:69,
from /usr/include/asm/system.h:7,
from /usr/include/linux/sched.h:16,
from setsockopt_fix.c:17:
.. »ý·« ..
[root@work root]#
==============================================================
ÀÌ °æ¿ì´Â ÄÄÆÄÀÏ¿¡ ÇÊ¿äÇÑ Çì´õ°¡ ¼³Ä¡µÇÁö ¾Ê¾Ò±â ¶§¹®À̸ç,
´ÙÀ½ ¾ÐÃà ÆÄÀÏÀ» ´Ù¿î¹Þ¾Æ ÇöÀç Æú´õ¿¡ º¹»çÇØ ³Ö½À´Ï´Ù.
[Çì´õ ÆÄÀÏ ¸ðÀ½]
¹Þ¾Ò´Ù¸é, ´ÙÀ½°ú °°ÀÌ ¾ÐÃàÀ» ÇØÁ¦ÇÕ´Ï´Ù.
============================================
[root@work root]# tar xvfz include.gzip
include/acpi/
include/acpi/actypes.h
include/acpi/actbl2.h
include/acpi/actbl1.h
... »ý·« ...
[root@work root]#
============================================
¾ÐÃàÇØÁ¦ ÈÄ¿¡ ´Ù½Ã ´ÙÀ½°ú °°ÀÌ -I ¿É¼ÇÀ» Ãß°¡ÇÏ¿© ÄÄÆÄÀÏÇÕ´Ï´Ù.
-I´Â ´ë¹®ÀÚ '¾ÆÀÌ'À̸ç, Çì´õ ÆÄÀÏÀÇ À§Ä¡¸¦ ÁöÁ¤ÇÕ´Ï´Ù.
========================================================
[root@work root]# gcc -c -O3 -fomit-frame-pointer setsockopt_fix.c -I./include
[root@work root]# ls setsockopt_fix.o
setsockopt_fix.o
[root@work root]#
========================================================
ÀÌÁ¦ ´ÙÀ½°ú °°ÀÌ ÄÄÆÄÀÏµÈ ¸ðµâÀ» ÀûÀçÇÕ´Ï´Ù.
==========================================
[root@work root]# insmod setsockopt_fix.o
Module brk_fix loaded.
[root@work root]#
==========================================
¸¸¾à ´ÙÀ½°ú °°ÀÌ Ä¿³Î ¹öÁ¯ÀÌ ¸ÂÁö ¾Ê´Â´Ù´Â ¿¡·¯ ¸Þ½ÃÁö°¡
Ãâ·ÂµÈ´Ù¸é, --force ¿É¼ÇÀ» Ãß°¡·Î ºÙ¿© ¿¡·¯¸¦ ¹«½ÃÇϵµ·Ï ÇÕ´Ï´Ù.
setsockopt_fix.o: kernel-module version mismatch
setsockopt_fix.o was compiled for kernel version 2.4.23
while this kernel is version 2.4.20-8.
==========================================================
[root@work root]# insmod setsockopt_fix.o --force
Warning: kernel-module version mismatch
setsockopt_fix.o was compiled for kernel version 2.4.23
while this kernel is version 2.4.20-8
Warning: loading setsockopt_fix.o will taint the kernel: forced load
See http://www.tux.org/lkml/#export-tainted for information about tainted modu
les
Module setsockopt_fix loaded, with warnings
[root@work root]#
==========================================================
ȤÀº, ¸ðµâÀ» ÀûÀçÇÒ ¶§ ¸¸¾à ´ÙÀ½°ú °°Àº ¿¡·¯ ¸Þ½ÃÁö°¡ Ãâ·Â
µÈ´Ù¸é Ä¿³Î ÀÚü¿¡ ½Ã½ºÅÛ ÄÝ ÈÄÅ· ±â´ÉÀÌ Á¦°øµÇÁö ¾Ê´Â °ÍÀÌ´Ï
"Ä¿³Î ¾÷±×·¹À̵å"¸¦ ÅëÇÑ ÆÐÄ¡¸¦ ÁøÇàÇÒ °ÍÀ» ±ÇÀåÇÕ´Ï´Ù.
==================================================
[root@work root]# insmod setsockopt_fix.o
setsockopt_fix.o: unresolved symbol __start___kallsyms
[root@work root]#
==================================================
¹æ¾î ¸ðµâÀ» ÀÌ¿ëÇÑ ÆÐÄ¡ ÀÛ¾÷À» ¿Ï·áÇÏ¿´´Ù¸é, ´ÙÀ½°ú
°°ÀÌ ¸ðµâ ¸ñ·Ï¿¡ Æ÷ÇÔµÈ setsockopt_fix¸¦ È®ÀÎÇÒ ¼ö ÀÖÀ» °ÍÀÔ´Ï´Ù.
====================================================
[root@work root]# lsmod | grep setsockopt_fix
setsockopt_fix 1204 1
[root@work root]#
====================================================
ÀÌÁ¦ ¸¸¾à °ø°ÝÀÚ°¡ exploitÀ» ÀÌ¿ëÇÏ¿© root ±ÇÇÑÀ» ȹµæÇÏ·Á
ÇÑ´Ù¸é ´ÙÀ½°ú °°Àº Çö»óÀÌ ¹ß»ýÇÏ¸é¼ °ø°Ý¿¡ ½ÇÆÐÇÏ°Ô µË´Ï´Ù.
=============================================================
[user@work user]$ ./kernelbug
Calling setsockopt(), this should crash the box...
Invalid setsockopt: : No buffer space available
[user@work user]$
=============================================================
¶ÇÇÑ, ¼¹ö °ü¸®ÀÚ´Â ´ÙÀ½°ú °°ÀÌ ÄÜ¼Ö È¸éÀ» È®ÀÎÇÏ´Â ¹æ¹ýÀ¸·Î
°ø°Ý ½Ãµµ°¡ ÀÖ¾ú´ÂÁöÀÇ ¿©ºÎ¸¦ È®ÀÎÇÒ ¼ö ÀÖ½À´Ï´Ù.
==============================================
[root@work root]# cat /dev/vcs1 (ȤÀº vcs2)
setsockopt exploit halted. abused by uid 1000 with process kernelbug
[root@work root]#
==============================================
¸¶Áö¸·À¸·Î, ¼¹ö°¡ ÀçºÎÆÃµÉ ¶§¸¶´Ù ÀÚµ¿À¸·Î ¸ðµâÀÌ ÀûÀçµÇµµ·Ï
/etc/rc.d/rc.local ÆÄÀÏÀÇ ³¡ ºÎºÐ¿¡ ´ÙÀ½ÀÇ ¸í·ÉÀ» Ãß°¡ÇØ ³Ö½À´Ï´Ù.
insmod /root/setsockopt_fix.o --force
|
Hit : 3439 Date : 2004/05/20 01:27
|
25, 
1/1 
¸Û¸Û
