http://www.hackerschool.org/HS_Boards/zboard.php?id=advisory&no=7
Linux provides loadable kernel modules. A module is a program that runs at
kernel level: it is loaded into memory dynamically and extends or alters the
kernel's behaviour without rebuilding the kernel.
Compiling and loading the module below blocks attacks against this
vulnerability (the missing bounds check in do_brk() of Linux 2.4 kernels
before 2.4.23, CVE-2003-0961) on a running system. It is a stopgap until the
kernel can be upgraded to a fixed release, not a replacement for that upgrade.
[defense module source code]
Copy the whole of the code above into a file named brk_fix.c, for example with cat:
================================================
[root@work root]# cat > brk_fix.c
[paste]
[CTRL+D]
[root@work root]#
================================================
Alternatively, upload the source file with ftp, rz or a similar tool.
Once the file is in place, compile it as follows:
================================================
[root@work root]# gcc -c brk_fix.c
[root@work root]# ls brk_fix.o
brk_fix.o
[root@work root]#
================================================
If brk_fix.o was produced as above, the compile succeeded. Compilation can
also fail with errors like the following (the line numbers refer to
brk_fix.c):
==============================================================
[root@work root]# gcc -c brk_fix.c
brk_fix.c: In function `init_module':
brk_fix.c:74: `PAGE_OFFSET' undeclared (first use in this function)
brk_fix.c:74: (Each undeclared identifier is reported only once
brk_fix.c:74: for each function it appears in.)
brk_fix.c:83: `do_brk' undeclared (first use in this function)
brk_fix.c:114: union has no member named `usecount'
brk_fix.c: In function `my_brk':
brk_fix.c:136: `PAGE_OFFSET' undeclared (first use in this function)
brk_fix.c:141: `do_brk' used prior to declaration
[root@work root]#
==============================================================
These errors mean the kernel headers the module needs (the ones that define
PAGE_OFFSET, do_brk and the module usecount field) are not installed on the
system. Download the following archive and copy it into the current directory:
[header file collection]
Then extract it:
============================================
[root@work root]# tar xvfz include.gzip
include/acpi/
include/acpi/actypes.h
include/acpi/actbl2.h
include/acpi/actbl1.h
... omitted ...
[root@work root]#
============================================
After extracting, compile again with the -I option (capital "i"), which tells
gcc where to look for header files. The bundled headers come from a 2.4.23
kernel, which is why insmod may later report a version mismatch; if the headers
matching the running kernel are installed (from the distribution's kernel-source
package, typically under /usr/src), point -I at those instead and no mismatch
occurs.
========================================================
[root@work root]# gcc -c brk_fix.c -I./include
[root@work root]# ls brk_fix.o
brk_fix.o
[root@work root]#
========================================================
Now load the compiled module:
==========================================
[root@work root]# insmod brk_fix.o
Module brk_fix loaded.
[root@work root]#
==========================================
If insmod reports a kernel version mismatch like the one below, the headers the
module was built against belong to a different kernel release than the one
running. Adding --force makes insmod ignore the mismatch and marks the kernel
as tainted. A module built against headers from a different release can crash
the kernel if any structure it touches has a different layout, so try a forced
load on a non-production machine first.
brk_fix.o: kernel-module version mismatch
brk_fix.o was compiled for kernel version 2.4.23
while this kernel is version 2.4.20-8.
==========================================================
[root@work root]# insmod brk_fix.o --force
Warning: kernel-module version mismatch
brk_fix.o was compiled for kernel version 2.4.23
while this kernel is version 2.4.20-8
Warning: loading brk_fix.o will taint the kernel: forced load
See http://www.tux.org/lkml/#export-tainted for information about tainted modules
Module brk_fix loaded, with warnings
[root@work root]#
==========================================================
ȤÀº, ¸ðµâÀ» ÀûÀçÇÒ ¶§ ¸¸¾à ´ÙÀ½°ú °°Àº ¿¡·¯ ¸Þ½ÃÁö°¡ Ãâ·Â
µÈ´Ù¸é Ä¿³Î ÀÚü¿¡ ½Ã½ºÅÛ ÄÝ ÈÄÅ· ±â´ÉÀÌ Á¦°øµÇÁö ¾Ê´Â °ÍÀÌ´Ï
"Ä¿³Î ¾÷±×·¹À̵å"¸¦ ÅëÇÑ ÆÐÄ¡¸¦ ÁøÇàÇÒ °ÍÀ» ±ÇÀåÇÕ´Ï´Ù.
==================================================
[root@work root]# insmod brk_fix.o
brk_fix.o: unresolved symbol __start___kallsyms
[root@work root]#
==================================================
¹æ¾î ¸ðµâÀ» ÀÌ¿ëÇÑ ÆÐÄ¡ ÀÛ¾÷À» ¿Ï·áÇÏ¿´´Ù¸é, ´ÙÀ½°ú
°°ÀÌ ¸ðµâ ¸ñ·Ï¿¡ Æ÷ÇÔµÈ brk_fix¸¦ È®ÀÎÇÒ ¼ö ÀÖÀ» °ÍÀÔ´Ï´Ù.
====================================================
[root@work root]# lsmod | grep brk_fix
brk_fix 1204 1
[root@work root]#
====================================================
With the module loaded, an attempt to obtain root with the exploit fails as
shown below: the request that would extend the heap into kernel address space
is refused, so the exploit's subsequent attempt to change page protection
fails with ENOMEM ("Cannot allocate memory") and the exploit hangs.
=============================================================
[user@work user]$ ./kernelbug
[-] Unable to change page protection: Cannot allocate memory
[-] Unable to exit, entering neverending loop.
[1]+ Stopped ./kernelbug
[user@work user]$
=============================================================
The administrator can also tell whether an attack was attempted: every refused
request is logged to the console, which can be read back from the virtual
console buffer. The same messages are in the kernel ring buffer (dmesg) and,
with the usual syslog configuration, in /var/log/messages, which is the better
place to alert on, since /dev/vcs1 only holds what is currently displayed on
that virtual console.
==============================================
[root@work root]# cat /dev/vcs1 (or vcs2)
caught do_brk exploit!!!
caught do_brk exploit!!!
caught do_brk exploit!!!
caught do_brk exploit!!!
caught do_brk exploit!!!
[root@work root]#
==============================================
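The two behaviours shown above (the refused heap extension and the "caught do_brk exploit!!!" console line) come down to one bounds check in the brk path. The following user-space C program is an added illustration, not the brk_fix.c source (which this page does not reproduce) and not kernel code: it models, on 32-bit i386 addresses, the range computation of the unpatched do_brk() and the decision a defensive brk() hook makes before passing a request on to the real system call. PAGE_OFFSET = 0xC0000000 (the default 3G/1G i386 split), 4 KiB pages, the function names and the sample addresses are all assumptions made for the example.

```c
/*
 * Added illustration, not the page's brk_fix.c and not kernel code: a
 * user-space model of the brk()/do_brk() bounds problem on 32-bit i386.
 * Assumed: PAGE_OFFSET = 0xC0000000 (default 3G/1G split), 4 KiB pages.
 */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

typedef uint32_t addr_t;                  /* 32-bit address space, so wrap-around is visible */

#define PAGE_SIZE     4096u
#define PAGE_ALIGN(x) ((addr_t)(((x) + PAGE_SIZE - 1) & ~(PAGE_SIZE - 1)))
#define PAGE_OFFSET   0xC0000000u         /* assumed: start of kernel address space */
#define TASK_SIZE     PAGE_OFFSET         /* one past the highest user address */

/*
 * Model of the range computation in the unpatched do_brk(): sys_brk hands it
 * (oldbrk, newbrk - oldbrk) and it builds a VMA covering [addr, addr + len)
 * without comparing the end against TASK_SIZE. Returns 1 when that VMA would
 * reach into kernel address space or wrap around, which is what the exploit
 * relies on, and 0 for an ordinary heap extension.
 */
int vulnerable_do_brk_maps_kernel(addr_t addr, addr_t len)
{
    addr_t end = addr + PAGE_ALIGN(len);  /* no bounds check: may exceed TASK_SIZE or wrap */
    return end > TASK_SIZE || end < addr;
}

static unsigned long hook_hits;           /* number of refused requests ("caught" lines) */

/*
 * Decision a defensive brk hook makes before calling the real sys_brk.
 * Returns 0 when the request may be passed on, -ENOMEM when it would extend
 * the heap past TASK_SIZE or wrap the address space. A refused request is
 * logged the way the page shows the module logging to the console.
 */
int brk_hook_check(addr_t cur_brk, addr_t req_brk)
{
    addr_t newbrk = PAGE_ALIGN(req_brk);

    if (req_brk <= cur_brk)               /* shrinking or unchanged: cannot enter kernel space */
        return 0;

    if (newbrk < req_brk || newbrk > TASK_SIZE) {   /* wrapped, or crosses PAGE_OFFSET */
        hook_hits++;
        fprintf(stderr, "caught do_brk exploit!!!\n");
        return -ENOMEM;
    }
    return 0;                             /* ordinary growth, still below kernel space */
}

unsigned long brk_hook_hit_count(void)
{
    return hook_hits;
}

int main(void)
{
    /* Constructed sample requests: a malloc-style extension, the exploit-style
     * jump past PAGE_OFFSET, a request that wraps the address space, a shrink. */
    struct { addr_t cur, req; const char *what; } reqs[] = {
        { 0x08050000u, 0x08060000u, "normal growth"       },
        { 0x08050000u, 0xC0001000u, "past PAGE_OFFSET"    },
        { 0x08050000u, 0xFFFFF001u, "wraps address space" },
        { 0x08060000u, 0x08050000u, "shrink"              },
    };
    for (unsigned i = 0; i < sizeof reqs / sizeof reqs[0]; i++) {
        int unpatched = reqs[i].req > reqs[i].cur
                      ? vulnerable_do_brk_maps_kernel(reqs[i].cur, reqs[i].req - reqs[i].cur)
                      : 0;                /* shrinking goes through do_munmap, not do_brk */
        int hooked = brk_hook_check(reqs[i].cur, reqs[i].req);
        printf("%-20s unpatched do_brk maps kernel space: %d  hook: %s\n",
               reqs[i].what, unpatched, hooked ? "refused (ENOMEM)" : "allowed");
    }
    return 0;
}
```

The condition in brk_hook_check is the kind of test a hook such as the page's my_brk applies from outside the kernel; the upstream fix in 2.4.23 places an equivalent range check inside do_brk() itself, which is why the kernel upgrade, not the module, is the complete fix.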
Finally, so that the module is loaded automatically at every reboot, append
the following command to the end of /etc/rc.d/rc.local (adjust the path if
brk_fix.o is kept somewhere other than /root). rc.local runs at the end of
the boot sequence, so services started before it run unprotected for a short
while; that window, and the forced load on every boot, are further reasons to
treat the module as a temporary measure and upgrade the kernel.
insmod /root/brk_fix.o --force
Date : 2003/12/17 10:24