2025-04-06 Update From: SLTechnology News&Howtos > Network Security
Shulou(Shulou.com)06/01 Report--
Many newcomers are unclear about how the Linux create_elf_tables() function works and how it can be abused. To help with that, the following explains it in detail; readers who need this are welcome to study it, and we hope you gain something from it.
Overview
During a recent security analysis, we found an integer overflow vulnerability in the create_elf_tables() function of the 64-bit Linux kernel. A local attacker can exploit it through a SUID-root binary and gain full root privileges on the target machine.
Currently, the Linux distributions affected by this vulnerability are Red Hat Enterprise Linux, CentOS, and Debian 8.
Vulnerability analysis

```c
150 #define STACK_ROUND(sp, items) \
151 	(((unsigned long) (sp - items)) & ~15UL)
...
165 create_elf_tables(struct linux_binprm *bprm, struct elfhdr *exec,
...
169 	int argc = bprm->argc;
170 	int envc = bprm->envc;
171 	elf_addr_t __user *sp;
...
178 	int items;
...
190 	p = arch_align_stack(p);
...
287 	items = (argc + 1) + (envc + 1) + 1;
288 	bprm->p = STACK_ROUND(sp, items);
...
295 	sp = (elf_addr_t __user *)bprm->p;
```

"argc" is the number of command-line arguments passed to the execve() system call and is limited by MAX_ARG_STRINGS in fs/exec.c; "envc" is the number of environment variables passed to execve(), also limited by MAX_ARG_STRINGS. But because MAX_ARG_STRINGS is 0x7FFFFFFF, the integer "items" can be overflowed, which breaks the program's stack setup.
With "items" overflowed, the user-mode stack pointer is increased rather than decreased, so it ends up pointing into our argument and environment strings, and those strings are then overwritten when the SUID-root binary executes in user mode.
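As an added illustration (not code from the advisory or from the kernel), the following C model reproduces the arithmetic of lines 287-288 in user space: it shows how "items" wraps to a negative value and makes STACK_ROUND() move the rounded stack pointer upward instead of downward, beside a bounds-checked variant that rejects the count before any overflow. The `safe_items` helper, its `max_items` cap and the sample stack address are this example's own assumptions.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
typedef uint64_t elf_addr_t;   /* 64-bit kernel: sizeof(elf_addr_t) == 8 */

/* Models line 287 ("items" is a plain int in the kernel). The sum is formed
 * unsigned and truncated so the wrap is well-defined in this model. */
static int vulnerable_items(unsigned argc, unsigned envc)
{
    return (int)(argc + 1u + envc + 1u + 1u);
}

/* Models line 288, STACK_ROUND(sp, items): "sp - items" on an elf_addr_t
 * pointer subtracts items * 8 bytes, then rounds down to 16. A negative
 * items value therefore ADDS to sp instead of subtracting from it. */
static unsigned long vulnerable_round(unsigned long sp, unsigned argc, unsigned envc)
{
    long items = vulnerable_items(argc, envc);
    return (sp - (unsigned long)items * sizeof(elf_addr_t)) & ~15UL;
}
/* True when the rounded pointer lands above the original sp, i.e. inside
 * the argument/environment strings rather than below them. */
static bool sp_moved_upward(unsigned long sp, unsigned argc, unsigned envc)
{
    return vulnerable_round(sp, argc, envc) > sp;
}

/* Hardened variant (this example's own, not the kernel's fix): add in a wide
 * unsigned type with overflow detection and a caller-chosen cap; 0 = rejected. */
static unsigned long safe_items(unsigned long argc, unsigned long envc,
                                unsigned long max_items)
{
    unsigned long items;
    if (__builtin_add_overflow(argc, envc, &items) ||
        __builtin_add_overflow(items, 3UL, &items) || items > max_items)
        return 0;
    return items;
}

int main(void)
{
    unsigned long sp = 0x7ffbe1150000UL;    /* constructed sample address */
    unsigned argc = 0x7FFFFFFDu, envc = 0;  /* argc + envc + 3 == 0x80000000 */
    printf("items=%d, sp 0x%lx -> 0x%lx (moved %s), safe_items=%lu\n",
           vulnerable_items(argc, envc), sp, vulnerable_round(sp, argc, envc),
           sp_moved_upward(sp, argc, envc) ? "up" : "down", safe_items(argc, envc, 1UL << 20));
    return 0;
}
```

With the wrapped count the rounded pointer lands 16GB above the original sp, matching the spacing between the addresses in the sample output further down.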
Vulnerability exploitation
When a SUID-root binary is run with execve(), our "items" value is 0x80000000, the argument pointers take about 0x80000000 * sizeof(char *) = 16GB, the argument strings take 16GB, and the environment strings take another 16GB. Our exploit environment therefore "only" needs 2 * 16GB = 32GB of memory rather than 3 * 16GB = 48GB or more, because we use a few tricks to reduce the memory footprint.
The following diagram shows our user-mode stack layout once the SUID-root binary starts executing:
- "A" ("alpha") is the stack space allocated by create_elf_tables(), approximately 512 bytes (lines 190 and 287).
- "sprand" is the random stack space allocated by create_elf_tables(), between 0 and 8192 bytes.
- The "protect" argument string is an important command-line argument (an option) that must not be affected by the memory corruption.
- The "padding" argument string occupies approximately 16GB of stack space.
- The "protect" environment string is an important environment variable that must not be affected by the memory corruption.
- The "scratch" environment string is 1MB.
- The "onebyte" environment string is 256KB; part of its data is overwritten by the fname[] buffer.
- "B" ("beta") is the stack space allocated by ld.so.
At this point, ld.so overwrites part of the "onebyte" environment variable with data from the fname[] buffer in handle_ld_preload(), which defeats filters such as UNSECURE_ENVVARS in process_envvars().
Our proof-of-concept code takes advantage of this integer overflow in create_elf_tables(), as the following run shows:

```text
# gcc -O0 -o poc-suidbin poc-suidbin.c
# chown root poc-suidbin
# chmod 4555 poc-suidbin
$ gcc -o poc-exploit poc-exploit.c
$ time ./poc-exploit
...
ERROR: ld.so: object 'LD_LIBRARY_PATH=.0LD_LIBRARY_PATH=.0LD_LIBRARY_PATH=.' from LD_PRELOAD cannot be preloaded: ignored.
ERROR: ld.so: object 'LD_LIBRARY_PATH=.0LD_LIBRARY_PATH=.' from LD_PRELOAD cannot be preloaded: ignored.
ERROR: ld.so: object 'LD_LIBRARY_PATH=.' from LD_PRELOAD cannot be preloaded: ignored.
argc 2147090419
stack 0x7ffbe115008f < 0x7ffbe1150188 < 0x7fffe0e50128 < 0x7ff7e11503ea
```