2025-01-18 Update From: SLTechnology News&Howtos shulou NAV: SLTechnology News&Howtos > Development >
Shulou(Shulou.com)06/03 Report--
This article explains the out-of-bounds read and write vulnerabilities in the Linux X.25 socket stack. Many people run into this kind of problem in practice, so the editor walks through how to analyse it. I hope you read it carefully and come away with something useful.
Introduction to the X.25 protocol
The X.25 interface protocol was first proposed in 1976. It is based on the standards of the Canadian DATAPAC public packet network and was revised several times, in 1980, 1984, 1988 and 1993. It is the most widely used packet switching protocol at present. X.25 is the interface protocol between data terminal equipment (DTE) and data circuit-terminating equipment (DCE). Standardizing this interface lets any kind of DTE connect to any kind of packet switching network. As the interface between user equipment and the network, X.25 mainly defines the rules for establishing, maintaining and releasing data transmission paths, the error control and flow control mechanisms used during data transmission, and the basic and optional services provided.
X.25 protocol adopts a hierarchical architecture and is divided into three layers from bottom to top: physical layer, data link layer and packet layer, corresponding to the lower three layers of the OSI reference model. Each layer is functionally independent of each other, each layer receives the services provided by the next layer, but also provides services for the upper layer, and the adjacent layers communicate through primitives. Negotiation, control and transmission of information exchange are carried out between the peer layers of the interface through the communication protocols between the peer layers.
Introduction to Linux X.25 socket
In 1996, version 2.1.16 of the Linux kernel was released. It introduced support for the X.25 protocol for the first time and defined the AF_X25 address family:
```c
#define AF_X25		9	/* Reserved for X.25 project 	*/
```
X.25 sockets provide an interface to the X.25 Packet Layer Protocol. Applications can communicate over a public X.25 data network using the standard ITU X.25 recommendation (X.25 DTE-DCE mode). The AF_X25 socket address family uses struct sockaddr_x25 to represent the network address defined in the ITU-T X.121 specification:
```c
struct x25_address {
	char x25_addr[16];
};

struct sockaddr_x25 {
	sa_family_t sx25_family;	/* must be AF_X25 */
	struct x25_address sx25_addr;	/* X.121 address */
};
```
sx25_addr contains a null-terminated string x25_addr[]. sx25_addr.x25_addr[] holds up to 15 ASCII characters (not counting the terminating 0) that form the X.121 address. Only the digits `0' to `9' may be used.
X.25 sockets only support the SOCK_SEQPACKET type. When creating an X.25 socket, the parameters of the socket() call are as follows:

```c
x25_socket = socket(PF_X25, SOCK_SEQPACKET, 0);
```
Corresponding struct proto and struct proto_ops in the Linux kernel:
```c
static struct proto x25_proto = {
	.name	  = "X25",
	.owner	  = THIS_MODULE,
	.obj_size = sizeof(struct x25_sock),
};

static const struct proto_ops x25_proto_ops = {
	.family =	AF_X25,
	.owner =	THIS_MODULE,
	.release =	x25_release,
	.bind =		x25_bind,
	.connect =	x25_connect,
	.socketpair =	sock_no_socketpair,
	.accept =	x25_accept,
	.getname =	x25_getname,
	.poll =		datagram_poll,
	.ioctl =	x25_ioctl,
#ifdef CONFIG_COMPAT
	.compat_ioctl = compat_x25_ioctl,
#endif
	.gettstamp =	sock_gettstamp,
	.listen =	x25_listen,
	.shutdown =	sock_no_shutdown,
	.setsockopt =	x25_setsockopt,
	.getsockopt =	x25_getsockopt,
	.sendmsg =	x25_sendmsg,
	.recvmsg =	x25_recvmsg,
	.mmap =		sock_no_mmap,
	.sendpage =	sock_no_sendpage,
};
```

Linux X.25 socket stack out-of-bounds read vulnerability
The flaw is located in the x25_bind function. Taking the latest stable Linux kernel at the time, 5.9.8, as an example: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/net/x25/af_x25.c?h=v5.9.8#n677
```c
677 static int x25_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len)
678 {
679 	struct sock *sk = sock->sk;
680 	struct sockaddr_x25 *addr = (struct sockaddr_x25 *)uaddr;
...
692 	len = strlen(addr->sx25_addr.x25_addr);
693 	for (i = 0; i < len; i++) {
694 		if (!isdigit(addr->sx25_addr.x25_addr[i])) {
695 			rc = -EINVAL;
696 			goto out;
697 		}
698 	}
...
```
x25_bind has three parameters; the second, uaddr, is the socket address passed in from the application layer.
At line 680, uaddr is cast to an X.25 socket address pointer.
At line 692, strlen is called to get the length of addr->sx25_addr.x25_addr.
The for loop starting at line 693 checks each character of the addr->sx25_addr.x25_addr string to make sure it is a digit. According to the ITU-T X.121 specification, a socket address may only consist of the digits `0' to `9'; no other characters are allowed.
Let's take another look at the sockaddr_x25 structure definition:
```c
struct x25_address {
	char x25_addr[16];
};

struct sockaddr_x25 {
	sa_family_t sx25_family;	/* must be AF_X25 */
	struct x25_address sx25_addr;	/* X.121 address */
};
```
The structure struct x25_address that holds the X.121 address is really just a 16-byte ASCII character array.
An X.121 address is at most 15 ASCII characters, and the x25_addr array in struct x25_address has 16 elements, so the last byte is meant to hold the null character that terminates the string.
The flaw in x25_bind is that it never checks whether the x25_addr string in struct x25_address is null-terminated before calling strlen. The address comes straight from user space, so nothing forces a terminator to be present. If the last byte is not a null character, strlen keeps scanning past the 16-byte array and returns a length larger than the array can hold, and the for loop that follows then reads data beyond the bounds of addr.
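The check below is an added example, not code from the kernel or from the article's author: it reimplements the x25_bind digit check with a bounded length scan so that an unterminated x25_addr array is rejected instead of read past its end. struct x25_address mirrors the definition quoted above; the name x121_check, the X25_ADDR_LEN value of 16 and the sample addresses are this example's own assumptions.

```c
/* Added example (not the kernel's code): x25_bind's digit check with a
 * bounded length scan.  X25_ADDR_LEN = 16 and the function names are
 * assumptions of this example. */
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define X25_ADDR_LEN 16

struct x25_address {
	char x25_addr[X25_ADDR_LEN];
};

/* Returns the number of digits (0..15) on success, -EINVAL otherwise.
 * strnlen() stops at the end of the 16-byte array, so an address with no
 * terminator is rejected rather than scanned past the structure, which is
 * what the unbounded strlen() in x25_bind does. */
int x121_validate(const struct x25_address *a)
{
	size_t len = strnlen(a->x25_addr, X25_ADDR_LEN);
	size_t i;

	if (len == X25_ADDR_LEN)	/* no NUL anywhere in the array */
		return -EINVAL;

	for (i = 0; i < len; i++)	/* ITU-T X.121: only '0'..'9' */
		if (!isdigit((unsigned char)a->x25_addr[i]))
			return -EINVAL;

	return (int)len;
}

/* Build a struct x25_address from a C string (constructed test input).
 * A string of 16 or more characters fills the array with no terminator,
 * which is exactly the shape that triggers the out-of-bounds read. */
int x121_check(const char *s)
{
	struct x25_address a;
	size_t n = strlen(s);

	memset(&a, 0, sizeof(a));
	if (n > X25_ADDR_LEN)
		n = X25_ADDR_LEN;
	memcpy(a.x25_addr, s, n);
	return x121_validate(&a);
}

int main(void)
{
	const char *samples[] = {
		"123456789012345",	/* 15 digits: accepted, returns 15 */
		"1234567890123456",	/* 16 digits, no terminator: -EINVAL */
		"12A4",			/* non-digit: -EINVAL */
	};
	size_t i;

	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
		printf("%-18s -> %d\n", samples[i], x121_check(samples[i]));
	return 0;
}
```

The only change from the logic quoted above is strlen() to strnlen() plus the explicit rejection of a full array; the digit loop is unchanged, so the fix does not alter which well-formed addresses are accepted.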
Linux X.25 socket stack out-of-bounds write vulnerability
This vulnerability is a chain of several X.25 socket problems, again using the latest stable kernel at the time, 5.9.8, as the example. It starts in the x25_connect function, whose source is at: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/net/x25/af_x25.c?h=v5.9.8#n744
```c
744 static int x25_connect(struct socket *sock, struct sockaddr *uaddr,
745 		       int addr_len, int flags)
746 {
747 	struct sock *sk = sock->sk;
748 	struct x25_sock *x25 = x25_sk(sk);
749 	struct sockaddr_x25 *addr = (struct sockaddr_x25 *)uaddr;
...
803 	x25->dest_addr = addr->sx25_addr;
...
811 	x25_write_internal(sk, X25_CALL_REQUEST);
```
x25_connect has four parameters. The second, uaddr, is the socket address passed in from the application layer.
At line 749, uaddr is cast to an X.25 socket address pointer.
At line 803, addr->sx25_addr is copied into dest_addr of the x25 socket as the destination address of the connection, without any check that it is null-terminated.
At line 811, the x25_write_internal function is called.
The source of the x25_write_internal function is at https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/net/x25/x25_subr.c?h=v5.9.8#n109
```c
109 void x25_write_internal(struct sock *sk, int frametype)
110 {
111 	struct x25_sock *x25 = x25_sk(sk);
...
115 	unsigned char addresses[1 + X25_ADDR_LEN];
...
179 	switch (frametype) {
180
181 	case X25_CALL_REQUEST:
182 		dptr    = skb_put(skb, 1);
183 		*dptr++ = X25_CALL_REQUEST;
184 		len     = x25_addr_aton(addresses, &x25->dest_addr,
185 					&x25->source_addr);
```
At line 111, the sk socket is converted to an x25 socket pointer.
At line 115, a character array addresses is declared on the stack with a length of 1 + X25_ADDR_LEN, that is, 17 bytes.
The second parameter of x25_write_internal, frametype, is X25_CALL_REQUEST, which is handled starting at line 181.
At line 184, x25_addr_aton is called with the stack array addresses and the dest_addr and source_addr of the x25 socket.
dest_addr was assigned in x25_connect.
source_addr was assigned in x25_bind.
Moving on to the x25_addr_aton source code: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/net/x25/af_x25.c?h=v5.9.8#n154
```c
154 int x25_addr_aton(unsigned char *p, struct x25_address *called_addr,
155 		  struct x25_address *calling_addr)
156 {
157 	unsigned int called_len, calling_len;
158 	char *called, *calling;
159 	int i;
160
161 	called  = called_addr->x25_addr;
162 	calling = calling_addr->x25_addr;
163
164 	called_len  = strlen(called);
165 	calling_len = strlen(calling);
166
167 	*p++ = (calling_len << 4) | (called_len << 0);
...
```

Lines 164 and 165 repeat the same unbounded strlen on both addresses, and from line 167 onward the two lengths drive how many bytes are written into the 17-byte addresses array on the caller's stack.
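To make the size arithmetic behind the 17-byte addresses[] stack buffer concrete, here is an added example that is neither the kernel's code nor the article's: it computes how many bytes an x25_addr_aton-style encoding needs from the two address lengths, and wraps the encoder in a bounds check that refuses lengths that could only have come from an unterminated x25_addr. The nibble packing order (a length byte, then the called digits, then the calling digits, two digits per byte) is this example's assumption, since the listing above stops at line 167; the names x25_aton_bytes_needed, x25_addr_aton_checked, encode_pair and ADDRESSES_SIZE are likewise this example's own.

```c
/* Added example (not the kernel's code): size arithmetic for the 17-byte
 * addresses[] buffer plus a bounded encoder in the shape of x25_addr_aton.
 * The packing layout below is an assumption of this example. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define X25_ADDR_LEN	16
#define X25_MAX_DIGITS	(X25_ADDR_LEN - 1)	/* 15 digits + NUL */
#define ADDRESSES_SIZE	(1 + X25_ADDR_LEN)	/* the stack buffer: 17 bytes */

/* One length byte, then both digit strings packed two digits per byte.
 * Two terminated 15-digit addresses need 16 bytes, which fits; the total
 * only exceeds 17 when strlen() ran off an unterminated x25_addr array. */
size_t x25_aton_bytes_needed(size_t called_len, size_t calling_len)
{
	return 1 + (called_len + calling_len + 1) / 2;
}

/* Encode into p[0..cap-1].  Returns bytes written, -EINVAL for a length
 * that cannot come from a terminated address, -ENOSPC if it would overrun. */
int x25_addr_aton_checked(unsigned char *p, size_t cap,
			  const char *called, size_t called_len,
			  const char *calling, size_t calling_len)
{
	size_t i, need;

	if (called_len > X25_MAX_DIGITS || calling_len > X25_MAX_DIGITS)
		return -EINVAL;
	need = x25_aton_bytes_needed(called_len, calling_len);
	if (need > cap)
		return -ENOSPC;

	p[0] = (unsigned char)((calling_len << 4) | called_len);
	for (i = 0; i < called_len + calling_len; i++) {
		char c = i < called_len ? called[i] : calling[i - called_len];
		unsigned char nib = (unsigned char)(c - '0') & 0x0f;
		unsigned char *out = &p[1 + i / 2];

		if (i % 2 == 0)
			*out = (unsigned char)(nib << 4);	/* high nibble first */
		else
			*out |= nib;
	}
	return (int)need;
}

/* Mirror the x25_connect -> x25_write_internal path for a constructed
 * destination/source pair: bounded length scan, then encode into a local
 * 17-byte buffer.  idx < 0 returns the byte count (or negative errno);
 * otherwise the byte at that offset is returned. */
int encode_pair(const char *dest, const char *src, int idx)
{
	unsigned char addresses[ADDRESSES_SIZE];
	size_t dl = strnlen(dest, X25_ADDR_LEN);	/* 16 means "no terminator" */
	size_t sl = strnlen(src, X25_ADDR_LEN);
	int n = x25_addr_aton_checked(addresses, sizeof(addresses),
				      dest, dl, src, sl);

	if (n < 0 || idx < 0)
		return n;
	return idx < n ? addresses[idx] : -ERANGE;
}

int main(void)
{
	printf("15+15 digits need %zu of %d bytes\n",
	       x25_aton_bytes_needed(15, 15), ADDRESSES_SIZE);
	printf("20+20 (lengths from an unterminated strlen) need %zu of %d bytes\n",
	       x25_aton_bytes_needed(20, 20), ADDRESSES_SIZE);
	printf("encode(\"1234\",\"56789\") -> %d bytes, length byte 0x%02x\n",
	       encode_pair("1234", "56789", -1), encode_pair("1234", "56789", 0));
	printf("encode(16 digits, \"1\") -> %d (rejected)\n",
	       encode_pair("1234567890123456", "1", -1));
	return 0;
}
```

The defensive point is that the stack buffer is sized for the X.121 maximum, so the encoder is only safe while both lengths are at most 15; once strlen can return more than that, the 17-byte bound is exceeded, which is why the terminator check belongs at the user-space boundary in x25_bind and x25_connect rather than deep in the frame builder.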