|
|
|
|
Strumenti |
22-03-2005, 00:18 | #1 |
Senior Member
Iscritto dal: Sep 2004
Messaggi: 3966
|
grossa falla di sicurezza nei kernel fino al 2.6.11
In un altro forum , ho trovato questo link in cui si spiega che inserendo un cd con codice malevolo a bordo, non c'è bisogno ne di montarlo ne di essere root per rovinare il sistema. Purtroppo l'articolo è in tedesco:
http://www.heise.de/newsticker/meldung/57753
__________________
Dai wafer di silicio nasce: LoHacker... il primo biscotto Geek |
22-03-2005, 00:43 | #2 |
Bannato
Iscritto dal: May 2003
Città: Roma
Messaggi: 3642
|
pare che il cd cmq debba essere montato...
leggiamo qui: There appears to be a fair number of kernel-level range checking flaws in ISO9660 filesystem handler (and Rock Ridge / Juliet extensions) in Linux up to and including 2.6.11. These bugs range from DoS conditions to potentially exploitable memory corruption - all this whenever a specially crafted filesystem is mounted or directories are examined. Most apparent flaws are expected to be fixed in Linux 2.6.12 (rc to show up by tomorrow or so), although, as per Linus words, "that code is horrid", and it may take some time to work out all the issues. The impact is not dramatic, but there are two obvious ways such flaws can be used to benefit remote attackers: 1) Bugs in removable media filesystems may be used to automatically compromise any system whose owner decided to examine a newly acquired CD-ROM, even if extreme caution is observed (that is, autorun is disabled, and no files are executed). 2) For all types of filesystems, such problems can be additionally used to subvert forensic analysis efforts. Disk images from compromised machine may infect forensic examiner's system and alter results, or simply render the machine unusable. Attached is a trivial fuzz script that can be used to test fs drivers against most obvious fault conditions. With little effort, it can be further altered to test filesystems other than ISO9660, and OSes other than Linux. Regards, Michal Zalewski Obligatory plug: http://lcamtuf.coredump.cx/silence/ #!/bin/bash cd /tmp || exit 1 echo '[*] Compiling mangler...' cat >mangle.c <<_EOF_ char buf[10240]; main() { int i,x; srand(time(0) ^ getpid()); while ( (i = read(0,buf,sizeof(buf))) > 0) { x = rand() % (i/20); while (x--) buf[rand() % i] = rand(); write(1,buf,i); } } _EOF_ gcc -O3 mangle.c -o mangle || exit 1 rm -f mangle.c echo '[*] Preparing ISO master (feel free to alter this code)...' mkdir cd_dir || exit 1 cd cd_dir CNT=0 while [ "$CNT" -lt "200" ]; do mkdir A; cd A CNT=$[CNT+1] done cd /tmp/cd_dir A=`perl -e '{print "A"x255}' 2>/dev/null` CNT=0 while [ "$CNT" -lt "3" ]; do mkdir "$A"; cd "$A" CNT=$[CNT+1] done cd /tmp echo '[*] Creating image (alter filesystem or parameters as needed)...' mkisofs -U -R -J -o cd.iso cd_dir 2>/dev/null || exit 1 rm -rf cd_dir echo '[*] STRESS TEST PHASE...' while :; do DIR="/tmp/cdtest-$$-$RANDOM" mkdir "$DIR" dmesg -c 2>/dev/null cat cd.iso | ./mangle >cd_mod.iso mount -t iso9660 -o loop,ro /tmp/cd_mod.iso "$DIR" 2>/dev/null # ls -lAR "$DIR" - Uncomment if you like when it HURTS... umount "$DIR" 2>/dev/null rm -rf "$DIR" 2>/dev/null FAULT=`dmesg | grep -Ei 'oops|unable to handle'` test "$FAULT" = "" || break done dmesg | tail -30 echo '[+] Something found (/tmp/cd-mod.iso)...' rm -f cd.iso mangle exit 0 |
22-03-2005, 07:58 | #3 |
Senior Member
Iscritto dal: Apr 2000
Città: Roma
Messaggi: 15625
|
Sposto nella sezione news
__________________
0: or %edi, %ecx; adc %eax, (%edx); popf; je 0b-22; pop %ebx; fadds 0x56(%ecx); lds 0x56(%ebx), %esp; mov %al, %al andeqs pc, r1, #147456; blpl 0xff8dd280; ldrgtb r4, [r6, #-472]; addgt r5, r8, r3, ror #12 |
22-03-2005, 11:35 | #4 | |
Senior Member
Iscritto dal: Sep 2004
Messaggi: 3966
|
Quote:
__________________
Dai wafer di silicio nasce: LoHacker... il primo biscotto Geek |
|
22-03-2005, 12:08 | #5 |
Senior Member
Iscritto dal: Apr 2000
Città: Roma
Messaggi: 15625
|
Alcune fix preliminari sono già presenti in 2.6.12-rc1.
__________________
0: or %edi, %ecx; adc %eax, (%edx); popf; je 0b-22; pop %ebx; fadds 0x56(%ecx); lds 0x56(%ebx), %esp; mov %al, %al andeqs pc, r1, #147456; blpl 0xff8dd280; ldrgtb r4, [r6, #-472]; addgt r5, r8, r3, ror #12 |
Strumenti | |
|
|
Tutti gli orari sono GMT +1. Ora sono le: 06:58.