Coffee-scented *NIX
Coffeenix
A place for systems, networking and security

bird72
Joined: 24 Sep 2003 Posts: 77

Posted: 2004.2.20 Fri, 4:12 pm Subject: Security flaw found yet again in all Linux kernels

Hello...
Another vulnerability has been found in the kernel...
Please patch as quickly as you can...
Below is a message from the cert.co.kr mailing list.
Code:
Hello, this is Hong Seok-beom of Oneulgwa Naeil (Today and Tomorrow).
Following the vulnerability in mremap, part of the Linux kernel's memory management code, that was found a little over a month ago,
this time a problem in the same code, a return value that is not checked, means that with ordinary user privileges
a serious vulnerability has been found that allows root privileges to be obtained locally.
With this one, serious Linux kernel vulnerabilities have now been found
for three months in a row, at intervals of about one month.
Early December : vulnerability in the do_brk() function (versions 2.4.22 and below vulnerable)
Mid January : bound checking vulnerability in mremap (versions 2.4.23 and below vulnerable)
Mid February : return value vulnerability in mremap (versions 2.4.24 and below vulnerable)
This vulnerability again applies to all existing Linux kernels,
and the vulnerable and safe versions are as follows.
-------------------------------------------------------------
Vulnerable version | Patched version
-------------------------------------------------------------
* Kernel 2.2.25 and versions before 2.2.25 --> no patched version provided
* Kernel 2.4.24 and versions before 2.4.24 --> 2.4.25
* Kernel 2.6.2 versions, 2.6.2 included --> 2.6.3
--------------------------------------------------------------
For reference, the patch for this vulnerability is as follows.
--- linux-2.4.20/mm/mremap.c~ 2004-02-05 00:17:20.000000000 +0000
+++ linux-2.4.20/mm/mremap.c 2004-02-05 00:22:32.000000000 +0000
@@ -305,7 +305,9 @@
if ((addr <= new_addr) && (addr+old_len) > new_addr)
goto out;
- do_munmap(current->mm, new_addr, new_len);
+ ret = do_munmap(current->mm, new_addr, new_len);
+ if (ret && new_len)
+ goto out;
}
/*
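Review bot: The added check "if (ret && new_len)" after the first do_munmap() call lets a non-zero return through whenever new_len is 0, and nothing in the hunk says why that case is safe to ignore. If a zero-length unmap is expected to fail harmlessly here, state that in a one-line comment above the check; otherwise test ret alone so that every do_munmap() failure reaches out.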
@@ -313,9 +315,11 @@
* the unnecessary pages..
* do_munmap does all the needed commit accounting
*/
- ret = addr;
if (old_len >= new_len) {
- do_munmap(current->mm, addr+new_len, old_len - new_len);
+ ret = do_munmap(current->mm, addr+new_len, old_len - new_len);
+ if (ret && old_len != new_len)
+ goto out;
+ ret = addr;
if (!(flags & MREMAP_FIXED) || (new_addr == addr))
goto out;
old_len = new_len;
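Review bot: With "ret = addr;" moved from before "if (old_len >= new_len)" into that branch, the path where old_len < new_len no longer sets ret at this point, so it carries whatever the earlier code left there (after the first hunk that can be the value returned by do_munmap()). The code below this hunk is not shown, so please confirm that every route to out on that path assigns ret first. The "old_len != new_len" guard has the same undocumented zero-length exception as the new_len guard in the previous hunk and deserves the same one-line comment.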
Kernel source download : ftp://ftp.kr.kernel.org/pub/linux/kernel/
If you want to patch the kernel with an rpm, see the URLs below for each release.
* Red Hat 9.0
https://rhn.redhat.com/errata/RHSA-2004-065.html
* Red Hat 7.2 / 7.3 / 8.0 (to be provided soon)
http://download.fedoralegacy.org/
For reference, the URL below is offering paid rpm patches for Red Hat 7.2/7.3/8.0.
http://transition.progeny.com/
Once patching is finished, you can check whether the system is vulnerable as follows.
(This is only a Proof of Concept and does not affect the system.)
Source code download : http://www.security.nnov.ru/files/mremap_poc_2.c
$ gcc -o mremap_poc_2 mremap_poc_2.c // compile
## On a vulnerable kernel version (2.4.24)
$ ./mremap_poc_2
mmap: Cannot allocate memory
created ~65530 VMAs
now mremapping 0x3FFE5000 at 0x3FFE1000Segmentation fault
Afterwards, if you check dmesg or the /var/log/messages file,
you will see a log like the following.
$ dmesg | tail -n 15 or tail -15 /var/log/messages
kernel BUG at mmap.c:1188!
invalid operand: 0000
CPU: 0
EIP: 0010:[<c0123201>] Not tainted
EFLAGS: 00010287
eax: 3ffe2000 ebx: cead2140 ecx: cead3ec0 edx: cead3f60
esi: cead2124 edi: cead20e0 ebp: cead2140 esp: cf6b1f48
ds: 0018 es: 0018 ss: 0018
Process mremap_poc_2 (pid: 24785, stackpage=cf6b1000)
Stack: cead2140 cead2124 cead20e0 00000002 00000002 c0127f84 ce3be780 c0127ff4
ce3be780 cead2140 cf6b0000 00001000 3ffe5000 ce3be79c ce3be780 3ffe2000
cf6b0000 cead20e0 cead3f00 c01280ab 3ffe5000 00001000 00001000 00000003
Call Trace: [<c0127f84>] [<c0127ff4>] [<c01280ab>] [<c01086e7>]
Code: 0f 0b a4 04 01 e7 1e c0 8b 7c 24 10 8b 74 24 14 8b 5c 24 18
## On a kernel version that is not vulnerable (2.4.25)
$ ./mremap_poc_2
mmap: Cannot allocate memory
created ~65530 VMAs
now mremapping 0x3FFE5000 at 0x3FFE1000
kernel may not be vulnerable
No log at all is left in dmesg.
For details of this vulnerability, see the URLs below.
http://www.isec.pl/vulnerabilities/isec-0014-mremap-unmap.txt
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0077
Thank you.

_________________ ilovesusu
Last edited by bird72 on 2004.2.20 Fri, 5:09 pm; edited 1 time in total
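
The version table and the dmesg check from the post above, written as a shell script. This is an added example, not part of the original post or of the quoted mailing-list message; the function names, the status words and the vendor-style release string 2.4.20-8 are assumptions made for it. A release with a vendor suffix below the fixed version is reported as vendor-check, because distribution kernels can carry the fix without changing the base version.

```shell
#!/bin/sh
# Added example, not from the original post. Thresholds follow the post's table:
# 2.2.25 and earlier have no fixed release; 2.4.25 and 2.6.3 carry the fix.

# mremap_status RELEASE
# prints: fixed | vulnerable | vulnerable-no-fix | vendor-check | unknown
mremap_status() {
    rel=$1
    base=${rel%%-*}                 # drop a vendor suffix: 2.4.20-8 -> 2.4.20
    old_ifs=$IFS; IFS=.
    set -- $base                    # split into major, minor, patch
    IFS=$old_ifs
    major=$1 minor=$2 patch=$3
    for n in "$major" "$minor" "$patch"; do
        case $n in ''|*[!0-9]*) echo unknown; return 0 ;; esac
    done
    case $major.$minor in
        2.2) fixed=none ;;
        2.4) fixed=25 ;;
        2.6) fixed=3 ;;
        *)   echo unknown; return 0 ;;
    esac
    if [ "$fixed" != none ] && [ "$patch" -ge "$fixed" ]; then
        echo fixed
    elif [ "$fixed" = none ] && [ "$patch" -gt 25 ]; then
        echo unknown                # the table says nothing beyond 2.2.25
    elif [ "$rel" != "$base" ]; then
        echo vendor-check           # suffix present: fix may be backported
    elif [ "$fixed" = none ]; then
        echo vulnerable-no-fix
    else
        echo vulnerable
    fi
}

# mmap_bug_procs < LOG
# prints "process pid" for each oops opened by the "kernel BUG at mmap.c" line
# shown in the post; works on dmesg output and on syslog-prefixed lines.
mmap_bug_procs() {
    awk '/kernel BUG at mmap\.c:/ { hit = 1; next }
         hit { for (i = 1; i < NF; i++) if ($i == "Process") {
                   pid = $(i + 3); sub(/,$/, "", pid)
                   print $(i + 1), pid; hit = 0; break } }'
}

# Demo on constructed input: release strings and three lines of the post's log.
SAMPLE_LOG='kernel BUG at mmap.c:1188!
invalid operand: 0000
Process mremap_poc_2 (pid: 24785, stackpage=cf6b1000)'
for r in 2.4.24 2.4.25 2.6.2 2.2.25 2.4.20-8; do echo "$r: $(mremap_status "$r")"; done
printf '%s\n' "$SAMPLE_LOG" | mmap_bug_procs
```

On a live host the same functions take `uname -r` and the output of `dmesg` as input.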

gnobus
Joined: 25 Sep 2003 Posts: 24

Posted: 2004.2.20 Fri, 5:08 pm Subject: Re: Security flaw found yet again in all Linux kernels

Oh my.. why does this keep happening..
As for me, every time one of these comes out I just say "glad to meet you", upgrade and reboot, so it is no problem at all, but server operators are going to have a bit of a headache.
I worry that, at this rate, people who don't know any better will end up with a bad impression of Linux.

applewhy
Joined: 18 Apr 2004 Posts: 9

Posted: 2004.4.18 Sun, 4:29 pm Subject:

I have just installed Red Hat for the first time. Can the updater program that Red Hat provides
also be used to update to a new kernel?

123 Guest

Posted: 2004.9.03 Fri, 1:21 am Subject: 123

[b][i]12312312312[quote]123[code]123[list]23[list=]3[img]3[/img][url]3123123[embed]123[/embed] |