Reproduced Analysis of Linux kernel vulnerabilities __linux

Analysis of Linux kernel vulnerabilitiesArticle Properties: Reprint (http://www.xfocus.net/articles/200410/746.html)


Linux is considered to have better security and other extended performance than Windows. These features make Linux become more and more important in the field of operating system. As the number of Linux applications increases, its security is increasingly being watched by the public or even hackers. So, is Linux really as secure as its support vendors claim? This period we have invited to the Venus Chen Information Technology Co., Ltd. Active Defense laboratory engineer Zhao Wei, Linux for Professional vulnerability technology analysis.


Linux kernel short, high stability, scalability, low hardware requirements, free, network features rich, suitable for a variety of CPU characteristics, so that in the field of operating systems. Its unique charm makes it not only occupies a certain portion of the PC, but is increasingly used in various embedded devices, and is used as a professional router, firewall, or high-end server OS. Various types of Linux distributions have sprung up, but the domestic is a boom in the use of Linux, many government departments for security needs are also required to use Linux. It is because Linux is being used more and more, its security also gradually receives the public attention, certainly, also receives the hacker's attention more. In general, we discuss Linux system security from the perspective of Linux Security Configuration or the security features of Linux, and this time we turn to the perspective of the Linux system from the vulnerabilities and the impact of these vulnerabilities to discuss the security of Linux.


First of all to explain this time we discuss the scope of Linux system security, in fact, we usually refer to Linux refers to the Gnu/linux system, Linux is the system used in the operating system kernel. This time we focus on the security of Linux systems from a few of the most characteristic vulnerabilities that exist in the Linux kernel.



Privilege Elevation Class Vulnerability


In general, it is easy for an attacker to gain administrator privileges locally on a Linux server by using a logical flaw or buffer overflow of some programs on the system, and in some remote situations, the attacker would take advantage of some defective system daemon performed as root to obtain root privileges. Or take advantage of a flawed service process vulnerability to gain normal user privileges to log on to the server remotely. Many Linux servers are now improving their security by shutting down a variety of unwanted services and processes, but as long as some services are running on the server, attackers can find a way to elevate their privileges. The following is a relatively new vulnerability that leads to elevation of privilege.


The DO_BRK () boundary Check vulnerability was discovered by Linux kernel developers in September 2003 and patched in the Linux kernel 2.6.0-test6 released at the end of September. But the Linux kernel developer was unaware of the vulnerability, so there was no notification, and some security experts and hackers saw the power of the vulnerability. In November 2003 hackers exploited an undisclosed heap overflow in rsync to match this vulnerability, successfully attacking multiple Debian and Gentoo Linux servers.


Let's briefly describe the vulnerability. The vulnerability was found in the BRK system call. BRK system calls can manipulate the size of the heap of a user process, extending or shrinking the heap. The internal BRK is directly using the DO_BRK () function to do the specific operations, the DO_BRK () function in the sizing process heap is neither the parameter Len any check (do not check the size nor check the positive or negative), there is no addr+len over task_size do check. So we can submit to it any size parameter len, so that the size of the user process can be arbitrarily changed to exceed the task_size limit, so that the system believes that the kernel-wide memory space can be accessed by users, so that ordinary users can access to the kernel of the memory area. With certain actions, an attacker can gain administrator privileges. This vulnerability is extremely risky, and exploiting this vulnerability could allow attackers to operate directly on the kernel zone, bypassing many of the security modules in the Linux system.


The discovery of this vulnerability presents a new concept of vulnerability that extends the user's memory space to the system kernel's memory space to elevate permissions. When this vulnerability was discovered, we thought that there would be similar vulnerabilities in the kernel, and that a few months later the hackers found similar vulnerabilities in the Linux kernel with BRK. Through this successful prediction, it is confirmed that the research on this new type of conceptual vulnerability will help security personnel discover new vulnerabilities in the system.



Denial of service class vulnerability


Denial of service attacks are currently the most popular way to attack, it does not take the server permissions, but the server crashes or loss of response. The denial of service to Linux most of the system can not be logged on to launch a denial of service attacks, the system or related applications crash or loss of responsiveness, which is the use of the system itself vulnerabilities or its daemon defects and incorrect settings to attack.


Alternatively, an attacker who logs on to a Linux system can exploit such vulnerabilities to crash the system itself or the application. This vulnerability is mainly caused by procedural errors of the program, such as not checking the existence of files before writing temporary files, blindly following links, and so on.


Below, let's briefly describe the denial of service vulnerabilities that occur when Linux handles registers in an Intel IA386 CPU. The flaw is due to the MXCSR characteristics of the registers used by the IA386 multimedia instruction. Because the IA386 CPU rules MXCSR registers high 16 bits cannot have any bit to be placed bit, otherwise the CPU will be the error cause system crashes. In order to ensure the normal operation of the system, there is a piece of code in the Linux system specifically for the MXCSR of this feature, and this piece of code in a particular case will be wrong, resulting in the MXCSR high 16 bits are not cleared zero, so that the system crashes. If an attacker created this "extreme" memory condition, it would have a DOS effect on the system.


By invoking the Get_fpxregs function, an attacker can read a multimedia register to user space so that the user can obtain the value of the MXCSR register. Call the Set_fpxregs function to assign values to the MXCSR registers using data provided by the user space. The IA386 CPU is ensured by clearing 0 of the high 16 bits of the MXCSR. If a limit effect is generated so that the program skips the line, the high 16 bits of the MXCSR register are not cleared 0, and the system crashes immediately if the MXCSR register has any bits in the high 16 bit position.


Because the vulnerability of the attacker also need to log into the system, this vulnerability will not allow the attacker to elevate privileges, only to achieve the effect of DOS, so the harm of this vulnerability is relatively small. But there's no point in analyzing this loophole. In fact, the analysis of this vulnerability can be seen: when the Linux kernel development member failed to consider the error in this memory copy, the vulnerability was created, and after analyzing the vulnerability, a new type emerged in the exploit, which we could try to avoid in future development.


Next, let's look at a vulnerability on a Linux kernel algorithm. Let's start with a brief introduction to this vulnerability, when the Linux system receives a specially constructed package from the attacker, which causes the hash table to be compromised and the server resource is depleted. The hash conflict here means that many values are the same after a hash algorithm operation, and that these values are stored in the same hash slot, which makes the hash table a one-way list. The insert operation on this hash table changes from the original complexity O (n) to O (n*n). This causes the system to consume a large amount of CPU resources, resulting in a Dos attack effect.

Let's take a look at the hash algorithm used in Linux, which is used in indexing and fragmentation of Linux route catch. In May this year, Scott Crosby and Dan S. Wallach, of Rice University computer Science, presented a new low bandwidth Dos attack that attacks the vulnerability of the hash algorithm used by the application. This method proposes that if the hash algorithm used by the application has a weakness, that is, the hash algorithm can not effectively hash the data, the attacker could create a special value to cause the hash algorithm to generate a conflict of Dos attacks.


202

203 Static __inline__ unsigned rt_hash_code (u32 daddr, u32 saddr, U8 tos)

204 {

205 Unsigned hash = ((Daddr & 0xf0f0f0f0) >> 4) │

206 ((Daddr & 0x0f0f0f0f) << 4);

207 Hash ^= saddr ^ tos;

^= Hash (hash >> 16);

209 return (hash ^ (hash >> 8)) & Rt_hash_mask;

210}


The code above is the algorithm that Linux uses when routing or reorganizing IP packets. Because the algorithm is too simple to hash the route cache efficiently, a DOS vulnerability is generated. Now let's analyze this function.


203 lines for this function, the function name and the entry parameter, U32 daddr is a 32-bit destination address, and U32 Saddr is the 32-bit original address, TOS is the protocol.

The 205 line-206 line converts the byte before and after the destination address.

207 lines to the original address and TOS will be different or after the hash or then assign a value to the hash.

Row 208 shifts the value of the hash to the right by 16 digits and then hashes or assigns the hash.

Line 209 is the value that this function returns a hash that is different from the value of its own 8-bit offset to the right, and then with Rt_hash_mask.


This attack is a rare form of denial of service because it exploits vulnerabilities in the system's own algorithms. The vulnerability also represents a new direction of vulnerability discovery, which is to exploit the hash algorithm used by the application software or the system. Therefore, this approach to hash table attacks will have an impact not only on Linux but also on many applications, such as the hash algorithm used by PERL5 in this version of Perl, which makes it easy for attackers to exploit carefully filtered data Hash tables used by applications that use PERL5 to generate hash conflicts, including proxy server software, even some IDs software, firewalls, etc., are affected by this attack using the Linux kernel.



Integer overflow vulnerabilities in the Linux kernel


Linux Kernel 2.4 NFSv3 XDR Processor Example Cheng Denial of service vulnerability was announced on July 29, 2003, affecting all Linux kernel versions under Linux Kernel 2.4.21.


The vulnerability exists in the XDR processor routine, and the associated kernel source code file is nfs3xdr.c. This vulnerability is caused by a cosmetic vulnerability (positive/negative number mismatch). An attacker can construct a special XDR header that is sent to a Linux system by setting a variable int size to a negative number to trigger this vulnerability. When the Linux system's NFSV3 XDR handler receives this specially constructed package, the detection statements in the program incorrectly determine the size of the package, thereby copying huge memory in the kernel, causing the kernel data to be corrupted and the Linux system crashing.


Vulnerability Code:

Static inline U32 *

DECODE_FH (u32 *p, struct SVC_FH *fhp)

{

int size;

Fh_init (FHP, nfs3_fhsize);

Size = Ntohl (*p++);

if (Size > Nfs3_fhsize)

return NULL;


memcpy (&fhp->fh_handle.fh_base, p, size); fhp->fh_handle.fh_size = size;

return p + xdr_quadlen (size);

}


Because this memory copy is done in the kernel memory area, destroying the kernel data causing the kernel to crash, this vulnerability does not confirm that it can be used to remotely obtain permissions, and an attacker must be able to mount the directory on the system to exploit this vulnerability to increase the difficulty.

Our aim is to find this type of vulnerability and to better fix it by looking at the characteristics of this vulnerability. As you can see, this vulnerability is a very typical integer overflow vulnerability, which is very dangerous if there is such a vulnerability in the kernel. So Linux kernel developers are working on the data size variables in the Linux kernel (using the unsigned int), which avoids the recurrence of this typical integer overflow. By analyzing this particularly typical vulnerability principle, developers can avoid this vulnerability in future development.



IP Address Spoofing Class vulnerability


TCP/IP stack vulnerabilities are present in many operating systems due to the limitations of TCP/IP itself, making it easy for an attacker to cheat on them. Linux is no exception. Although IP address spoofing does not have a serious impact on the Linux server itself, the vulnerability is fatal for many firewalls and IDs products that use Linux for operating systems.


IP address spoofing is the basis of many attacks, and the reason for using this method is because of the shortcomings of IP itself. The IP protocol sends IP packets based on the destination address entry in the IP header. If the destination address is an address within the local network, the IP packet is sent directly to the destination. If the destination address is not within the local network, the IP packet is sent to the gateway and the gateway decides where to send it. This is the IP routing ip packet method. IP routing IP packets to the IP header provided in the IP source address does not do any check, the IP header in the IP source address is the IP address of the machine that sent the packet. When the destination host receiving the packet is to communicate with the source host, it communicates with the source host with the IP source address in the IP header of the IP packet received as the destination address of the IP packet it sends. Although this kind of data communication method of IP is very simple and efficient, but it is also a security hidden danger of IP, many network security accidents are caused by this shortcoming of IP.


This type of attack is very dangerous when hackers or intruders use spoofed IP forwarding addresses to produce bogus data groupings disguised as packet filters from internal stations. The signs that the groups involved are really internal, or that external groupings are packaged to look like internal groupings, have been lost. As long as the system discovers that the sending address is within its own scope, the packet is treated and passed by internal communication.


Typically, the TCP connection between host A and Host B is established through host a requesting host B, while the confirmation of A and B is based solely on the initial serial number isn by host a and verified by Host B. Three steps are specific.


Host a generates its isn, transmits it to host B, requests to establish the connection, B receives the ISN with the SYN flag from a, and returns the ISN with the reply message ack to A;a and returns the ISN and the reply message ack to B. At this point, normally, the TCP connection between host A and B is established.


B----SYN----> A

B <----syn+ack----A

B----ACK----> A


Suppose C tries to attack a, because A and B are mutually trusted, and if C already knows B that is trusted by a, then find a way to disable the network function of B and prevent other things from interfering with their attacks. The SYN Flood is commonly used here. The attacker sent many Tcp-syn packets to the attacked host. The source address of these Tcp-syn packages is not the IP address of the host on which the attacker resides, but rather the IP address that the attacker fills in. When the attacked host receives the Tcp-syn packets sent by the attacker, assigns a certain resource to a TCP connection and sends a tcp-(Syn+ack) Reply packet to the destination host for the destination address of the source address in the received packet (that is, the attacker's own spoofed IP address). Because the attacker's own spoofed IP address must be a carefully chosen non-existent address, the attacking host will never receive the tcp-packet that it sends out, and the TCP state machine of the attacking host is in the waiting state. If the TCP state machine of the attacked host has time-out control, the resources allocated for the connection are reclaimed until the timeout is exceeded. Therefore, if an attacker sends enough TCP-SYN packets to the attacked host and is fast enough, the TCP module of the attacked host must be denied service because it cannot allocate the new TCP connection to the system resources. The attacker's packet cannot be judged by the source address information of the IP header, even if the administrator of the network on which the attack host is located.


When the network function of B is temporarily paralyzed, C must find ways to determine the current isn of a. Connect to port 25 first, because SMTP has no security check mechanism, similar to the previous one, but this time you need to record the isn of a, as well as the approximate RTT (round) for C to a. This step repeats several times to find the average of the RTT. Once c knows the isn base value of a and increases the rule, it is possible to calculate the time from C to a RTT/2. Then immediately into the attack, otherwise between this there are other hosts with a connection, isn will be more than expected.


C sends a data segment request connection with a SYN flag to a, but the source IP is changed to B. A to B loopback syn+ack data segment, B has been unable to respond, B's TCP layer simply discards A's loopback data segment. This time C needs to suspend for a short while, let a have enough time to send Syn+ack, because C can't see this package. Then c again disguised as B to send an ACK to a, at which time the data segment sent with C predicted a isn+1. If the prediction is accurate, the connection is established and data transfer begins. The problem is that even if the connection is established, a still sends the data to B, rather than c,c still can't see the data segment A to B, and C must send a command to a by the protocol standard fake B, and the attack completes. If the prediction is inaccurate, a will send a data segment with the RST flag to terminate the connection abnormally, C only to start over. With the isn of correcting predictions, an attacker would eventually establish a meeting with the target host. In this way, an attacker can log on to the target host as a legitimate user without further confirmation. If repeated tests allow the target host to receive root logins to the network, the entire network can be fully controlled.


C (B)----SYN----> A

B <----syn+ack----A

C (B)----ACK----> A

C (B)----PSH----> A


IP spoofing attacks take advantage of the fact that the RPC server relies only on the IP address of the source for security verification, and the most difficult part of the attack is to predict the isn of a. The attack is more difficult, but the likelihood of success is great. C must accurately foresee information that may be sent from a to B, and what response information a expects from B, which requires the attacker to be quite familiar with the protocol itself. It also needs to be understood that this attack cannot be done in an interactive state and must be written to complete. In the preparation phase, of course, you can use tools such as NetXRay for protocol analysis.



Summary


By analyzing a few of the above vulnerabilities, you can see that Linux is not perfect, there are many places to improve. Some vulnerabilities greatly affect the promotion and use of Linux, such as the vulnerability of the Linux hash table above, because some IDs vendors and firewall vendors develop their own products based on the Linux kernel. If the Linux itself is still used by the hash algorithm will be affected by this vulnerability, very vulnerable to the attacker to Dos attacks. Because firewalls, IDs themselves are security products, and if they are attacked can cause great loss to the user, we need to trace these vulnerabilities to analyze, and by understanding their characteristics to avoid in the system to generate these types of vulnerabilities, through the prediction of these types of vulnerabilities, So that we can actively defend against hacker attacks and damage.


Author Introduction


Zhao Wei 2003 inauguration in the active Defense Laboratory of Venus, SST member, National computer Network security Incident Response Team (CNCERT/CC) members. Main Research directions: Unix/linux Vulnerability Mining, Unix/linux application system security, Linux Kernel Vulnerability Mining, Linux HIDS development and event research, XML-related security. Involved in a number of computer crime forensics, computer disaster-tolerant systems and other related national projects and 863 projects.