BUGTRAQ ID: 42254
CVE ID: CVE-2010-1893

Microsoft Windows is a widely used operating system published by Microsoft.

The IppSortDestinationAddresses() function in the Windows TCP/IP implementation contains an integer overflow when it processes a SOCKET_ADDRESS_LIST structure. A local user can corrupt kernel memory by calling WSAIoctl with the SIO_ADDRESS_LIST_SORT IOCTL and execute arbitrary code with SYSTEM privileges.

At the start of IppSortDestinationAddresses() the following pseudocode appears (only the size argument of the allocation is shown; pool type and tag are omitted):

    // NumberOfDestinationAddresses comes from the user-supplied list; the product
    // is computed in the kernel's native word size and can wrap.
    DestinationAddresses = ExAllocatePoolWithTag(NumberOfDestinationAddresses * sizeof(SOCKADDR_IN6)); // sizeof(SOCKADDR_IN6) = 0x1C
    NtStatus = IppFlattenAddressList(SocketAddressList, DestinationAddresses);
    if (!NT_SUCCESS(NtStatus))
        ExFreePoolWithTag(DestinationAddresses);

The integer overflow in the size computation in IppSortDestinationAddresses() leads to a kernel pool overflow in IppFlattenAddressList(), which copies iAddressCount entries into the undersized allocation. The following pseudocode contains only the most important parts of that function:

    NTSTATUS IppFlattenAddressList(IN PSOCKET_ADDRESS_LIST SocketAddressList, OUT PSOCKADDR_IN6 FlattenAddressList)
    {
        PSOCKADDR_IN6 Address;
        // [...]
        for (Index = 0; Index < SocketAddressList->iAddressCount; Index += 1)
        {
            if (SocketAddressList->Address[Index].iSockaddrLength != sizeof(SOCKADDR_IN6))
                return STATUS_INVALID_PARAMETER;

            Address = SocketAddressList->Address[Index].lpSockaddr;
            // Of course, there is a ProbeForRead + __try if the function is called from Userland

            FlattenAddressList[Index] = *Address;   // <--- Pool overflow occurs here:
                                                    //      no check against the allocated size.

            //
            // The following part is important if you want to proceed to the overflow:
            // the family check runs only after the entry has already been copied.
            //
            if (FlattenAddressList[Index].sin6_family != AF_INET6)
                return STATUS_INVALID_PARAMETER;
        }
        // [...]
    }

Because SocketAddressList->iAddressCount can hold an excessively large value, the loop keeps copying data into the kernel pool until either sin6_family differs from AF_INET6 or iSockaddrLength differs from sizeof(SOCKADDR_IN6). In both cases IppFlattenAddressList() returns STATUS_INVALID_PARAMETER, forcing the caller to free the pool allocation.

sin6_family is the first field of the SOCKADDR_IN6 structure, so the overflowing write places it over the PreviousSize field of the adjacent POOL_HEADER, which is read back when the chunk is unlinked from the list. This constraint makes the vulnerability comparatively difficult to exploit.

Affected systems:
Microsoft Windows Vista SP1
Microsoft Windows Server 2008 R2
Microsoft Windows Server 2008
Microsoft Windows 7

Vendor patch:

Microsoft
---------
Microsoft has released a security bulletin (MS10-058) and the corresponding patch:

MS10-058: Vulnerabilities in TCP/IP Could Allow Elevation of Privilege (978886)
Link: http://www.microsoft.com/technet/security/bulletin/MS10-058.mspx?pf=true
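The two steps of the bug described above (the wrapped size computation and the copy loop that trusts iAddressCount), as an added example that is not part of the original advisory and not Microsoft's code. It models the structures with constructed stand-ins so the wraparound and the index of the first out-of-bounds copy can be observed on any host: the 0x1C element size and the order of the checks follow the advisory's pseudocode, while the struct layouts, the AF_INET6 value of 23, the 32-bit size arithmetic and the checked-multiplication guard in safe_alloc_size() are assumptions for illustration, not the shipped Windows definitions or the MS10-058 fix.

```c
/*
 * Added example (not Microsoft's code): models the CVE-2010-1893 size
 * computation and copy loop with constructed structures. Struct layouts,
 * the AF_INET6 value, 32-bit arithmetic and the overflow guard are
 * assumptions for illustration; the 0x1C element size is from the advisory.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SOCKADDR_IN6_SIZE 0x1Cu   /* sizeof(SOCKADDR_IN6) per the advisory */
#define MODEL_AF_INET6    23u     /* AF_INET6 on Windows; assumed value */
#define MODEL_ENTRIES     16      /* entries actually backing the constructed list */

/* Constructed stand-ins for SOCKADDR_IN6 / SOCKET_ADDRESS / SOCKET_ADDRESS_LIST. */
typedef struct {
    uint16_t sin6_family;                   /* first field, as in the real struct */
    uint8_t  rest[SOCKADDR_IN6_SIZE - 2];
} model_sockaddr_in6;

typedef struct {
    int                 iSockaddrLength;
    model_sockaddr_in6 *lpSockaddr;
} model_socket_address;

typedef struct {
    int                   iAddressCount;    /* attacker-controlled */
    model_socket_address *Address;
} model_socket_address_list;

/* Vulnerable size computation in 32-bit arithmetic (as on an x86 kernel):
 * count * 0x1C wraps silently, so a huge count yields a tiny allocation. */
uint32_t vuln_alloc_size(uint32_t count)
{
    return count * SOCKADDR_IN6_SIZE;
}

/* Hardened computation (illustrative): refuse any count whose product would wrap. */
bool safe_alloc_size(uint32_t count, uint32_t *size_out)
{
    if (count > UINT32_MAX / SOCKADDR_IN6_SIZE)
        return false;
    *size_out = count * SOCKADDR_IN6_SIZE;
    return true;
}

/* Model of the IppFlattenAddressList() loop. Instead of writing into a buffer it
 * returns the index of the first element whose copy would land past dst_bytes,
 * or -1 if the loop ends (or bails with STATUS_INVALID_PARAMETER) before that.
 * The family check sits after the copy, as in the advisory, so a bad family at
 * the overflowing index cannot prevent that out-of-bounds write. */
int flatten_overflow_index(const model_socket_address_list *list, uint32_t dst_bytes)
{
    for (int i = 0; i < list->iAddressCount; i++) {
        if (list->Address[i].iSockaddrLength != (int)SOCKADDR_IN6_SIZE)
            return -1;
        if ((uint64_t)(i + 1) * SOCKADDR_IN6_SIZE > dst_bytes)
            return i;                       /* this copy would overflow the chunk */
        if (list->Address[i].lpSockaddr->sin6_family != MODEL_AF_INET6)
            return -1;
    }
    return -1;
}

/* Constructed list: MODEL_ENTRIES backed entries, all AF_INET6 except the one at
 * bad_family_index (-1 for none), while iAddressCount claims claimed_count.
 * Only entries reached before the first overflow are ever read. */
static model_sockaddr_in6        g_addrs[MODEL_ENTRIES];
static model_socket_address      g_entries[MODEL_ENTRIES];
static model_socket_address_list g_list;

const model_socket_address_list *build_list(uint32_t claimed_count, int bad_family_index)
{
    memset(g_addrs, 0, sizeof g_addrs);
    for (int i = 0; i < MODEL_ENTRIES; i++) {
        g_addrs[i].sin6_family       = (i == bad_family_index) ? 0 : MODEL_AF_INET6;
        g_entries[i].iSockaddrLength = (int)SOCKADDR_IN6_SIZE;
        g_entries[i].lpSockaddr      = &g_addrs[i];
    }
    g_list.iAddressCount = (int)claimed_count;
    g_list.Address       = g_entries;
    return &g_list;
}

int main(void)
{
    /* 153391700 * 0x1C = 0x1_0000_0130, which wraps to 0x130 = 304 bytes:
     * room for 10 entries although the loop will try to copy 153391700. */
    uint32_t count = 153391700u;
    uint32_t size  = vuln_alloc_size(count);
    const model_socket_address_list *list = build_list(count, -1);

    printf("vulnerable: allocates %u bytes, first OOB copy at index %d\n",
           size, flatten_overflow_index(list, size));

    uint32_t checked;
    if (!safe_alloc_size(count, &checked))
        printf("hardened: count %u rejected before allocation\n", count);
    return 0;
}
```

The model stops at the first out-of-bounds index rather than performing the write; in the real loop the copy continues until a length or family check fails, and because the overflowed bytes land on the next chunk's POOL_HEADER (with sin6_family over PreviousSize), every copied entry must still carry AF_INET6 in that position, which is the exploitation constraint the advisory notes.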