Root vulnerabilities in the Linux kernel and denial of service in systemd

Security researchers from Qualys have disclosed details of two vulnerabilities affecting the Linux kernel and the systemd system manager. The kernel vulnerability (CVE-2021-33909) allows a local user to achieve code execution with root privileges by manipulating very deeply nested directories.

The danger of the vulnerability is aggravated by the fact that the researchers were able to prepare working exploits for Ubuntu 20.04 / 20.10 / 21.04, Debian 11 and Fedora 34 in the default configuration. It is noted that other distributions were not tested, but are theoretically also susceptible to the problem and could be attacked. The full exploit code is promised to be published once the problem has been fixed everywhere; for now only a prototype with limited functionality is available, which causes the system to crash. The problem has existed since July 2014 and affects kernel releases starting from 3.16. The fix was coordinated with the community and accepted into the kernel on July 19. The major distributions have already produced updates for their packages (Debian, Ubuntu, Fedora, RHEL, SUSE, Arch).

The vulnerability is caused by a missing check on the result of a size_t to int conversion before operations are performed in the seq_file code, which builds files from a sequence of records. The missing check can lead to out-of-bounds writes to a buffer when creating, mounting and deleting a very deeply nested directory structure (path size greater than 1 GB). As a result, an attacker can cause the 10-byte string "//deleted" to be written at offset "-2 GB - 10 bytes", pointing to the area immediately before the allocated buffer.
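The following is an added example, not code from the article or from the kernel: it models the size_t to int truncation described above. A buffer length above INT_MAX becomes negative once squeezed into an int, so "write the 10-byte marker at len - 10" lands about 2 GB before the buffer instead of at its end; the checked variant shows the defensive shape of the fix, refusing the conversion instead of trusting it.

```c
/*
 * Added example (not from the article or the kernel): models the size_t -> int
 * truncation in seq_file that CVE-2021-33909 relies on. A buffer length that
 * exceeds INT_MAX becomes negative when squeezed into an int, so "write the
 * 10-byte marker at len - 10" lands far before the buffer instead of at its end.
 * The checked variant is the defensive shape of the fix: refuse the conversion.
 */
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

#define GB (1024LL * 1024 * 1024)
#define MARKER_LEN 10   /* strlen("//deleted") + terminating NUL */

/* Unchecked conversion, as the vulnerable code path effectively performed. */
static int truncate_unchecked(size_t len)
{
    return (int)len;   /* wraps to a negative value for len > INT_MAX */
}

/* Checked conversion: -1 signals that len does not fit in an int. */
static int convert_checked(size_t len)
{
    if (len > (size_t)INT_MAX)
        return -1;
    return (int)len;
}

/* Offset (relative to the buffer start) at which a MARKER_LEN-byte suffix
 * would be written when the length is converted the unchecked way. Returned
 * as long long so the negative result is visible rather than undefined. */
static long long marker_offset_unchecked(size_t buflen)
{
    return (long long)truncate_unchecked(buflen) - MARKER_LEN;
}

int main(void)
{
    size_t two_gb = (size_t)(2 * GB);   /* seq_file buffer grown past a 1 GB path */
    printf("2 GB as int: %d\n", truncate_unchecked(two_gb));
    printf("marker offset: %lld bytes (i.e. -2 GB - 10)\n",
           marker_offset_unchecked(two_gb));
    printf("checked conversion: %d (rejected)\n", convert_checked(two_gb));
    return 0;
}
```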

The prepared exploit requires 5 GB of memory and 1 million free inodes to work. It operates by calling mkdir() to create a hierarchy of about a million subdirectories, producing a file path larger than 1 GB. This directory is bind-mounted in a separate user namespace, after which rmdir() is run to remove it. In parallel, a thread is created that loads a small eBPF program, which is held at the stage after the eBPF pseudocode has been verified but before its JIT compilation.

In the unprivileged user ID namespace, the file /proc/self/mountinfo is opened and the long pathname of the bind-mounted directory is read, which causes the string "//deleted" to be written to the area before the beginning of the buffer. The position of the write is chosen so that it overwrites an instruction in the already verified but not yet compiled eBPF program.

Next, at the level of the eBPF program, the uncontrolled out-of-bounds write is turned into a controlled ability to read and write other kernel structures by manipulating the btf and map_push_elem structures. As a result, the exploit determines the location of the modprobe_path[] buffer in kernel memory and overwrites the "/sbin/modprobe" path stored there, which allows any executable to be started with root privileges on the next request_module() call, which is triggered, for example, when a netlink socket is created.

The researchers offer several workarounds that are effective only against specific exploits and do not eliminate the problem itself. It is recommended to set "/proc/sys/kernel/unprivileged_userns_clone" to 0 to disable mounting directories in a separate user ID namespace, and "/proc/sys/kernel/unprivileged_bpf_disabled" to 1 to disable loading eBPF programs into the kernel.

Notably, while analysing an alternative attack that uses the FUSE mechanism instead of a bind mount to mount a large directory, the researchers came across another vulnerability (CVE-2021-33910) affecting the systemd system manager. It turned out that when an attempt is made to mount a directory whose path exceeds 8 MB via FUSE, the init process (PID 1) runs out of stack memory and crashes, leaving the system in a "panic" state.

The problem is that systemd tracks and parses the contents of /proc/self/mountinfo and processes each mount point in the unit_name_path_escape() function, which uses strdupa() to place data on the stack rather than in dynamically allocated memory. Since the maximum stack size is limited by RLIMIT_STACK, processing an overly large mount point path causes the PID 1 process to crash and the system to halt. An attack can use the simplest FUSE module combined with a very deeply nested directory, with a path larger than 8 MB, as the mount point.

The problem has existed since systemd 220 (April 2015), has already been fixed in the main systemd repository, and has been patched in the distributions (Debian, Ubuntu, Fedora, RHEL, SUSE, Arch). Notably, in systemd release 248 the exploit does not work because of a bug in the systemd code that causes the processing of /proc/self/mountinfo to fail. It is also interesting that a similar situation arose in 2018: while trying to write an exploit for the CVE-2018-14634 vulnerability in the Linux kernel, the Qualys researchers came across three vulnerabilities in systemd.

Source: opennet.ru