Root vulnerability in the Linux kernel and denial of service in systemd

Security researchers from Qualys have disclosed details of two vulnerabilities affecting the Linux kernel and the systemd system manager. The kernel vulnerability (CVE-2021-33909) allows a local user to achieve code execution with root privileges by manipulating deeply nested directories.

The severity of the vulnerability is underscored by the fact that the researchers were able to prepare working exploits for Ubuntu 20.04 / 20.10 / 21.04, Debian 11 and Fedora 34 in the default configuration. Other distributions have not been tested, but in theory they are also affected by the problem and can be attacked. The full exploit code is promised for publication once the problem has been fixed everywhere; for now only a prototype with limited functionality is available, which causes the system to crash. The problem has existed since July 2014 and affects kernel releases starting with 3.16. The fix was coordinated with the community and accepted into the kernel on July 19. The major distributions have already released updates to their kernel packages (Debian, Ubuntu, Fedora, RHEL, SUSE, Arch).

The vulnerability is caused by a missing check on the result of a size_t-to-int conversion before operations are performed in the seq_file code, which generates files from a sequence of records. The missing check can lead to an out-of-bounds write to the buffer when a very deeply nested directory structure (path length greater than 1 GB) is created, mounted and deleted. As a result, an attacker can cause the 10-byte string "//deleted" to be written at offset "-2 GB - 10 bytes", i.e. into the area immediately preceding the allocated buffer.
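The defect class described above, reduced to its essentials as an added illustration (this is not kernel code and not the Qualys material): a buffer size tracked as `size_t` is narrowed to an `int`, goes negative once it exceeds INT_MAX, and a write position computed from it lands 2 GB before the buffer. The `room_*` and `prepend_offset` helpers are simplified stand-ins for path-building routines that track remaining room in an `int`; `seq_buf_size_ok` is an assumed, simplified rendering of an allocation-side guard (the exact limit used by the upstream fix is not stated in the article).

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Remaining room as an int, the way the affected code derived it.
 * Once buffer_size exceeds INT_MAX the result wraps negative. */
static int room_unchecked(size_t buffer_size)
{
	return (int)buffer_size;
}

/* The same conversion with the guard the bug lacked: refuse sizes that do
 * not fit an int instead of silently truncating. Returns 0 on success. */
static int room_checked(size_t buffer_size, int *room_out)
{
	if (buffer_size > (size_t)INT_MAX)
		return -1;          /* caller must bail out (EOVERFLOW/ENAMETOOLONG style) */
	*room_out = (int)buffer_size;
	return 0;
}

/* Convenience wrapper: the checked room, or -1 when the size is rejected. */
static int room_checked_value(size_t buffer_size)
{
	int room;
	return room_checked(buffer_size, &room) == 0 ? room : -1;
}

/* Allocation-side guard (assumed simplification of the upstream approach):
 * never let the buffer grow past int range in the first place. */
static int seq_buf_size_ok(size_t requested)
{
	return requested <= (size_t)INT_MAX;
}

/* Where a prepend of `len` bytes lands, relative to the buffer start, when the
 * write position is derived from `room`. A negative result is out of bounds. */
static long long prepend_offset(int room, size_t len)
{
	return (long long)room - (long long)len;
}

int main(void)
{
	/* A 2 GB buffer, as reached by doubling to hold a path longer than 1 GB. */
	size_t huge = (size_t)1 << 31;

	printf("unchecked room for a 2 GB buffer: %d\n", room_unchecked(huge));
	printf("a 10-byte prepend would land at offset %lld\n",
	       prepend_offset(room_unchecked(huge), 10));
	printf("checked conversion: %s\n",
	       room_checked_value(huge) < 0 ? "rejected" : "accepted");
	printf("allocation guard: %s\n",
	       seq_buf_size_ok(huge) ? "accepted" : "rejected");
	return 0;
}
```

The offset printed for the unchecked path is exactly the "-2 GB - 10 bytes" the article quotes; either guard turns that into an error return before any write happens.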

The prepared exploit requires 5 GB of memory and 1 million free inodes to work. It calls mkdir() to create a hierarchy of roughly a million subdirectories, yielding a file path longer than 1 GB. This directory is bind-mounted in a separate user namespace, after which rmdir() is called to remove it. In parallel, a thread is created that loads a small eBPF program, which is held at the stage after the eBPF pseudocode has been verified but before it is JIT-compiled.

In the unprivileged user namespace, the file /proc/self/mountinfo is opened and the long path name of the bind-mounted directory is read, which causes the string "//deleted" to be written to the area before the start of the buffer. The write position is chosen so that it overwrites an instruction in the eBPF program that has already been verified but not yet compiled.

Next, at the eBPF program level, the uncontrolled out-of-bounds write is turned into a controlled ability to read and write other kernel structures using the btf and map_push_elem primitives. With this, the exploit locates the modprobe_path[] buffer in kernel memory and overwrites the "/sbin/modprobe" path stored in it, which allows any executable to be launched with root privileges when a request_module() call occurs, as happens, for example, when a netlink socket is created.

The researchers offer several workarounds that are effective only against the specific exploit and do not eliminate the problem itself. It is recommended to set "/proc/sys/kernel/unprivileged_userns_clone" to 0 to disable mounting directories in a separate user ID namespace, and "/proc/sys/kernel/unprivileged_bpf_disabled" to 1 to disable loading eBPF programs into the kernel.
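A small audit tool for the two workaround knobs named above, added here as an example (it is not the researchers' tooling). It assumes the knobs live under /proc/sys/kernel exactly as the article names them; unprivileged_userns_clone is a Debian/Ubuntu kernel addition that does not exist on every distribution, which the audit reports as "absent" rather than treating as a failure.

```c
#include <stdio.h>
#include <stdlib.h>

/* Result of checking one /proc/sys knob against its hardened value. */
enum knob_state { KNOB_HARDENED, KNOB_WEAK, KNOB_ABSENT };

/* Read a single integer knob from /proc/sys; returns -1 if it cannot be read. */
static int read_knob(const char *path, long *value)
{
	FILE *f = fopen(path, "r");
	if (!f)
		return -1;
	int rc = fscanf(f, "%ld", value) == 1 ? 0 : -1;
	fclose(f);
	return rc;
}

/* Compare an observed value with the value the workaround calls for. */
static enum knob_state classify_value(long observed, long want)
{
	return observed == want ? KNOB_HARDENED : KNOB_WEAK;
}

/* Read and classify one knob; a kernel without the knob yields KNOB_ABSENT. */
static enum knob_state knob_state(const char *path, long want)
{
	long v;
	if (read_knob(path, &v) != 0)
		return KNOB_ABSENT;
	return classify_value(v, want);
}

static const char *state_name(enum knob_state s)
{
	switch (s) {
	case KNOB_HARDENED: return "hardened";
	case KNOB_WEAK:     return "WEAK";
	default:            return "absent";
	}
}

/* Check both knobs from the article. Returns the number of present-but-weak
 * knobs, so 0 means there is nothing left to change. */
static int audit_mitigations(void)
{
	static const struct { const char *path; long want; } knobs[] = {
		{ "/proc/sys/kernel/unprivileged_userns_clone", 0 },
		{ "/proc/sys/kernel/unprivileged_bpf_disabled", 1 },
	};
	int weak = 0;
	for (size_t i = 0; i < sizeof knobs / sizeof knobs[0]; i++) {
		enum knob_state s = knob_state(knobs[i].path, knobs[i].want);
		printf("%-46s want=%ld  %s\n", knobs[i].path, knobs[i].want, state_name(s));
		if (s == KNOB_WEAK)
			weak++;
	}
	return weak;
}

int main(void)
{
	int weak = audit_mitigations();
	if (weak)
		fprintf(stderr, "%d knob(s) still at the default; write the wanted values "
		        "as root (echo into /proc/sys or sysctl -w) and persist them in /etc/sysctl.d\n",
		        weak);
	return weak ? 1 : 0;
}
```

Run it as an unprivileged user to get the current state; the non-zero exit status makes it easy to drop into a compliance check. Remember that, as the article says, these settings only block the known exploit path and are no substitute for the kernel update.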

Notably, while analysing an alternative attack that uses the FUSE mechanism instead of a bind mount to mount the large directory, the researchers ran into another vulnerability (CVE-2021-33910), this one affecting the systemd system manager. It turned out that when an attempt is made to mount a directory whose path length exceeds 8 MB via FUSE, the init process (PID 1) runs out of stack memory and crashes, which puts the system into a "panic" state.

The problem is that systemd monitors and parses the contents of /proc/self/mountinfo and processes each mount point in the unit_name_path_escape() function, which performs a strdupa() call that places the data on the stack instead of in dynamically allocated memory. Since the maximum stack size is limited by RLIMIT_STACK, processing an overly long mount point path causes the PID 1 process to crash and halt the system. For the attack, the simplest FUSE module can be used in combination with a deeply nested directory as the mount point, with a path length exceeding 8 MB.
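The stack-versus-heap copy pattern behind this crash, shown as an added example rather than systemd's own code: `escape_on_stack` copies its input into a stack buffer (a VLA here, which has the same lifetime and failure mode as `strdupa()`), so an input approaching RLIMIT_STACK kills the process with no error to handle; `escape_on_heap` bounds the input first and then copies onto the heap, where an oversized request yields an error return instead. The escaping rule (replace "/" with "-") stands in for systemd's real unit-name escaping, and `PATH_LIMIT` is a cap chosen for the example; both are assumptions.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed cap: reject mount paths longer than this before copying anything. */
#define PATH_LIMIT 4096

/* Length of `s` up to `limit`, without relying on strnlen(). Returns a value
 * greater than `limit` if the string is longer than `limit`. */
static size_t bounded_len(const char *s, size_t limit)
{
	size_t n = 0;
	while (n <= limit && s[n] != '\0')
		n++;
	return n;
}

/* The fragile pattern: a copy on the caller's stack frame, as strdupa() makes.
 * The frame is bounded by RLIMIT_STACK (8 MB by default), so a multi-megabyte
 * path exhausts it and the process dies; there is no error return to check.
 * Returns the length of the escaped name; the copy dies with this frame. */
static size_t escape_on_stack(const char *path)
{
	size_t len = 0;
	while (path[len] != '\0')
		len++;
	char copy[len + 1];          /* stack allocation, like strdupa(path) */
	size_t n = 0;
	for (size_t i = 0; i < len; i++, n++)
		copy[i] = path[i] == '/' ? '-' : path[i];
	copy[len] = '\0';
	return n;
}

/* The robust pattern: bound the input, then copy onto the heap. Oversized or
 * unallocatable input returns NULL with errno set. Caller frees the result. */
static char *escape_on_heap(const char *path)
{
	size_t len = bounded_len(path, PATH_LIMIT);
	if (len > PATH_LIMIT) {
		errno = ENAMETOOLONG;
		return NULL;
	}
	char *copy = malloc(len + 1);
	if (!copy)
		return NULL;             /* errno = ENOMEM from malloc */
	for (size_t i = 0; i < len; i++)
		copy[i] = path[i] == '/' ? '-' : path[i];
	copy[len] = '\0';
	return copy;
}

/* Demonstration helper: a constructed path of `depth` nested "/a" components. */
static char *make_nested_path(size_t depth)
{
	size_t len = depth * 2;
	char *s = malloc(len + 1);
	if (!s)
		return NULL;
	for (size_t i = 0; i < depth; i++) {
		s[2 * i] = '/';
		s[2 * i + 1] = 'a';
	}
	s[len] = '\0';
	return s;
}

int main(void)
{
	char *small = make_nested_path(16);
	char *huge = make_nested_path(4 * 1024 * 1024);   /* an 8 MB path, as in the article */

	printf("stack escape of small path: %zu bytes\n", escape_on_stack(small));
	char *ok = escape_on_heap(small);
	printf("heap escape of small path: %s\n", ok);
	char *rejected = escape_on_heap(huge);
	printf("heap escape of 8 MB path: %s\n", rejected ? "accepted" : "rejected (ENAMETOOLONG)");
	/* escape_on_stack(huge) is deliberately not called: it would overflow the stack. */

	free(ok);
	free(rejected);
	free(small);
	free(huge);
	return 0;
}
```

For a process that must never die, such as PID 1, the heap variant is the only acceptable shape: the caller gets NULL and ENAMETOOLONG and can log and skip the mount point instead of taking the whole system down.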

The problem has been present since systemd 220 (April 2015), has already been fixed in the main systemd repository, and has been patched in the distributions (Debian, Ubuntu, Fedora, RHEL, SUSE, Arch). Curiously, in the systemd 248 release the exploit does not work because of a bug in the systemd code that causes the processing of /proc/self/mountinfo to fail. It is also interesting that a similar situation arose in 2018: while trying to write an exploit for the CVE-2018-14634 vulnerability in the Linux kernel, Qualys researchers found three vulnerabilities in systemd.

Source: opennet.ru