Vulnerability in the Netfilter subsystem of the Linux kernel

A vulnerability (CVE-2021-22555) has been identified in Netfilter, the Linux kernel subsystem used for filtering and modifying network packets, that allows a local user to obtain root privileges on the system, including from inside an isolated container. A working exploit prototype that bypasses the KASLR, SMAP and SMEP protection mechanisms has been prepared for testing. The researcher who discovered the vulnerability received a reward of 20 dollars from Google for identifying a way to bypass Kubernetes container isolation in the kCTF cluster.

The problem has existed since kernel 2.6.19, released 15 years ago, and is caused by a bug in the IPT_SO_SET_REPLACE and IP6T_SO_SET_REPLACE handlers, which leads to a buffer overflow when specially formatted parameters are passed via the setsockopt call in compat mode. Under normal conditions only the root user can call compat_setsockopt(), but the privileges needed to carry out the attack can also be obtained by an unprivileged user on systems with support for user namespaces.

A user can create a container with a separate root user and exploit the vulnerability from there. For example, user namespaces are enabled by default on Ubuntu and Fedora, but are not enabled on Debian and RHEL. The patch fixing the vulnerability was accepted into the Linux kernel on 13 April. Package updates have already been released by the Debian, Arch Linux and Fedora projects. For Ubuntu, RHEL and SUSE, updates are being prepared.

The problem occurs in the xt_compat_target_from_user() function because of an incorrect calculation of the memory size when storing kernel structures after converting them from the 32-bit to the 64-bit representation. The bug allows four null bytes to be written at any position outside the allocated buffer, bounded by offset 0x4C. This turned out to be sufficient to build an exploit that obtains root privileges: by clearing the m_list->next pointer in the msg_msg structure, conditions were created for accessing data after the memory had been freed (use-after-free), which was then used to obtain information about addresses and to modify other structures by manipulating the msgsnd() system call.
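The size miscalculation described above comes down to a difference in alignment: native 64-bit x_tables structures are padded to 8 bytes, while the 32-bit compat layout is padded to 4, so a blob sized by compat rules can be up to 4 bytes shorter than the native padding write expects. The following C program is an added, simplified model of that bug class, not the kernel's xt_compat_target_from_user() and not code from the article; the macro names XT_ALIGN and COMPAT_XT_ALIGN, the function names and the sample sizes are the example's own assumptions. It shows where the four zero bytes come from and how a bounds check against the real allocation size rejects the overshooting write while accepting a correctly sized one.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Native 64-bit x_tables structures are padded to 8 bytes, the 32-bit compat
 * layout to 4 bytes. These macros reproduce that difference; they are the
 * example's own definitions, not copied from the kernel. */
#define XT_ALIGN(s)        (((size_t)(s) + 7) & ~(size_t)7)
#define COMPAT_XT_ALIGN(s) (((size_t)(s) + 3) & ~(size_t)3)

/* Zero bytes appended after a target's data when it is laid out natively.
 * For any 4-aligned compat size this is either 0 or 4. */
size_t native_pad(size_t targetsize)
{
    return XT_ALIGN(targetsize) - targetsize;
}

/* Bytes by which the native padding overshoots a blob that was sized with
 * compat alignment: the size miscalculation reduces to this difference. */
size_t compat_sizing_overshoot(size_t targetsize)
{
    return XT_ALIGN(targetsize) - COMPAT_XT_ALIGN(targetsize);
}

/* Zero the native alignment padding behind a target of targetsize bytes that
 * begins at offset off inside blob[0..blob_len). Returns the number of bytes
 * zeroed, or -1 when the padding would reach past the end of the blob. The
 * check against the actual allocation size is what keeps the write in bounds. */
int checked_zero_pad(unsigned char *blob, size_t blob_len,
                     size_t off, size_t targetsize)
{
    size_t end = off + XT_ALIGN(targetsize);

    if (end < off || end > blob_len)   /* arithmetic overflow or out of bounds */
        return -1;
    memset(blob + off + targetsize, 0, native_pad(targetsize));
    return (int)native_pad(targetsize);
}

/* Attempt the padding write into a scratch buffer that is treated as being
 * blob_len bytes long. Returns checked_zero_pad()'s result, or -2 if blob_len
 * exceeds the scratch buffer. */
int try_with_blob_size(size_t blob_len, size_t targetsize)
{
    unsigned char blob[64];

    if (blob_len > sizeof blob)
        return -2;
    memset(blob, 0xAA, sizeof blob);   /* sentinel: shows where zeroes land */
    return checked_zero_pad(blob, blob_len, 0, targetsize);
}

int main(void)
{
    /* Constructed sizes: 12 and 20 are 4-aligned but not 8-aligned,
     * 16 and 24 are both. */
    size_t sizes[] = { 12, 16, 20, 24 };

    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++) {
        size_t ts = sizes[i];
        printf("targetsize=%2zu native_pad=%zu overshoot=%zu "
               "compat-sized blob -> %d, native-sized blob -> %d\n",
               ts, native_pad(ts), compat_sizing_overshoot(ts),
               try_with_blob_size(COMPAT_XT_ALIGN(ts), ts),
               try_with_blob_size(XT_ALIGN(ts), ts));
    }
    return 0;
}
```

For a 12-byte target the native layout needs 4 bytes of zero padding, a compat-sized blob of 12 bytes is rejected (-1), and a native-sized blob of 16 bytes accepts the write (4); for 8-aligned sizes such as 16 there is no padding and both blob sizes are accepted. The same check, applied to the actual rule blob length rather than a size derived from the compat layout, is the shape of defence the fix needs.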

Source: opennet.ru