中危 linux_kernel 安全绕过漏洞

CVE编号

CVE-2010-3850

利用情况

POC 已公开

补丁情况

官方补丁

披露时间

2010-12-31

漏洞描述

在2.6.36.2之前，Linux内核中的net/econet/af_econet.c中的ec_dev_ioctl功能不需要CAP_NET_ADMIN功能，这允许本地用户绕预期的访问限制，并通过SIOCSIFADD Rioctl调用配置econet地址。

解决建议

Debian Linux可参考如下供应商提供的安全补丁：Debian linux-headers-2.6.26-2-alpha-legacy_2.6.26-26lenny1_alpha.debhttp://security.debian.org/pool/updates/main/l/linux-2.6/linux-headers -2.6.26-2-alpha-legacy_2.6.26-26lenny1_alpha.debDebian linux-support-2.6.26-2_2.6.26-26lenny1_all.debhttp://security.debian.org/pool/updates/main/l/linux-2.6/linux-support -2.6.26-2_2.6.26-26lenny1_all.debDebian linux-headers-2.6.26-2-alpha-generic_2.6.26-26lenny1_alpha.debhttp://security.debian.org/pool/updates/main/l/linux-2.6/linux-headers -2.6.26-2-alpha-generic_2.6.26-26lenny1_alpha.debDebian linux-patch-debian-2.6.26_2.6.26-26lenny1_all.debhttp://security.debian.org/pool/updates/main/l/linux-2.6/linux-patch-d ebian-2.6.26_2.6.26-26lenny1_all.debDebian linux-tree-2.6.26_2.6.26-26lenny1_all.debhttp://security.debian.org/pool/updates/main/l/linux-2.6/linux-tree-2. 6.26_2.6.26-26lenny1_all.debDebian linux-image-2.6.26-2-alpha-smp_2.6.26-26lenny1_alpha.debhttp://security.debian.org/pool/updates/main/l/linux-2.6/linux-image-2 .6.26-2-alpha-smp_2.6.26-26lenny1_alpha.debDebian linux-headers-2.6.26-2-all_2.6.26-26lenny1_alpha.debhttp://security.debian.org/pool/updates/main/l/linux-2.6/linux-headers -2.6.26-2-all_2.6.26-26lenny1_alpha.debDebian linux-doc-2.6.26_2.6.26-26lenny1_all.debhttp://security.debian.org/pool/updates/main/l/linux-2.6/linux-doc-2.6 .26_2.6.26-26lenny1_all.debDebian linux-image-2.6.26-2-alpha-generic_2.6.26-26lenny1_alpha.debhttp://security.debian.org/pool/updates/main/l/linux-2.6/linux-image-2 .6.26-2-alpha-generic_2.6.26-26lenny1_alpha.debDebian linux-libc-dev_2.6.26-26lenny1_alpha.debhttp://security.debian.org/pool/updates/main/l/linux-2.6/linux-libc-de v_2.6.26-26lenny1_alpha.debDebian linux-headers-2.6.26-2-common_2.6.26-26lenny1_alpha.debhttp://security.debian.org/pool/updates/main/l/linux-2.6/linux-headers -2.6.26-2-common_2.6.26-26lenny1_alpha.debDebian linux-headers-2.6.26-2-all-alpha_2.6.26-26lenny1_alpha.debhttp://security.debian.org/pool/updates/main/l/linux-2.6/linux-headers -2.6.26-2-all-alpha_2.6.26-26lenny1_alpha.debDebian linux-source-2.6.26_2.6.26-26lenny1_all.debhttp://security.debian.org/pool/updates/main/l/linux-2.6/linux-source- 2.6.26_2.6.26-26lenny1_all.debDebian linux-manual-2.6.26_2.6.26-26lenny1_all.debhttp://security.debian.org/pool/updates/main/l/linux-2.6/linux-manual- 2.6.26_2.6.26-26lenny1_all.debDebian linux-headers-2.6.26-2-alpha-smp_2.6.26-26lenny1_alpha.debhttp://security.debian.org/pool/updates/main/l/linux-2.6/linux-headers -2.6.26-2-alpha-smp_2.6.26-26lenny1_alpha.debDebian linux-image-2.6.26-2-alpha-legacy_2.6.26-26lenny1_alpha.debhttp://security.debian.org/pool/updates/main/l/linux-2.6/linux-image-2 .6.26-2-alpha-legacy_2.6.26-26lenny1_alpha.debDebian Linux 5.0 armelDebian linux-tree-2.6.26_2.6.26-26lenny1_all.debhttp://security.debian.org/pool/updates/main/l/linux-2.6/linux-tree-2. 6.26_2.6.26-26lenny1_all.debDebian linux-image-2.6.26-2-iop32x_2.6.26-26lenny1_armel.debhttp://security.debian.org/pool/updates/main/l/linux-2.6/linux-image-2 .6.26-2-iop32x_2.6.26-26lenny1_armel.debDebian linux-patch-debian-2.6.26_2.6.26-26lenny1_all.debhttp://security.debian.org/pool/updates/main/l/linux-2.6/linux-patch-d ebian-2.6.26_2.6.26-26lenny1_all.debDebian linux-image-2.6.26-2-ixp4xx_2.6.26-26lenny1_armel.debhttp://security.debian.org/pool/updates/main/l/linux-2.6/linux-image-2 .6.26-2-ixp4xx_2.6.26-26lenny1_armel.debDebian linux-headers-2.6.26-2-common_2.6.26-26lenny1_armel.debhttp://security.debian.org/pool/updates/main/l/linux-2.6/linux-headers -2.6.26-2-common_2.6.26-26lenny1_armel.debDebian linux-headers-2.6.26-2-iop32x_2.6.26-26lenny1_armel.debhttp://security.debian.org/pool/updates/main/l/linux-2.6/linux-headers -2.6.26-2-iop32x_2.6.26-26lenny1_armel.debDebian linux-headers-2.6.26-2-ixp4xx_2.6.26-26lenny1_armel.debhttp://security.debian.org/pool/updates/main/l/linux-2.6/linux-headers -2.6.26-2-ixp4xx_2.6.26-26lenny1_armel.debDebian linux-image-2.6.26-2-versatile_2.6.26-26lenny1_armel.debhttp://security.debian.org/pool/updates/main/l/linux-2.6/linux-image-2 .6.26-2-versatile_2.6.26-26lenny1_armel.debDebian linux-libc-dev_2.6.26-26lenny1_armel.debhttp://security.debian.org/pool/updates/main/l/linux-2.6/linux-libc-de v_2.6.26-26lenny1_armel.debDebian linux-headers-2.6.26-2-all-armel_2.6.26-26lenny1_armel.debhttp://security.debian.org/pool/updates/main/l/linux-2.6/linux-headers -2.6.26-2-all-armel_2.6.26-26lenny1_armel.debDebian linux-headers-2.6.26-2-versatile_2.6.26-26lenny1_armel.debhttp://security.debian.org/pool/updates/main/l/linux-2.6/linux-headers -2.6.26-2-versatile_2.6.26-26lenny1_armel.debDebian linux-doc-2.6.26_2.6.26-26lenny1_all.debhttp://security.debian.org/pool/updates/main/l/linux-2.6/linux-doc-2.6 .26_2.6.26-26lenny1_all.debDebian linux-headers-2.6.26-2-orion5x_2.6.26-26lenny1_armel.debhttp://security.debian.org/pool/updates/main/l/linux-2.6/linux-headers -2.6.26-2-orion5x_2.6.26-26lenny1_armel.debDebian linux-headers-2.6.26-2-all_2.6.26-26lenny1_armel.debhttp://security.debian.org/pool/updates/main/l/linux-2.6/linux-headers -2.6.26-2-all_2.6.26-26lenny1_armel.debDebian linux-source-2.6.26_2.6.26-26lenny1_all.debhttp://security.debian.org/pool/updates/main/l/linux-2.6/linux-source- 2.6.26_2.6.26-26lenny1_all.debDebian linux-manual-2.6.26_2.6.26-26lenny1_all.debhttp://security.debian.org/pool/updates/main/l/linux-2.6/linux-manual- 2.6.26_2.6.26-26lenny1_all.debDebian linux-image-2.6.26-2-orion5x_2.6.26-26lenny1_armel.debhttp://security.debian.org/pool/updates/main/l/linux-2.6/linux-image-2 .6.26-2-orion5x_2.6.26-26lenny1_armel.debDebian linux-support-2.6.26-2_2.6.26-26lenny1_all.debhttp://security.debian.org/pool/updates/main/l/linux-2.6/linux-support -2.6.26-2_2.6.26-26lenny1_all.deb

参考链接
http://archives.neohapsis.com/archives/fulldisclosure/2010-12/0086.html
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3...
http://lists.opensuse.org/opensuse-security-announce/2011-01/msg00007.html
http://lists.opensuse.org/opensuse-security-announce/2011-02/msg00000.html
http://lists.opensuse.org/opensuse-security-announce/2011-02/msg00002.html
http://openwall.com/lists/oss-security/2010/11/30/1
http://secunia.com/advisories/43056
http://secunia.com/advisories/43291
http://www.debian.org/security/2010/dsa-2126
http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.36.2
http://www.mandriva.com/security/advisories?name=MDVSA-2010:257
http://www.mandriva.com/security/advisories?name=MDVSA-2011:051
http://www.ubuntu.com/usn/USN-1023-1
http://www.vupen.com/english/advisories/2011/0213
http://www.vupen.com/english/advisories/2011/0298
http://www.vupen.com/english/advisories/2011/0375
https://bugzilla.redhat.com/show_bug.cgi?id=644156

受影响软件情况

#	类型	厂商	产品	版本	影响面
1
	运行在以下环境
	系统	canonical	ubuntu_linux	10.04	-
	运行在以下环境
	系统	canonical	ubuntu_linux	10.10	-
	运行在以下环境
	系统	canonical	ubuntu_linux	6.06	-
	运行在以下环境
	系统	canonical	ubuntu_linux	8.04	-
	运行在以下环境
	系统	canonical	ubuntu_linux	9.10	-
	运行在以下环境
	系统	debian	debian_linux	5.0	-
	运行在以下环境
	系统	linux	linux_kernel	*		Up to (excluding) 2.6.36.2
	运行在以下环境
	系统	opensuse_11.2	kernel	*		Up to (excluding) 2.6.31.14-0.8.1
	运行在以下环境
	系统	opensuse_11.3	kernel	*		Up to (excluding) 2.6.34.8-0.2.1
	运行在以下环境
	系统	suse	linux_enterprise_desktop	10	-
	运行在以下环境
	系统	suse	linux_enterprise_real_time_extension	11	-
	运行在以下环境
	系统	suse	linux_enterprise_server	10	-
	运行在以下环境
	系统	suse	linux_enterprise_server	9	-
	运行在以下环境
	系统	suse	linux_enterprise_software_development_kit	10	-
	运行在以下环境
	系统	suse_10	kernel-default	*		Up to (excluding) 2.6.16.60-0.42.11

阿里云评分 5.1

• 攻击路径 本地
• 攻击复杂度 容易
• 权限要求 无需权限
• 影响范围 越权影响
• EXP成熟度 POC 已公开
• 补丁情况 官方补丁
• 数据保密性 无影响
• 数据完整性 无影响
• 服务器危害 无影响
• 全网数量 N/A

CWE-ID	漏洞类型
NVD-CWE-noinfo

Exp相关链接

• https://www.exploit-db.com/exploits/15704
• https://www.exploit-db.com/exploits/17787

- avd.aliyun.com