Stack Clash vulnerability hands over root access on Linux and other UNIX operating systems!

Posted by twt企业IT社区

Several security sites recently warned that Linux, BSD, Solaris and other open-source systems are affected by a local privilege-escalation vulnerability called "Stack Clash", which lets an attacker execute code with root privileges.

Patches are already available. Any system running Linux, OpenBSD, NetBSD, FreeBSD or Solaris on i386 or amd64 hardware should be updated as soon as possible.

The flaw is tracked as CVE-2017-1000364. The researchers who found it point out that an attacker who already has a foothold on a vulnerable system can use it to escalate privileges. Attackers can also chain it with other serious bugs, such as the recently fixed Sudo vulnerability, and then execute arbitrary code with the highest privileges.

The vulnerability lies in the stack, a region of memory managed by the system. The attack bypasses the stack guard-page mitigation that Linux introduced in 2010. The researchers, from Qualys, say their proof-of-concept exploits make the stack overflow, jump over the guard page and land in a memory region that the stack was never meant to reach. By design, the stack grows whenever a program needs more stack memory; it is this growth that the attack abuses.

In its advisory, Qualys notes that if an attacker can move a process's stack pointer into another memory region without triggering a page fault, the process will use that other region as though it were an extension of the stack. The attacker can then write into this "stack extension" and corrupt the adjacent region, or write into the other region and corrupt the stack.

The guard page was meant to prevent exactly this. Unfortunately, a single guard page of a few kilobytes is not enough: if the stack pointer jumps over the guard page (that is, moves from the stack into another memory region without ever touching the guard page), no page-fault exception is raised and the stack simply extends into the other region.

Qualys says it has not fully ruled out the possibility that the flaw can be exploited remotely, adding that this depends on the application; for now the company is focusing on local privilege escalation.

Qualys says its proof-of-concept exploits (the researchers built seven) follow four memory-allocating steps, none of which can be released before all four are complete: clash the stack with another memory region, run the stack pointer to the start of the stack, jump over the stack guard page, and smash the stack or the other memory region.

As a stopgap until updates are rolled out, Qualys recommends increasing the stack guard region to at least 1 MB. It also recommends recompiling userland code with the -fstack-check option, which prevents the stack pointer from moving into another memory region; this approach is costly, but safer.

Qualys rates the vulnerability as high severity because, combined with other flaws, it can take an attacker from remote access to root quickly.
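The following C program is an added illustration, not Qualys's proof-of-concept code and not kernel code. It models the situation the advisory describes: a stack that has already been grown down to the guard region sitting above another mapping (steps 1 and 2), and a new frame allocated beneath the stack pointer (steps 3 and 4). It contrasts an unprobed frame, where the first access lands at the bottom of the frame, with a frame probed one page at a time the way -fstack-check-compiled code does. The address constants, the 8 MiB distance to the neighbouring mapping and the three-band memory model are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SIZE 4096UL
#define MIB       (1024UL * 1024UL)

enum outcome { ACCESS_OK = 0, ACCESS_FAULT = 1, ACCESS_CLASH = 2 };

/* Simplified model of the memory below the stack (an assumption of this
 * example, not the kernel's VMA handling):
 *   below other_end                      : an unrelated mapping (heap, library)
 *   [other_end, other_end + guard_bytes) : the guard region; any touch faults
 *   [other_end + guard_bytes, stack_top) : addresses the stack may grow into
 */
struct layout {
    uintptr_t stack_top;
    uintptr_t other_end;
    uintptr_t guard_bytes;
};

/* Constructed layout: stack top at a typical x86-64 address, another mapping
 * 8 MiB below it, with a guard of the requested size in between. */
struct layout make_layout(uintptr_t guard_bytes) {
    struct layout l;
    l.stack_top = 0x7ffffffff000UL;
    l.other_end = l.stack_top - 8 * MIB;
    l.guard_bytes = guard_bytes;
    return l;
}

/* Steps 1 and 2 of the attack: the stack has been grown until the stack
 * pointer sits just above the guard region. */
uintptr_t grown_sp(const struct layout *l) {
    return l->other_end + l->guard_bytes + 256;
}

/* What happens when the process touches addr. */
static enum outcome classify(const struct layout *l, uintptr_t addr) {
    if (addr >= l->stack_top) return ACCESS_FAULT;              /* not in the stack at all */
    if (addr >= l->other_end + l->guard_bytes) return ACCESS_OK;  /* stack grows on demand */
    if (addr >= l->other_end) return ACCESS_FAULT;              /* guard region: page fault */
    return ACCESS_CLASH;                     /* silently lands in the other mapping */
}

/* Allocate frame_bytes below sp, then use the lowest address of the frame.
 * Without probing that first touch is the only access and can jump the guard
 * (steps 3 and 4). With -fstack-check style probing, every page between sp
 * and the frame bottom is touched in order, so the guard is hit first. */
enum outcome simulate_frame(const struct layout *l, uintptr_t sp,
                            size_t frame_bytes, int probe_pages) {
    if (probe_pages) {
        for (uintptr_t off = PAGE_SIZE; off < frame_bytes; off += PAGE_SIZE) {
            enum outcome o = classify(l, sp - off);
            if (o != ACCESS_OK) return o;
        }
    }
    return classify(l, sp - frame_bytes);
}

static const char *outcome_name(enum outcome o) {
    return o == ACCESS_OK ? "ok" : o == ACCESS_FAULT ? "fault" : "CLASH";
}

int main(void) {
    uintptr_t guards[] = { 4096UL, 1 * MIB };     /* 2010 guard page vs 1 MiB gap */
    size_t frames[] = { 64 * 1024UL, 2 * MIB };   /* one large alloca-style frame */
    for (size_t g = 0; g < 2; g++) {
        struct layout l = make_layout(guards[g]);
        for (size_t f = 0; f < 2; f++) {
            printf("guard %7lu B, frame %7lu B: unprobed=%-5s probed=%s\n",
                   (unsigned long)guards[g], (unsigned long)frames[f],
                   outcome_name(simulate_frame(&l, grown_sp(&l), frames[f], 0)),
                   outcome_name(simulate_frame(&l, grown_sp(&l), frames[f], 1)));
        }
    }
    return 0;
}
```

The 4 KiB guard is jumped by any unprobed frame larger than one page. A 1 MiB gap stops the 64 KiB frame but not the 2 MiB one, which is why a bigger guard region is only a stopgap and the advisory also asks for -fstack-check: with page-by-page probing every case ends in a fault on the guard rather than a silent write into the neighbouring mapping.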

-------------------------

A raft of Unix-based operating systems—including Linux, OpenBSD, and FreeBSD—contain flaws that let attackers elevate low-level access on a vulnerable computer to unfettered root. Security experts are advising administrators to install patches or take other protective actions as soon as possible.

Stack Clash, as the vulnerability is being called, is most likely to be chained to other vulnerabilities to make them more effectively execute malicious code, researchers from Qualys, the security firm that discovered the bugs, said in a blog post published Monday. Such local privilege escalation vulnerabilities can also pose a serious threat to server host providers because one customer can exploit the flaw to gain control over other customer processes running on the same server. Qualys said it's also possible that Stack Clash could be exploited in a way that allows it to remotely execute code directly.

"This is a fairly straightforward way to get root after you've already gotten some sort of user-level access," Jimmy Graham, director of product management at Qualys, told Ars. The attack works by causing a region of computer memory known as the stack to collide into separate memory regions that store unrelated code or data. "The concept isn't new, but this specific exploit is definitely new."

Developers of affected OSes are in the process of releasing patches now. An advisory published Monday morning by Linux distributor Red Hat said the mitigations may cause performance issues in the form of "overlapping values in /proc/meminfo," but they're not likely to affect normal operations. Developers may release a fix for these problems later. A Qualys representative told Ars that company researchers worked with developers of FreeBSD, NetBSD, OpenBSD, Solaris, and the main Linux distributions including Red Hat and SuSE, Debian, and Ubuntu. The representative said company researchers didn't research Microsoft or Apple products, but that they did contact both companies beforehand so they could investigate. The effect the vulnerability may have on Google's Android mobile OS is not clear.

The OS stack is a dynamic chunk of memory that grows and shrinks depending on the applications and functions that run at a given moment. If the stack expands too much, it may get close enough to other memory regions to let attackers overwrite the stack with a nearby region or vice versa. Stack Clash got its name because the first step in an exploit is bumping the stack into another chunk of memory.

Not closed after all

Stack Clash vulnerabilities have slowly gained widespread awareness, first in 2005 with the findings of security researcher Gaël Delalleau and five years later with the release of a Linux vulnerability by researcher Rafal Wojtczuk. Linux developers introduced a protection that was intended to prevent stack clashes, but today's research demonstrates that it's relatively easy for attackers to bypass that measure.

The primary proof-of-concept attack developed by Qualys exploits a vulnerability indexed as CVE-2017-1000364. Qualys researchers also developed attacks that use Stack Clash to exploit separate vulnerabilities, including CVE-2017-1000365 and CVE-2017-1000367. For example, when combined with CVE-2017-1000367, a recently fixed flaw in Sudo also discovered by Qualys, local users can exploit Sudo to obtain full root privileges on a much wider range of OSes. Qualys has so far been unable to make the exploits remotely execute code. The sole remote application they investigated was the Exim mail server, which coincidentally turned out to be unexploitable. Qualys said it can't rule out the possibility that such remote code-execution exploits exist. Qualys said it will release the proof-of-concept exploits at a later date, once people have had time to protect against the vulnerabilities.

Anyone running a Unix-based OS should check with the developer immediately to find out if a patch or security advisory is available. The best bet is to install a patch if one is available or, as a temporary workaround, set the hard RLIMIT_STACK and RLIMIT_AS of local users and remote services to a low value. Much more information is available in the detailed technical advisory from Qualys and the technical analysis from grsecurity.
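The RLIMIT workaround above can be applied per service with a small launcher that lowers the limits and then execs the real program, since hard limits survive exec and cannot be raised again by an unprivileged child. The following C wrapper is an added example, not code from Qualys or any distribution; the 8 MiB stack and 1 GiB address-space caps are illustrative assumptions, not values from the advisory, and should be tuned to what the service actually needs.

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/resource.h>
#include <unistd.h>

/* Lower one resource's hard limit (and its soft limit, if that is higher)
 * to at most `cap`. Never raises anything: without CAP_SYS_RESOURCE a
 * process may only lower its own hard limits, and a lowered hard limit
 * is inherited across exec and cannot be raised back by the child. */
int cap_limit(int resource, rlim_t cap) {
    struct rlimit rl;
    if (getrlimit(resource, &rl) != 0) return -1;
    if (rl.rlim_max <= cap) return 0;      /* already at or below the cap */
    rl.rlim_max = cap;
    if (rl.rlim_cur > cap) rl.rlim_cur = cap;
    return setrlimit(resource, &rl);
}

/* Current hard limit of a resource, RLIM_INFINITY if it cannot be read. */
rlim_t hard_limit(int resource) {
    struct rlimit rl;
    if (getrlimit(resource, &rl) != 0) return RLIM_INFINITY;
    return rl.rlim_max;
}

/* Usage: ./stackclash-wrap /path/to/service [args...]
 * With no arguments it just prints the limits it would hand down.
 * The caps below are assumptions for this example. */
int main(int argc, char **argv) {
    const rlim_t stack_cap = 8UL * 1024 * 1024;      /* 8 MiB stack */
    const rlim_t as_cap    = 1024UL * 1024 * 1024;   /* 1 GiB address space */
    if (cap_limit(RLIMIT_STACK, stack_cap) != 0 ||
        cap_limit(RLIMIT_AS, as_cap) != 0) {
        perror("setrlimit");
        return 1;
    }
    if (argc < 2) {
        printf("RLIMIT_STACK hard=%lu RLIMIT_AS hard=%lu\n",
               (unsigned long)hard_limit(RLIMIT_STACK),
               (unsigned long)hard_limit(RLIMIT_AS));
        return 0;
    }
    execvp(argv[1], argv + 1);   /* limits are inherited by the new image */
    perror("execvp");
    return 127;
}
```

A low RLIMIT_STACK bounds how far the stack can grow toward other mappings, and a low RLIMIT_AS bounds how much the attacker can map to bring another region up against the stack; both only shrink the attack surface and are no substitute for the kernel and userland patches.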

This post was updated in the fourth paragraph to add details about the effect on various OSes.

(Compiled from web sources)
