Source: Chinese journal 《计算机技术与发展》 (Computer Technology and Development)

Security Analysis of an Asynchronous Triggering Model for Linux Kernel Vulnerabilities


Abstract

In recent years, with more and more defense mechanisms appearing in Linux systems (for example NX, ASLR and stack canaries), exploiting user-space vulnerabilities has become very difficult, and Linux kernel vulnerabilities have gradually attracted attention. Kernel memory corruption is a typical kernel attack technique: an attacker controls kernel memory through specific function calls and thereby achieves privilege escalation. SMEP is an effective security mechanism for suppressing kernel memory corruption attacks, and it defeats the traditional ret2usr kernel attack method. Two techniques currently exist for bypassing SMEP, ret2dir and clearing the SMEP flag, and each has its own limitations. This paper identifies a new asynchronously triggered kernel vulnerability model that bypasses the SMEP security mechanism; the model uses the principle of indirect function addressing to trigger the vulnerability asynchronously, and it applies more generally to memory-corruption kernel vulnerabilities. The netfilter vulnerability on Ubuntu 16 is tested in a VMware virtual machine, and the crash scene and the kernel are analyzed with a kernel crash analysis tool and the VMware remote debugging tool to verify the effectiveness of the asynchronous triggering model. The experimental results show that the newly discovered model is a seriously harmful exploitation model.
