Linux kernel critical vulnerability (1): root with a single command -- simple mitigation


Linux kernel vulnerabilities have been coming out almost monthly lately; on August 15 yet another one appeared that hits nearly every version, kernel and architecture, with a working exploit against every 32-bit Linux running a 2.6 kernel older than 2.6.19.
Red Hat has already published the fix: RHSA-2009:1223 - Security Advisory
On RHEL4, updating to kernel 2.6.9-89.0.9 takes care of it; I have not had time to verify RHEL5, but a yum update of the kernel package, followed by a reboot into the new kernel (the running kernel is not patched until you reboot), should resolve it.
########################## 
If the iptables OUTPUT chain restricts UDP packets, the privilege escalation cannot succeed.
Trace the exploit binary:
$ strace ./a
socket(PF_INET, SOCK_DGRAM, IPPROTO_IP) = 3
sendto(3, ""..., 1024, MSG_PROXY|MSG_MORE, {sa_family=AF_UNSPEC, sa_data="\202\202\202\202\202\202\202\202\202\202\202\202\202\202"}, 16) = 1024
sendto(3, ""..., 1024, 0, {sa_family=AF_UNSPEC, sa_data="\202\202\202\202\202\202\202\202\202\202\202\202\202\202"}, 16) = -1 EPERM (Operation not permitted)
Compare with the corresponding part of the exploit source:
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>

/* excerpt from the exploit's trigger routine; fd, buf[1024], x0x (a struct sockaddr)
   and uid (the caller's uid, saved at startup) are declared elsewhere in the exploit */
if((fd=socket(PF_INET,SOCK_DGRAM,0))==-1){
    perror("[-] socket()");
    return -1;
}
x0x.sa_family=AF_UNSPEC;
memset(x0x.sa_data,0x82,14);            /* read as sockaddr_in: port 0x8282 = 33410, addr 130.130.130.130 */
memset((char *)buf,0,sizeof(buf));
sendto(fd,buf,1024,MSG_PROXY|MSG_MORE,&x0x,sizeof(x0x));   /* MSG_MORE corks the UDP socket, nothing leaves yet */
sendto(fd,buf,1024,0,&x0x,sizeof(x0x));                    /* flush: this is the send that iptables can reject */
if(getuid()==uid){
    printf("[-] exploit failed, try again\n");
    return -1;
}
This code creates a UDP socket and then calls sendto(fd,buf,1024,0,&x0x,sizeof(x0x)); with an iptables OUTPUT rule restricting UDP, that call returns -1 EPERM (Operation not permitted), as the strace above shows, and the exploit never gets its root shell.
So a strict set of iptables OUTPUT rules stops this exploit. Note that this is a workaround, not a fix: the kernel bug is still there, and a modified exploit is not necessarily blocked by the firewall, so the kernel update above is still required.
##################
vi /etc/sysconfig/iptables
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# 33410 = 0x8282: the destination port the exploit encodes with memset(sa_data,0x82,14)
-A OUTPUT -p udp --dport 33410 -j DROP
COMMIT
service iptables restart
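To see where the 33410 in that rule comes from, here is an added example (my own code, not part of the exploit or the original post) that reproduces the exploit's address setup without sending anything: it fills a struct sockaddr exactly as the memset(x0x.sa_data,0x82,14) line does, reinterprets it as the struct sockaddr_in the kernel's UDP send path reads, and prints the destination port and address together with the matching OUTPUT rule. The fill byte is a parameter, so you can also see that an exploit rebuilt with a different byte aims at a different port and slips past the rule above. The function names are mine.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Both address structs are 16 bytes on Linux; the reinterpretation below relies on it. */
_Static_assert(sizeof(struct sockaddr) == sizeof(struct sockaddr_in),
               "sockaddr and sockaddr_in differ in size");

/* Fill a generic struct sockaddr the way the exploit excerpt does:
 * sa_family = AF_UNSPEC, all 14 bytes of sa_data set to one byte. */
static void fill_like_exploit(struct sockaddr *sa, unsigned char fill)
{
    memset(sa, 0, sizeof *sa);
    sa->sa_family = AF_UNSPEC;
    memset(sa->sa_data, fill, sizeof sa->sa_data);
}

/* The UDP send path reads the generic address as a sockaddr_in, so
 * sa_data[0..1] becomes the port (network order) and sa_data[2..5] the
 * IPv4 destination. */
static void as_sockaddr_in(unsigned char fill, struct sockaddr_in *sin)
{
    struct sockaddr sa;
    fill_like_exploit(&sa, fill);
    memcpy(sin, &sa, sizeof *sin);
}

/* Destination UDP port, host byte order, that the kernel sees for this fill byte. */
unsigned exploit_dport(unsigned char fill)
{
    struct sockaddr_in sin;
    as_sockaddr_in(fill, &sin);
    return ntohs(sin.sin_port);
}

/* Destination IPv4 address as a dotted quad (static buffer, not thread-safe). */
const char *exploit_daddr(unsigned char fill)
{
    static char buf[INET_ADDRSTRLEN];
    struct sockaddr_in sin;
    as_sockaddr_in(fill, &sin);
    return inet_ntop(AF_INET, &sin.sin_addr, buf, sizeof buf);
}

/* The OUTPUT rule, in /etc/sysconfig/iptables syntax, that makes the
 * exploit's second sendto() fail with EPERM (static buffer). */
const char *exploit_block_rule(unsigned char fill)
{
    static char rule[96];
    snprintf(rule, sizeof rule, "-A OUTPUT -p udp --dport %u -j DROP",
             exploit_dport(fill));
    return rule;
}

int main(void)
{
    /* 0x82 is the byte the exploit uses; 0x41 stands in for a trivially
     * modified copy, to show the published rule would then no longer match. */
    const unsigned char fills[] = { 0x82, 0x41 };
    for (size_t i = 0; i < sizeof fills; i++) {
        printf("fill 0x%02x -> dst %s:%u\n  %s\n",
               fills[i], exploit_daddr(fills[i]), exploit_dport(fills[i]),
               exploit_block_rule(fills[i]));
    }
    return 0;
}
```

Build with gcc -Wall and run it: for 0x82 it prints 130.130.130.130:33410 and the exact rule from the config above. For any other fill byte the port changes, which is the point of the caveat about the firewall being a stopgap: the rule only matches one specific build of the exploit, while the kernel update fixes the bug itself.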