Site updated: 2024-02-03 22:51:44
h0pe-ay committed Feb 3, 2024
1 parent d7f272a commit 15f233c
Showing 30 changed files with 2,818 additions and 248 deletions.
11 changes: 9 additions & 2 deletions CVE-2023-0179-Nftables整型溢出/index.html
Expand Up @@ -276,7 +276,7 @@



123 分钟
122 分钟

</span>

Expand Down Expand Up @@ -343,7 +343,8 @@ <h1 id="环境搭建"><a href="#环境搭建" class="headerlink" title="环境
<p>可以看到作者在漏洞利用之前需要创建一些虚拟的网络设备,例如虚拟设备对,<code>vlan</code>接口以及网桥。这是因为想要进入<code>nft_payload_copy_vlan</code>函数的执行流程,需要数据包在<code>vlan</code>上进行传输才可以。代码如下所示:</p>
<figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br></pre></td><td class="code"><pre><code class="hljs c"><span class="hljs-type">void</span> <span class="hljs-title function_">nft_payload_eval</span><span class="hljs-params">(<span class="hljs-type">const</span> <span class="hljs-keyword">struct</span> nft_expr *expr,</span><br><span class="hljs-params"> <span class="hljs-keyword">struct</span> nft_regs *regs,</span><br><span class="hljs-params"> <span class="hljs-type">const</span> <span class="hljs-keyword">struct</span> nft_pktinfo *pkt)</span><br>&#123;<br> <span class="hljs-type">const</span> <span class="hljs-class"><span class="hljs-keyword">struct</span> <span class="hljs-title">nft_payload</span> *<span class="hljs-title">priv</span> =</span> nft_expr_priv(expr);<br> <span class="hljs-type">const</span> <span class="hljs-class"><span class="hljs-keyword">struct</span> <span class="hljs-title">sk_buff</span> *<span class="hljs-title">skb</span> =</span> pkt-&gt;skb;<br> u32 *dest = &amp;regs-&gt;data[priv-&gt;dreg];<br> <span class="hljs-type">int</span> offset;<br><br> <span class="hljs-keyword">if</span> (priv-&gt;len % 
NFT_REG32_SIZE)<br> dest[priv-&gt;len / NFT_REG32_SIZE] = <span class="hljs-number">0</span>;<br><br> <span class="hljs-keyword">switch</span> (priv-&gt;base) &#123;<br> <span class="hljs-keyword">case</span> NFT_PAYLOAD_LL_HEADER: <span class="hljs-comment">//数据链路层</span><br> <span class="hljs-keyword">if</span> (!skb_mac_header_was_set(skb)) <span class="hljs-comment">//判断数据包是否为mac头</span><br> <span class="hljs-keyword">goto</span> err;<br><br> <span class="hljs-keyword">if</span> (skb_vlan_tag_present(skb)) &#123; <span class="hljs-comment">//判断数据包是否有vlan标志</span><br> <span class="hljs-keyword">if</span> (!nft_payload_copy_vlan(dest, skb,<br> priv-&gt;offset, priv-&gt;len))<br> <span class="hljs-keyword">goto</span> err;<br> <span class="hljs-keyword">return</span>;<br> &#125;<br> offset = skb_mac_header(skb) - skb-&gt;data;<br> <span class="hljs-keyword">break</span>;<br>...<br></code></pre></td></tr></table></figure>

<p>因此为了使得程序进入漏洞函数,需要建设特定的网络环境。而该网络拓扑与<code>Docker</code>的很像,具体内容可以参考<a target="_blank" rel="noopener" href="https://cloud.tencent.com/developer/article/1835299%E3%80%82%E7%BD%91%E7%BB%9C%E6%8B%93%E6%89%91%E5%A4%A7%E8%87%B4%E5%A6%82%E4%B8%8B%EF%BC%8C%E4%BD%BF%E7%94%A8%E8%99%9A%E6%8B%9F%E8%AE%BE%E5%A4%87%E5%AF%B9%E7%9A%84%E4%BD%9C%E7%94%A8%E6%97%B6%EF%BC%8C%E4%B8%80%E7%AB%AF%E6%8E%A5%E5%8F%A3%E4%BD%9C%E4%B8%BA%E6%95%B0%E6%8D%AE%E7%9A%84%E8%BE%93%E5%85%A5%E8%80%8C%E5%8F%A6%E4%B8%80%E7%AB%AF%E6%8E%A5%E5%8F%A3%E4%BD%9C%E4%B8%BA%E6%95%B0%E6%8D%AE%E7%9A%84%E6%B5%81%E5%87%BA%EF%BC%8C%E9%82%A3%E4%B9%88%E5%90%8E%E7%BB%AD%E8%BF%9B%E8%A1%8C%60hook%60%E7%9A%84%E6%97%B6%E5%80%99%E5%8F%AA%E9%9C%80%E8%A6%81%60hook%60%E4%B8%80%E4%B8%AA%E7%82%B9%E5%B0%B1%E8%A1%8C%EF%BC%8C%E8%AE%BE%E7%BD%AE%60vlan%60%E6%8E%A5%E5%8F%A3%E6%98%AF%E5%9B%A0%E4%B8%BA%E5%8F%AA%E6%9C%89%60vlan%60%E7%9A%84%E6%95%B0%E6%8D%AE%E5%8C%85%E6%89%8D%E8%83%BD%E5%A4%9F%E8%BF%9B%E5%85%A5%60nft_payload_copy_vlan%60%E5%87%BD%E6%95%B0%E7%9A%84%E6%B5%81%E7%A8%8B%E5%86%85%EF%BC%8C%E8%80%8C%E5%9C%A8%60vlan.5%60%E4%B8%8A%E5%86%8D%E6%AC%A1%E5%88%9B%E5%BB%BA%E4%B8%80%E4%B8%AA%60vlan%60%E6%8E%A5%E5%8F%A3%E6%98%AF%E5%9B%A0%E4%B8%BA%E4%BD%BF%E5%BE%97%E6%95%B0%E6%8D%AE%E5%8C%85%E8%83%BD%E5%A4%9F%E5%8A%A0%E5%85%A5%E5%8F%8C%E5%B1%82%60vlan">https://cloud.tencent.com/developer/article/1835299。网络拓扑大致如下,使用虚拟设备对的作用时,一端接口作为数据的输入而另一端接口作为数据的流出,那么后续进行`hook`的时候只需要`hook`一个点就行,设置`vlan`接口是因为只有`vlan`的数据包才能够进入`nft_payload_copy_vlan`函数的流程内,而在`vlan.5`上再次创建一个`vlan`接口是因为使得数据包能够加入双层`vlan</a> tag<code>,这样可以通过</code>IEEE 8021AD&#96;协议传输。</p>
<p>因此为了使得程序进入漏洞函数,需要建设特定的网络环境。而该网络拓扑与<code>Docker</code>的很像,具体内容可以参考<a target="_blank" rel="noopener" href="https://cloud.tencent.com/developer/article/1835299">https://cloud.tencent.com/developer/article/1835299</a></p>
<p>网络拓扑大致如下,使用虚拟设备对的作用时,一端接口作为数据的输入而另一端接口作为数据的流出,那么后续进行<code>hook</code>的时候只需要<code>hook</code>一个点就行,设置<code>vlan</code>接口是因为只有<code>vlan</code>的数据包才能够进入<code>nft_payload_copy_vlan</code>函数的流程内,而在<code>vlan.5</code>上再次创建一个<code>vlan</code>接口是因为使得数据包能够加入双层<code>vlan tag</code>,这样可以通过<code>IEEE 8021AD</code>协议传输。</p>
<p><img src="https://s2.loli.net/2023/11/21/9YC8X4a2fgkiVBU.png" srcset="/img/loading.gif" lazyload alt="image-20231025111708016"></p>
<p>但是我在<code>qemu</code>的环境调试时数据包的协议都不是<code>IEEE 8021AD</code>而是<code>IEEE 8021Q</code>,在查询资料<a target="_blank" rel="noopener" href="https://blog.csdn.net/m0_45406092/article/details/118497597%E5%8F%91%E7%8E%B0%EF%BC%8C%E5%8F%AF%E4%BB%A5%E6%8C%87%E5%AE%9A%60vlan%60%E7%9A%84%E7%B1%BB%E5%9E%8B%E4%B8%BA%60IEEE">https://blog.csdn.net/m0_45406092/article/details/118497597发现,可以指定`vlan`的类型为`IEEE</a> 8021AD&#96;,因此修改了一下脚本。</p>
<figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br></pre></td><td class="code"><pre><code class="hljs shell"><span class="hljs-meta prompt_">#</span><span class="language-bash">!/bin/sh</span><br><span class="hljs-meta prompt_"></span><br><span class="hljs-meta prompt_"># </span><span class="language-bash">create the peer virtual device</span><br>ip link add eth32 type veth peer name host-enp3s0<br>ip link set host-enp3s0 up<br>ip link set eth32 up<br><span class="hljs-meta prompt_">#</span><span class="language-bash">ip addr add 192.168.137.137/24 dev host-enp3s0</span><br><span class="hljs-meta prompt_"># </span><span class="language-bash">add two vlans on top of it</span><br>ip link add link host-enp3s0 name vlan.5 type vlan id 5<br>ip link add link vlan.5 name vlan.10 type vlan protocol 802.1ad id 10 <br><span class="hljs-meta prompt_">#</span><span class="language-bash">ip addr add 192.168.147.137/24 dev vlan.5</span><br>ip link set vlan.5 up<br>ip link set lo up<br>ip link set vlan.10 up<br></code></pre></td></tr></table></figure>
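Review bot: the unchanged context paragraph just before the shell figure still has the same mis-parsed link that this hunk fixes for the tencent reference above it: the CSDN href runs on into percent-encoded Chinese text (`...118497597%E5%8F%91%E7%8E%B0...`), the visible anchor text swallows part of the sentence (`发现,可以指定`vlan`的类型为`IEEE`), and a stray `&#96;` is left dangling after the `</a>`. Close the `<a>` right after `.../118497597` and restore the remainder as plain text with `<code>vlan</code>` / `<code>IEEE 802.1ad</code>`, exactly as the two new `<p>` lines do for the first link. While here, the new paragraph writes the protocol as `IEEE 8021AD` (and the context line as `IEEE 8021Q`), whereas the script below uses `protocol 802.1ad`; spelling them `IEEE 802.1ad` and `IEEE 802.1Q` in the prose matches the ip(8) argument and the standard names.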
Expand Down Expand Up @@ -559,6 +560,12 @@ <h1 id="参考链接"><a href="#参考链接" class="headerlink" title="参考
<article class="post-prev col-6">


<a href="/Fuzzing101-Xpdf/" title="Fuzzing101-Xpdf">
<i class="iconfont icon-arrowleft"></i>
<span class="hidden-mobile">Fuzzing101-Xpdf</span>
<span class="visible-mobile">上一篇</span>
</a>

</article>
<article class="post-next col-6">
