all things security

IBM AIX Kernel Memory Leak / Denial Of Service

IBM AIX Kernel Memory Leak / Denial Of Service
Posted May 6, 2014
Authored by Tim Brown | Site portcullis-security.com

IBM AIX versions 5.3, 6.1 and 7.1 releases VIOS 2.2.* suffer from kernel memory leak and denial of service vulnerabilities. It has been identified that the ptrace() system call can be manipulated by an unprivileged user into leaking uninitialized kernel memory and that the method by which this is achieved may also lead to a denial of service condition. This can be achieved by manipulating the parameters that are passed to the ptrace() system call when performing the PT_LDINFO operation. By calling ptrace(PT_LDINFO, childpid, leakbuffer, maximumleak, NULL) with a value of maximumleak that greater than that required for the expected result of the PT_LDINFO operation, the AIX kernel will xmalloc() this space (without initializing it), populate it and then perform a copy operation that returns the result within leakbuffer.

tags | advisory, denial of service, kernel, vulnerability, memory leak
systems | aix
advisories | CVE-2014-0930
MD5 | 4236298d7ba606989f3262b37ad6c132

IBM AIX Kernel Memory Leak / Denial Of Service

Change Mirror Download
Vulnerability title: Kernel Memory Leak And Denial Of Service Condition
in IBM AIX
CVE: CVE-2014-0930
Vendor: IBM
Product: AIX
Affected version: 5.3, 6.1 and 7.1 releases VIOS 2.2.*
Fixed version: Interim version
Reported by: Tim Brown

Details:

It has been identified that the ptrace() system call can be manipulated
by an unprivileged user into leaking uninitialised kernel memory and
that the method by which this is achieved may also lead to a denial of
service condition. This can be achieved by manipulating the parameters
that are passed to the ptrace() system call when performing the
PT_LDINFO operation.

By calling ptrace(PT_LDINFO, childpid, leakbuffer, maximumleak, NULL)
with a value of maximumleak that greater than that required for the
expected result of the PT_LDINFO operation, the AIX kernel will
xmalloc() this space (without initialising it), populate it and then
perform a copy operation that returns the result within leakbuffer.


Further details at:
https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-0930/


Copyright:
Copyright (c) Portcullis Computer Security Limited 2014, All rights
reserved worldwide. Permission is hereby granted for the electronic
redistribution of this information. It is not to be edited or altered in
any way without the express written consent of Portcullis Computer
Security Limited.

Disclaimer:
The information herein contained may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are NO warranties, implied or otherwise, with regard to this information
or its use. Any use of this information is at the user's risk. In no
event shall the author/distributor (Portcullis Computer Security
Limited) be held liable for any damages whatsoever arising out of or in
connection with the use or spread of this information.

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

July 2017

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    2 Files
  • 2
    Jul 2nd
    3 Files
  • 3
    Jul 3rd
    15 Files
  • 4
    Jul 4th
    4 Files
  • 5
    Jul 5th
    15 Files
  • 6
    Jul 6th
    15 Files
  • 7
    Jul 7th
    10 Files
  • 8
    Jul 8th
    2 Files
  • 9
    Jul 9th
    10 Files
  • 10
    Jul 10th
    15 Files
  • 11
    Jul 11th
    15 Files
  • 12
    Jul 12th
    19 Files
  • 13
    Jul 13th
    16 Files
  • 14
    Jul 14th
    15 Files
  • 15
    Jul 15th
    3 Files
  • 16
    Jul 16th
    2 Files
  • 17
    Jul 17th
    8 Files
  • 18
    Jul 18th
    11 Files
  • 19
    Jul 19th
    15 Files
  • 20
    Jul 20th
    15 Files
  • 21
    Jul 21st
    15 Files
  • 22
    Jul 22nd
    7 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close