exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

isec-0015-msfilter.txt

isec-0015-msfilter.txt
Posted Apr 20, 2004
Authored by Wojciech Purczynski, Paul Starzetz | Site isec.pl

Linux kernel versions 2.4.22 through 2.4.25 and 2.6.1 through 2.6.3 have an integer overflow in setsockopt MCAST_MSFILTER. Proper exploitation of this vulnerability can lead to privilege escalation.

tags | advisory, overflow, kernel
systems | linux
SHA-256 | 836369aad1ed778a870f252f0733e83e6fb921672b010265395c6bb0c30ddc9d

isec-0015-msfilter.txt

Change Mirror Download
Synopsis:  Linux kernel setsockopt MCAST_MSFILTER integer overflow
Product: Linux kernel
Version: 2.4.22 - 2.4.25, 2.6.1 - 2.6.3
Vendor: http://www.kernel.org/
URL: http://isec.pl/vulnerabilities/isec-0015-msfilter.txt
Author: Paul Starzetz <ihaquer@isec.pl>
Wojciech Purczynski <cliph@isec.pl>
Date: April 20, 2004


1. Issue

A critical security vulnerability has been found in the Linux kernel in
the ip_setsockopt() function code.


2. Details

The ip_setsockopt() function code is a subroutine of the setsockopt(2)
system call. This function allows manipulation of various options of
the IP socket. The MCAST_MSFILTER option can be used to provide the
kernel with a list of multicast addresses to be received on the socket.
This code has been introduced with the 2.4.22/2.6.1 kernel releases.

There is an exploitable integer overflow inside the code handling the
MCAST_MSFILTER socket option in the IP_MSFILTER_SIZE macro calculation.

The vulnerable code resides in net/ipv4/ip_sockglue.c file:

case MCAST_MSFILTER:
{
/* ... */
msize = IP_MSFILTER_SIZE(gsf->gf_numsrc);
msf = (struct ip_msfilter *)kmalloc(msize,GFP_KERNEL);
/* ... */
for (i=0; i<gsf->gf_numsrc; ++i) {
psin = (struct sockaddr_in *)&gsf->gf_slist[i];
if (psin->sin_family != AF_INET)
goto mc_msf_out;
msf->imsf_slist[i] = psin->sin_addr.s_addr;
}

whereas the IP_MSFILTER_SIZE macro is defined as follows:

#define IP_MSFILTER_SIZE(numsrc) \
(sizeof(struct ip_msfilter) - sizeof(__u32) \
+ (numsrc) * sizeof(__u32))

Integer overflow during kernel memory space calculation may cause the
kernel buffer to be overflown with arbitrary values within the for loop
code.


3. Impact

Proper exploitation of this vulnerability leads to local privilege
escalation giving an attacker full super-user privileges. Unsuccesfull
exploitation of the vulnerability may lead to a denial-of-service
attack causing machine crash or instant reboot.


4. Solution

This bug has been fixed in the 2.4.26 and 2.6.4 kernel releases. All
users of vulnerable kernels are advised to upgrade to the latest kernel
version. For further information please contact your vendor.


5. Credits:

Paul Starzetz <ihaquer@isec.pl> discovered the vulnerability over half
a year ago. Wojciech Purczynski performed further research and developed
exploit code.


6. Copyright

Copyright (c) 2004 iSEC Security Research
All Rights Reserved.


7. Disclaimer

This document and all the information it contains are provided "as is",
for educational purposes only, without warranty of any kind, whether
express or implied.

All the content presented here my be subject of future modifications
and updates without prior notice.

The authors reserve the right not to be responsible for the topicality
correctness, completeness or quality of the information provided in
this document. Liability claims regarding damage caused by the use of
any information provided, including any kind of information which is
incomplete or incorrect, will therefore be rejected.

Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close