Linux Kernel sysctl() Interface Unregistration Error Lets Local Users Deny Service
|
|
SecurityTracker Alert ID: 1015434
|
|
SecurityTracker URL: http://securitytracker.com/id?1015434
|
|
CVE Reference: CVE-2005-2709
(Links to External Site)
|
|
OSVDB Reference: 20676
(Links to External Site)
|
Date: Jan 4 2006
|
Impact: Denial of service via network
|
Fix Available: Yes
Vendor Confirmed: Yes
|
Version(s): 2.6 prior to 2.6.15
|
Description: A vulnerability was reported in Linux Kernel. A local user can cause the kernel to crash.
A local user can exploit an error in the sysctl() interface unregistration process to trigger a kerenl panic.
|
Impact: A local user can cause a kernel panic.
|
Solution: The vendor has issued a fixed version (2.6.15).
|
Vendor URL: www.kernel.org/ (Links to External Site)
|
Cause: State error
|
|
Message History:
This archive entry has one or more follow-up message(s) listed below.
|
Source Message Contents
|
Date: Wed, 4 Jan 2006 11:21:36 -0500
Subject: Linux kernel vulnerability
|
[PATCH] Fix sysctl unregistration oops (CVE-2005-2709)
You could open the /proc/sys/net/ipv4/conf/<if>/<whatever> file, then
wait for interface to go away, try to grab as much memory as possible in
hope to hit the (kfreed) ctl_table. Then fill it with pointers to your
function. Then do read from file you've opened and if you are lucky,
you'll get it called as ->proc_handler() in kernel mode.
So this is at least an Oops and possibly more. It does depend on an
interface going away though, so less of a security risk than it would
otherwise be.
|
|
