SecurityTracker.com
SecurityTracker Archives

Category:   OS (Linux)  >   Linux Kernel Vendors:   kernel.org
Linux Kernel setsockopt(2) MCAST_MSFILTER Integer Overflow Allows Local Users to Obtain Root Privileges
SecurityTracker Alert ID:  1009884
SecurityTracker URL:  http://securitytracker.com/id/1009884
CVE Reference:   CVE-2004-0424
Updated:  Apr 23 2004
Original Entry Date:  Apr 20 2004
Impact:   Denial of service via local system, Execution of arbitrary code via local system, Root access via local system
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 2.4.22 - 2.4.25, 2.6.1 - 2.6.3
Description:   An integer overflow was reported in the Linux kernel in the setsockopt(2) system call. A local user can gain root privileges on the target system.

Wojciech Purczynski of iSEC reported that a local user can call the ip_setsockopt() function with the MCAST_MSFILTER option to trigger an integer overflow and execute arbitrary code or cause denial of service conditions.

The flaw resides in the 'net/ipv4/ip_sockglue.c' file, where the IP_MSFILTER_SIZE is not properly defined, the report said.

The vulnerable code was reportedly introduced into the kernel in the 2.4.22 and 2.6.1 kernel releases.

Paul Starzetz is credited with discovering the flaw.

The original advisory is available at:

http://isec.pl/vulnerabilities/isec-0015-msfilter.txt

Impact:   A local user can execute arbitrary code on the target system with root privileges.

A local user can cause denial of service conditions (e.g., crash, reboot) on the target system.

Solution:   The vendor has issued a fixed version (2.4.26 and 2.6.4).
Vendor URL:  www.kernel.org/
Cause:   Boundary error

Message History:   This archive entry has one or more follow-up message(s) listed below.
Apr 27 2004 (Mandrake Issues Fix) Linux Kernel setsockopt(2) MCAST_MSFILTER Integer Overflow Allows Local Users to Obtain Root Privileges
Mandrake has released a fix.
May 1 2004 (Engarde Issues Fix) Linux Kernel setsockopt(2) MCAST_MSFILTER Integer Overflow Allows Local Users to Obtain Root Privileges
Guardian Digital has released a fix for EnGarde.
May 1 2004 (Slackware Issues Fix) Linux Kernel setsockopt(2) MCAST_MSFILTER Integer Overflow Allows Local Users to Obtain Root Privileges
Slackware has released a fix.
May 4 2004 (SuSE Issues Fix) Linux Kernel setsockopt(2) MCAST_MSFILTER Integer Overflow Allows Local Users to Obtain Root Privileges
SuSE has released a fix.



 Source Message Contents

Subject:  [Full-Disclosure] Linux kernel setsockopt MCAST_MSFILTER integer overflow


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Synopsis:  Linux kernel setsockopt MCAST_MSFILTER integer overflow
Product:   Linux kernel
Version:   2.4.22 - 2.4.25, 2.6.1 - 2.6.3
Vendor:    http://www.kernel.org/
URL:       http://isec.pl/vulnerabilities/isec-0015-msfilter.txt
Author:    Paul Starzetz <ihaquer@isec.pl>
           Wojciech Purczynski <cliph@isec.pl>
Date:      April 20, 2004


1. Issue

A critical security  vulnerability has been found in the Linux kernel in 
the ip_setsockopt() function code.


2. Details
 
The ip_setsockopt()  function  code is a subroutine of the setsockopt(2)
system call.  This function  allows  manipulation of various  options of 
the IP socket. The  MCAST_MSFILTER  option  can be used to  provide  the 
kernel with a list of multicast  addresses to be received on the socket.
This code has been introduced with the 2.4.22/2.6.1 kernel releases.

There is an exploitable  integer overflow  inside  the code handling the
MCAST_MSFILTER  socket option in the IP_MSFILTER_SIZE macro calculation.

The vulnerable code resides in net/ipv4/ip_sockglue.c file:

case MCAST_MSFILTER:
{
/* ... */
	/* gf_numsrc is user-controlled: the multiplication inside
	 * IP_MSFILTER_SIZE can wrap, so msize may be far smaller than
	 * the number of entries the loop below will store */
	msize = IP_MSFILTER_SIZE(gsf->gf_numsrc);
	msf = (struct ip_msfilter *)kmalloc(msize,GFP_KERNEL);
/* ... */
	/* the loop bound is the unwrapped gf_numsrc, so the stores run
	 * past the end of the msize-byte allocation */
	for (i=0; i<gsf->gf_numsrc; ++i) {
		psin = (struct sockaddr_in *)&gsf->gf_slist[i];
		if (psin->sin_family != AF_INET)
			goto mc_msf_out;
		msf->imsf_slist[i] = psin->sin_addr.s_addr;
	}

whereas the IP_MSFILTER_SIZE macro is defined as follows:

/* (numsrc) * sizeof(__u32) is evaluated in size_t with no upper bound
 * on numsrc; on a 32-bit kernel a large numsrc wraps the result */
#define IP_MSFILTER_SIZE(numsrc) \
	(sizeof(struct ip_msfilter) - sizeof(__u32) \
	+ (numsrc) * sizeof(__u32))

Integer overflow during  kernel memory  space  calculation may cause the
kernel buffer to be overflown  with arbitrary values within the for loop
code.


3. Impact

Proper  exploitation  of  this  vulnerability  leads to local  privilege
escalation  giving an attacker full super-user privileges.  Unsuccessful
exploitation  of  the  vulnerability  may  lead to  a  denial-of-service
attack causing machine crash or instant reboot.


4. Solution

This  bug has been  fixed in the 2.4.26 and 2.6.4 kernel  releases.  All
users of vulnerable  kernels are advised to upgrade to the latest kernel
version. For further information please contact your vendor.


5. Credits:

Paul Starzetz <ihaquer@isec.pl>  discovered the vulnerability  over half
a year ago. Wojciech Purczynski performed further research and developed
exploit code.


6. Copyright

Copyright (c) 2004 iSEC Security Research
All Rights Reserved.


7. Disclaimer

This document and all  the information it contains are provided "as is",
for educational  purposes only,  without  warranty of any kind,  whether
express or implied.

All the content  presented  here may be  subject of future  modifications
and updates without prior notice.

The authors reserve  the right not to be  responsible for the topicality,
correctness,  completeness  or  quality of the  information  provided in
this document.  Liability claims  regarding damage  caused by the use of
any information provided,  including  any kind  of information  which is
incomplete or incorrect, will therefore be rejected.

- -- 
Wojciech Purczynski
iSEC Security Research
http://isec.pl/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFAhQnLC+8U3Z5wpu4RAsK3AKDfsy85JCvStXHqP0K3UQHw8SbU/ACfXyud
ZI/nMA2lEL2mkGpinl/i7hs=
=/ss8
-----END PGP SIGNATURE-----


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
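The following is an added example, written for this archive page; it is not code from the advisory or from the Linux kernel. It models the IP_MSFILTER_SIZE arithmetic quoted above as it behaves on a 32-bit kernel, where sizeof yields a 32-bit size_t and the product numsrc * sizeof(__u32) silently wraps, and sets it beside an overflow-safe computation and a policy cap. The struct is a local mirror of the ip_msfilter layout the advisory describes (four 32-bit header fields plus a one-slot source list), the function names are hypothetical, the input 0x40000000 is a constructed value, and the cap of 64 is an assumed limit rather than a kernel constant.

```c
/* Added example: vulnerable vs. checked size calculation for a
 * user-supplied multicast source count (constructed, not kernel code). */
#include <stdint.h>
#include <stdio.h>

/* Local stand-in for struct ip_msfilter: four 32-bit fields and a
 * one-element source list that sizeof counts once. sizeof == 20. */
struct msfilter_mirror {
    uint32_t imsf_multiaddr;
    uint32_t imsf_interface;
    uint32_t imsf_fmode;
    uint32_t imsf_numsrc;
    uint32_t imsf_slist[1];
};

/* Header bytes (sizeof(struct) - one slot) == 16, slot size == 4,
 * matching the two terms of the advisory's macro. */
#define HDR_BYTES  ((uint32_t)(sizeof(struct msfilter_mirror) - sizeof(uint32_t)))
#define SLOT_BYTES ((uint32_t)sizeof(uint32_t))

/* Unchecked size, computed in 32-bit arithmetic exactly as the macro is
 * evaluated on an i386 kernel: numsrc * 4 wraps modulo 2^32. */
uint32_t msfilter_size_unchecked(uint32_t numsrc)
{
    return HDR_BYTES + numsrc * SLOT_BYTES;
}

/* Bytes the copy loop would really store for numsrc entries (64-bit, no wrap). */
uint64_t bytes_loop_writes(uint32_t numsrc)
{
    return HDR_BYTES + (uint64_t)numsrc * SLOT_BYTES;
}

/* 1 when the unchecked allocation is smaller than what the loop writes,
 * i.e. the condition that turns the wrap into a heap overflow. */
int unchecked_underallocates(uint32_t numsrc)
{
    return (uint64_t)msfilter_size_unchecked(numsrc) < bytes_loop_writes(numsrc);
}

/* Overflow-safe size: reject any count whose byte size cannot be
 * represented, then compute with the wrap already ruled out.
 * Returns 0 and fills *out on success, -1 on rejection. */
int msfilter_size_checked(uint32_t numsrc, uint32_t *out)
{
    if (numsrc > (UINT32_MAX - HDR_BYTES) / SLOT_BYTES)
        return -1;                 /* numsrc * SLOT_BYTES would wrap */
    *out = HDR_BYTES + numsrc * SLOT_BYTES;
    return 0;
}

/* Policy cap on top of the arithmetic check: a kernel would bound the
 * number of sources per socket with a small limit; max_msf is supplied
 * by the caller here because the real limit is not part of this page. */
int msfilter_size_capped(uint32_t numsrc, uint32_t max_msf, uint32_t *out)
{
    if (numsrc > max_msf)
        return -1;
    return msfilter_size_checked(numsrc, out);
}

/* Convenience wrappers returning the size, or 0 when the count is rejected. */
uint32_t checked_or_zero(uint32_t numsrc)
{
    uint32_t sz;
    return msfilter_size_checked(numsrc, &sz) == 0 ? sz : 0;
}

uint32_t capped_or_zero(uint32_t numsrc, uint32_t max_msf)
{
    uint32_t sz;
    return msfilter_size_capped(numsrc, max_msf, &sz) == 0 ? sz : 0;
}

int main(void)
{
    uint32_t n = 0x40000000u;      /* constructed input: 2^30 sources */
    printf("numsrc=%u: unchecked size=%u bytes, loop writes=%llu bytes\n",
           n, msfilter_size_unchecked(n),
           (unsigned long long)bytes_loop_writes(n));
    printf("checked: %s\n", checked_or_zero(n) ? "accepted" : "rejected");
    printf("numsrc=3 checked size=%u bytes\n", checked_or_zero(3));
    printf("numsrc=100 with cap 64: %s\n",
           capped_or_zero(100, 64) ? "accepted" : "rejected");
    return 0;
}
```

With 2^30 sources the unchecked size collapses to the 16-byte header, while the loop would store 4 GiB of entries; the checked version rejects the count before anything is allocated. The division-based test is preferable to comparing the product after the fact, since the wrapped product is exactly the value that cannot be trusted.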


Copyright 2021, SecurityGlobal.net LLC