[UNIX] Linux Kernel SCTP-AUTH API Information Disclosure Vulnerability and NULL Pointer Dereferences



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com



Linux Kernel SCTP-AUTH API Information Disclosure Vulnerability and NULL
Pointer Dereferences
------------------------------------------------------------------------


SUMMARY

The Linux Kernel contains an information disclosure vulnerability in the
getsockopt() handler for the SCTP_HMAC_IDENT socket option. Exploitation of
this vulnerability allows a local unprivileged attacker to read kernel
memory.

Additionally, there are various NULL pointer dereferences in the SCTP-AUTH
API. Every SCTP-AUTH socket option can cause a kernel panic when the
extension is disabled (net.sctp.auth_enable=0) and the option is invoked.
Exploitation of these vulnerabilities allows a local unprivileged attacker
to crash the system (Denial of Service).

DETAILS

Vulnerable Systems:
* Linux Kernel version 2.6.26.4 and prior

Immune Systems:
* Linux Kernel version 2.6.26.4 patched
* Linux Kernel version 2.6.26.5 or newer

Technical description:
From source code file: net/sctp/socket.c

[...]
SCTP_STATIC int sctp_getsockopt(struct sock *sk, int level, int optname,
                                char __user *optval, int __user *optlen)
{
        int retval = 0;
        int len;
        [...]
        if (get_user(len, optlen))                                    <-- [1]
                return -EFAULT;
        [...]
        case SCTP_HMAC_IDENT:
                retval = sctp_getsockopt_hmac_ident(sk, len, optval, optlen); <-- [2]
                break;
        [...]

[1] The user-controlled value of "optlen" is copied into "len".
[2] "len" is passed unchanged to sctp_getsockopt_hmac_ident().

[...]
static int sctp_getsockopt_hmac_ident(struct sock *sk, int len,
                                      char __user *optval, int __user *optlen)
{
        struct sctp_hmac_algo_param *hmacs;
        __u16 param_len;

        hmacs = sctp_sk(sk)->ep->auth_hmacs_list;                     <-- [3]
        param_len = ntohs(hmacs->param_hdr.length);                   <-- [4]

        if (len < param_len)                                          <-- [5]
                return -EINVAL;
        if (put_user(len, optlen))
                return -EFAULT;
        if (copy_to_user(optval, hmacs->hmac_ids, len))               <-- [6]
                return -EFAULT;

        return 0;
}
[...]

If SCTP authentication is disabled (net.sctp.auth_enable=0):

[3] "hmacs" is NULL.
[4] Reading "hmacs->param_hdr.length" dereferences that NULL pointer and the
kernel oopses.

That is one example of the NULL pointer dereferences in the SCTP-AUTH API;
the other SCTP-AUTH socket options use the endpoint's authentication state
in the same way without first checking that the extension is enabled. For
the full list see [1].

If SCTP authentication is enabled (net.sctp.auth_enable=1):

[3] "hmacs" points to the endpoint's HMAC parameter.
[4] "param_len" holds that parameter's length.
[5] The check only enforces a lower bound: any user-supplied "len" greater
than or equal to "param_len" passes.
[6] "len" is then used unchanged as the byte count for copy_to_user(), so
the caller decides how many bytes are copied out of kernel memory starting
at "hmacs->hmac_ids".

Because "len" is never bounded from above, an unprivileged local user can
pass a large "optlen" and have kernel memory beyond the HMAC identifier
list copied back into user space.
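The following is an added example, not code from the advisory or from the kernel tree: a userspace model of sctp_getsockopt_hmac_ident() that reproduces both failure modes described above (the NULL dereference with authentication disabled and the unbounded copy with it enabled) next to a hardened variant of the same function. The structure layouts, the parameter type and HMAC identifier values, the errno returned when the extension is off and the secret bytes placed after the parameter are all assumptions made for the model; the hardened variant is this example's own, not the upstream patch.

```c
/*
 * Added example: userspace model of the SCTP_HMAC_IDENT getsockopt handler.
 * The "kernel heap" is a constructed byte array holding the HMAC parameter
 * followed by unrelated secret data, the layout an oversized "len" walks into.
 */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>            /* htons / ntohs, as the kernel code uses */

#define OOPS_SENTINEL (-1000)     /* constructed: marks where the kernel would panic */

struct sctp_paramhdr {            /* shape assumed to mirror the kernel header */
    uint16_t type;
    uint16_t length;              /* big-endian; counts header + hmac_ids */
};

struct sctp_hmac_algo_param {
    struct sctp_paramhdr param_hdr;
    uint16_t hmac_ids[];          /* flexible array, as in the kernel */
};

/* Constructed "kernel heap": 8-byte HMAC parameter, then 8 secret bytes. */
static union { uint32_t align; uint8_t bytes[64]; } kernel_heap;
static const uint8_t SECRET[8] = {0xde, 0xad, 0xbe, 0xef, 0xca, 0xfe, 0xf0, 0x0d};

/* Lays out the heap; returns NULL to model net.sctp.auth_enable=0. */
static struct sctp_hmac_algo_param *setup_heap(int auth_enable)
{
    struct sctp_hmac_algo_param *hmacs = (struct sctp_hmac_algo_param *)kernel_heap.bytes;
    uint16_t ids[2] = { htons(1), htons(3) };          /* two HMAC ids (values assumed) */

    memset(kernel_heap.bytes, 0, sizeof kernel_heap.bytes);
    if (!auth_enable)
        return NULL;
    hmacs->param_hdr.type   = htons(0x8004);           /* assumed parameter type */
    hmacs->param_hdr.length = htons(sizeof(struct sctp_paramhdr) + sizeof ids); /* 8 */
    memcpy(hmacs->hmac_ids, ids, sizeof ids);
    memcpy(kernel_heap.bytes + sizeof(struct sctp_paramhdr) + sizeof ids, SECRET, sizeof SECRET);
    return hmacs;
}

/* Mirrors the advisory's logic: hmacs is dereferenced before any NULL check
 * and the user-chosen len is only bounded from below. */
static int vuln_getsockopt_hmac_ident(struct sctp_hmac_algo_param *hmacs,
                                      int len, uint8_t *optval, int *optlen)
{
    uint16_t param_len = ntohs(hmacs->param_hdr.length);   /* [4] NULL deref if disabled */

    if (len < param_len)                                    /* [5] lower bound only */
        return -EINVAL;
    *optlen = len;
    memcpy(optval, hmacs->hmac_ids, (size_t)len);           /* [6] copies len bytes */
    return 0;
}

/* Hardened variant (this example's own, not the upstream patch): refuse when
 * the extension is off and never copy more than the identifiers present. */
static int safe_getsockopt_hmac_ident(const struct sctp_hmac_algo_param *hmacs,
                                      int len, uint8_t *optval, int *optlen)
{
    uint16_t param_len, data_len;

    if (!hmacs)
        return -EACCES;                       /* errno choice is an assumption */
    param_len = ntohs(hmacs->param_hdr.length);
    if (param_len < sizeof(struct sctp_paramhdr))
        return -EINVAL;
    data_len = (uint16_t)(param_len - sizeof(struct sctp_paramhdr));
    if (len < 0 || (size_t)len < data_len)
        return -EINVAL;
    *optlen = data_len;                       /* report what was copied, not what was asked */
    memcpy(optval, hmacs->hmac_ids, data_len);
    return 0;
}

/* Runs one handler on a fresh heap for a user-chosen len. Returns the handler's
 * negative errno, OOPS_SENTINEL where the real code dereferences NULL, otherwise
 * the reported length (want_leak == 0) or 1/0 for secret bytes in optval. */
static int probe(int use_safe, int auth_enable, int user_len, int want_leak)
{
    uint8_t out[64] = {0};
    int outlen = 0, ret;
    struct sctp_hmac_algo_param *hmacs = setup_heap(auth_enable);

    if (user_len > 56)
        return -E2BIG;                        /* harness bound: keeps the model in bounds */
    if (!use_safe && !hmacs)
        return OOPS_SENTINEL;
    ret = use_safe ? safe_getsockopt_hmac_ident(hmacs, user_len, out, &outlen)
                   : vuln_getsockopt_hmac_ident(hmacs, user_len, out, &outlen);
    if (ret < 0)
        return ret;
    if (!want_leak)
        return outlen;
    for (int i = 0; i + (int)sizeof SECRET <= outlen; i++)
        if (memcmp(out + i, SECRET, sizeof SECRET) == 0)
            return 1;
    return 0;
}

int main(void)
{
    /* A user asking for 32 bytes: the vulnerable handler returns 32 bytes that
     * include the secret; the hardened one returns only the 4 identifier bytes. */
    printf("vuln: len=%d leaks=%d\n", probe(0, 1, 32, 0), probe(0, 1, 32, 1));
    printf("safe: len=%d leaks=%d\n", probe(1, 1, 32, 0), probe(1, 1, 32, 1));
    printf("auth disabled: vuln=%d (would oops) safe=%d (-EACCES)\n",
           probe(0, 0, 32, 0), probe(1, 0, 32, 0));
    return 0;
}
```

The model keeps the advisory's three observations separate: with the extension disabled the vulnerable path cannot even be called safely (probe() returns the sentinel where the kernel oopsed), with it enabled the vulnerable path echoes whatever length the caller asked for and copies that many bytes, and the hardened path derives the copy size from the parameter header rather than from the caller.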

Solution:
The Linux Kernel maintainers have addressed these vulnerabilities within
version 2.6.26.4. More information can be found at:
http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.26.4
http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.26.y.git;a=commit;h=be9467bd75b522a3db0369c12db739f797cfec6a

History:
2008/08/20 - Initial notification of kernel maintainers
2008/08/20 - Initial response from kernel maintainers
2008/09/08 - Fix provided
2008/09/09 - Public disclosure

References:
[1] http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.26.y.git;a=commit;h=be9467bd75b522a3db0369c12db739f797cfec6a
[2] http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.26.4

CVE Information:
CVE-2008-3792 - http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3792


ADDITIONAL INFORMATION

The information has been provided by Tobias Klein (tk@xxxxxxxxxx).
The original article can be found at:
http://www.trapkit.de/advisories/TKADV2008-007.txt





