[VulnWatch] Linux kernel setsockopt MCAST_MSFILTER integer overflow

From: Wojciech Purczynski (cliph_at_isec.pl)
Date: 04/20/04

    Date: Tue, 20 Apr 2004 13:30:14 +0200 (CEST)
    To: bugtraq@securityfocus.com, <full-disclosure@lists.netsys.com>, <vulnwatch@vulnwatch.org>
    
    


    Synopsis: Linux kernel setsockopt MCAST_MSFILTER integer overflow
    Product: Linux kernel
    Version: 2.4.22 - 2.4.25, 2.6.1 - 2.6.3
    Vendor: http://www.kernel.org/
    URL: http://isec.pl/vulnerabilities/isec-0015-msfilter.txt
    Author: Paul Starzetz <ihaquer@isec.pl>
               Wojciech Purczynski <cliph@isec.pl>
    Date: April 20, 2004

    1. Issue

    A critical security vulnerability has been found in the Linux kernel in
    the ip_setsockopt() function code.

    2. Details

    The ip_setsockopt() function is a subroutine of the setsockopt(2)
    system call. It allows manipulation of various options of an IP
    socket. The MCAST_MSFILTER option can be used to provide the kernel
    with a list of multicast source addresses to be received (or
    excluded) on the socket. This code was introduced in the 2.4.22 and
    2.6.1 kernel releases.

    There is an exploitable integer overflow inside the code handling the
    MCAST_MSFILTER socket option in the IP_MSFILTER_SIZE macro calculation.

    The vulnerable code resides in net/ipv4/ip_sockglue.c file:

    case MCAST_MSFILTER:
    {
    /* ... */
            /* gf_numsrc is user-controlled; the size wraps for large values */
            msize = IP_MSFILTER_SIZE(gsf->gf_numsrc);
            msf = (struct ip_msfilter *)kmalloc(msize,GFP_KERNEL);
    /* ... */
            /* the loop still runs gf_numsrc times, past the end of msf */
            for (i=0; i<gsf->gf_numsrc; ++i) {
                    psin = (struct sockaddr_in *)&gsf->gf_slist[i];
                    if (psin->sin_family != AF_INET)
                            goto mc_msf_out;
                    msf->imsf_slist[i] = psin->sin_addr.s_addr;
            }

    whereas the IP_MSFILTER_SIZE macro is defined as follows:

    #define IP_MSFILTER_SIZE(numsrc) \
            (sizeof(struct ip_msfilter) - sizeof(__u32) \
            + (numsrc) * sizeof(__u32))

    Because gf_numsrc is taken from user space unchecked, the multiplication
    in IP_MSFILTER_SIZE can wrap, so kmalloc() allocates a buffer much
    smaller than the number of entries the for loop subsequently copies
    into it. The loop then overflows the kernel buffer with user-supplied
    values.
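    The following is an added illustration, not code from the advisory or
    the kernel: it mirrors the IP_MSFILTER_SIZE arithmetic in 32-bit
    unsigned math (modelling a 32-bit kernel), shows the wrap for a large
    source count, and shows the bound check a corrected version performs
    before multiplying. The struct mirror and the max_sources parameter
    are assumptions for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed mirror of the kernel's struct ip_msfilter layout (assumption:
 * four 32-bit header fields followed by a one-element source list). */
struct ip_msfilter_mock {
    uint32_t imsf_multiaddr;
    uint32_t imsf_interface;
    uint32_t imsf_fmode;
    uint32_t imsf_numsrc;
    uint32_t imsf_slist[1];
};

/* Header bytes = sizeof(struct) - sizeof(one slist entry), as in the macro. */
#define MSF_HDR ((uint32_t)(sizeof(struct ip_msfilter_mock) - sizeof(uint32_t)))
#define MSF_ELEM ((uint32_t)sizeof(uint32_t))

/* The advisory's macro evaluated in 32-bit unsigned arithmetic: the product
 * numsrc * 4 silently wraps modulo 2^32 for numsrc >= 0x40000000. */
static uint32_t msfilter_size_unchecked(uint32_t numsrc)
{
    return MSF_HDR + numsrc * MSF_ELEM;
}

/* Hardened variant: reject the count before any multiplication happens.
 * max_sources plays the role of an administrator-configured per-socket cap
 * (assumption). Returns 0 when the request must be refused. */
static uint32_t msfilter_size_checked(uint32_t numsrc, uint32_t max_sources)
{
    if (numsrc > max_sources)
        return 0;                          /* policy limit exceeded */
    if (numsrc > (UINT32_MAX - MSF_HDR) / MSF_ELEM)
        return 0;                          /* size would wrap */
    return MSF_HDR + numsrc * MSF_ELEM;
}

int main(void)
{
    uint32_t big = 0x40000004u;           /* constructed hostile count */
    printf("numsrc=2          -> %u bytes\n", msfilter_size_unchecked(2));
    printf("numsrc=0x40000004 -> %u bytes (wrapped)\n",
           msfilter_size_unchecked(big));
    printf("checked(0x40000004, 10) -> %u (rejected)\n",
           msfilter_size_checked(big, 10));
    return 0;
}
```

    With the wrapped size of 32 bytes, kmalloc() returns room for only a
    few entries while the copy loop still iterates 0x40000004 times.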

    3. Impact

    Proper exploitation of this vulnerability leads to local privilege
    escalation giving an attacker full super-user privileges. Unsuccessful
    exploitation of the vulnerability may lead to a denial of service,
    causing a machine crash or instant reboot.

    4. Solution

    This bug has been fixed in the 2.4.26 and 2.6.4 kernel releases. All
    users of vulnerable kernels are advised to upgrade to the latest kernel
    version. For further information please contact your vendor.

    5. Credits

    Paul Starzetz <ihaquer@isec.pl> discovered the vulnerability over half
    a year ago. Wojciech Purczynski performed further research and developed
    exploit code.

    6. Copyright

    Copyright (c) 2004 iSEC Security Research
    All Rights Reserved.

    7. Disclaimer

    This document and all the information it contains are provided "as is",
    for educational purposes only, without warranty of any kind, whether
    express or implied.

    All the content presented here may be subject to future modifications
    and updates without prior notice.

    The authors reserve the right not to be responsible for the topicality,
    correctness, completeness or quality of the information provided in
    this document. Liability claims regarding damage caused by the use of
    any information provided, including any kind of information which is
    incomplete or incorrect, will therefore be rejected.

    --
    Wojciech Purczynski
    iSEC Security Research
    http://isec.pl/

