Vigil@nce: Linux kernel, privilege elevation via sock_sendpage, SOCKOPS_WRAP, proto_ops

August 2009 by Vigil@nce

A local attacker can use some types of sockets in order to obtain
root privileges.

Severity: 2/4

Consequences: administrator access/rights, denial of service of
computer

Provenance: user shell

Means of attack: 2 attacks

Ability of attacker: beginner (1/4)

Confidence: confirmed by the editor (5/5)

Diffusion of the vulnerable configuration: high (3/3)

Creation date: 14/08/2009

IMPACTED PRODUCTS

 Debian Linux
 Fedora
 Linux kernel
 Mandriva Enterprise Server
 Mandriva Linux
 Novell Linux Desktop
 Novell Open Enterprise Server
 OpenSUSE
 Slackware Linux
 SUSE Linux Enterprise Server

DESCRIPTION OF THE VULNERABILITY

Each socket type is associated with a proto_ops structure, which
holds pointers to the functions implementing accept(), bind(), etc.
When a socket type does not support a function, the corresponding
pointer has to point to a stub such as sock_no_accept(). The
SOCKOPS_WRAP macro initializes these function pointers. However,
the SOCKOPS_WRAP macro does not initialize the sendpage field of
the proto_ops structure. Impacted protocols are PF_APPLETALK,
PF_IPX, PF_IRDA, PF_X25, PF_AX25, PF_BLUETOOTH, PF_IUCV, PF_INET6
(IPPROTO_SCTP), PF_PPPOX and PF_ISDN.

Moreover, the sock_sendpage() function does not check whether the
sendpage pointer is valid. It thus calls the function at the
indicated null address, which stops the system. However, if the
VIGILANCE-VUL-8861 (https://vigilance.fr/tree/1/8861)
vulnerability is not corrected, an attacker can mmap the memory
address zero and store a malicious function there. This function
then runs with kernel privileges.

A local attacker can thus call a function (such as sendfile())
which calls sock_sendpage() on some types of sockets, in order to
obtain root privileges.
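
The following user-space model is an added example, not kernel code and not part of the original bulletin. It shows how an operations table whose sendpage field is left out ends up with a NULL pointer, and how a dispatcher that checks the field falls back to a stub. All type and function names, and the stub's -EOPNOTSUPP return value, are assumptions made for this model.

```c
#include <errno.h>
#include <stddef.h>

/* User-space model only: every name here is hypothetical, not kernel code. */
struct sock_model;
typedef long (*sendpage_fn)(struct sock_model *, const char *, size_t);
typedef int (*accept_fn)(struct sock_model *);
struct proto_ops_model { const char *family; accept_fn accept; sendpage_fn sendpage; };
struct sock_model { const struct proto_ops_model *ops; size_t sent; };

/* Stubs for unsupported operations (return value chosen for this model). */
static int no_accept(struct sock_model *s) { (void)s; return -EOPNOTSUPP; }
static long no_sendpage(struct sock_model *s, const char *p, size_t n)
{ (void)s; (void)p; (void)n; return -EOPNOTSUPP; }
static long stream_sendpage(struct sock_model *s, const char *p, size_t n)
{ (void)p; s->sent += n; return (long)n; }

/* Every field set explicitly. */
static const struct proto_ops_model stream_ops = { "stream", no_accept, stream_sendpage };
/* Models the incomplete wrapper: sendpage is omitted, so C zero-fills it to NULL. */
static const struct proto_ops_model wrapped_ops = { .family = "wrapped", .accept = no_accept };

/* Pre-fix shape: dispatches through the pointer without validating it. */
long sendpage_unchecked(struct sock_model *s, const char *p, size_t n)
{ return s->ops->sendpage(s, p, n); }

/* Hardened shape: a missing handler falls back to the stub. */
long sendpage_checked(struct sock_model *s, const char *p, size_t n)
{
    if (!s->ops->sendpage)
        return no_sendpage(s, p, n);
    return s->ops->sendpage(s, p, n);
}

/* Audit helper: count the ops tables in this model that leave sendpage unset. */
size_t count_missing_sendpage(void)
{
    const struct proto_ops_model *all[] = { &stream_ops, &wrapped_ops };
    size_t i, missing = 0;
    for (i = 0; i < sizeof all / sizeof all[0]; i++)
        if (!all[i]->sendpage) missing++;
    return missing;
}

int main(void)
{
    struct sock_model w = { &wrapped_ops, 0 };
    return sendpage_checked(&w, "x", 1) == -EOPNOTSUPP ? 0 : 1;
}
```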

CHARACTERISTICS

Identifiers: 516949, BID-36038, CVE-2009-2692, DSA 1862-1, DSA
1864-1, DSA 1865-1, FEDORA-2009-8647, FEDORA-2009-8649,
MDVSA-2009:205, SSA:2009-230-01, SSA:2009-231-01,
SUSE-SA:2009:045, VIGILANCE-VUL-8950
Pointed by: VIGILANCE-VUL-8861, VIGILANCE-VUL-8950,
VIGILANCE-VUL-8953

http://vigilance.fr/vulnerability/Linux-kernel-privilege-elevation-via-sock-sendpage-SOCKOPS-WRAP-proto-ops-8950

