Vigil@nce - Linux kernel: privilege elevation via NETLINK_SOCK_DIAG
March 2013 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
A local attacker can send a malicious message on a
NETLINK_SOCK_DIAG socket, in order to execute code with kernel
privileges.
Impacted products: Fedora, Linux, openSUSE, RHEL
Severity: 2/4
Creation date: 25/02/2013
DESCRIPTION OF THE VULNERABILITY
A NETLINK_SOCK_DIAG socket is used to obtain network information.
The SOCK_DIAG_BY_FAMILY message filters information depending on
the socket family, which is indicated in the sdiag_family
parameter. The __sock_diag_rcv_msg() function of the
net/core/sock_diag.c file uses this parameter to search an array
containing function pointers.
However, if this parameter is greater than or equal to AF_MAX (the
number of valid family indexes), the kernel reads a function pointer
located outside the sock_diag_handlers array and calls it. If the
attacker has previously placed code at the address that pointer
designates, that code is executed with kernel privileges.
A local attacker can therefore send a malicious message on a
NETLINK_SOCK_DIAG socket, in order to execute code with kernel
privileges.
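The defect described above is a missing bounds check before a table lookup. The following is an added user-space model of that dispatch, not code from the bulletin or from the Linux kernel: the structure, handler, table size (AF_MAX_MODEL) and return values are all constructed for illustration. It shows the unchecked lookup as a comment and the hardened form as working code, which rejects any sdiag_family value at or above the table size before indexing and treats an unregistered family as a separate, harmless error.

```c
/* Added example, not from the Vigil@nce bulletin or the kernel source.
 * A user-space model of SOCK_DIAG_BY_FAMILY dispatch. All names and values
 * here are constructed for illustration. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed table size; the real kernel AF_MAX varies by version. */
#define AF_MAX_MODEL 41

/* Model of the request header: only the field the bug concerns. */
struct sock_diag_req_model {
    uint8_t sdiag_family;
    uint8_t sdiag_protocol;
};

typedef int (*sock_diag_handler_fn)(const struct sock_diag_req_model *req);

/* Constructed AF_INET handler: stands in for a real socket dump. */
static int inet_diag_handler_model(const struct sock_diag_req_model *req)
{
    (void)req;
    return 1;
}

/* The table indexed by family; every slot starts out empty (NULL). */
static sock_diag_handler_fn sock_diag_handlers_model[AF_MAX_MODEL];

/* Registration path: a family-specific module installs its handler here. */
static int register_handler_model(uint8_t family, sock_diag_handler_fn fn)
{
    if (family >= AF_MAX_MODEL)
        return -EINVAL;
    if (sock_diag_handlers_model[family] != NULL)
        return -EBUSY;
    sock_diag_handlers_model[family] = fn;
    return 0;
}

/* Vulnerable pattern (shown as a comment, never executed):
 *
 *     hndl = sock_diag_handlers[req->sdiag_family];   // no range check
 *     return hndl->dump(skb, nlh);
 *
 * A family byte >= AF_MAX reads a pointer from memory beyond the table.
 *
 * Hardened dispatch: validate the index against the table size first. */
int sock_diag_dispatch_model(const struct sock_diag_req_model *req)
{
    if (req->sdiag_family >= AF_MAX_MODEL)
        return -EINVAL;                        /* the missing bounds check */

    sock_diag_handler_fn hndl = sock_diag_handlers_model[req->sdiag_family];
    if (hndl == NULL)
        return -ENOENT;                        /* valid family, no handler loaded */

    return hndl(req);
}

/* Reset the table and register the constructed AF_INET (2) handler. */
int setup_model(void)
{
    memset(sock_diag_handlers_model, 0, sizeof(sock_diag_handlers_model));
    return register_handler_model(2, inet_diag_handler_model);
}

/* Convenience wrapper: dispatch a request carrying the given family byte. */
int dispatch_family_model(uint8_t family)
{
    struct sock_diag_req_model req = { family, 0 };
    return sock_diag_dispatch_model(&req);
}

int main(void)
{
    setup_model();
    printf("family 2   -> %d (handler ran)\n", dispatch_family_model(2));
    printf("family 3   -> %d (no handler: -ENOENT)\n", dispatch_family_model(3));
    printf("family 255 -> %d (out of range: -EINVAL)\n", dispatch_family_model(255));
    return 0;
}
```

The essential point is the order of the two checks: the range comparison must come before the array read, because a NULL check on a pointer fetched from outside the table offers no protection against whatever value happens to sit there. When auditing similar dispatch code, look for any externally supplied byte or integer that is used as an index and confirm that every path compares it to the array size before the subscript is evaluated.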
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Linux-kernel-privilege-elevation-via-NETLINK-SOCK-DIAG-12459