----- Forwarded message from Wojciech Purczynski <cliph@isec.pl> ----- From: Wojciech Purczynski <cliph@isec.pl> Subject: Linux kernel setsockopt MCAST_MSFILTER integer overflow To: bugtraq@securityfocus.com, <full-disclosure@lists.netsys.com>, <vulnwatch@vulnwatch.org> Cc: vendor-sec@lst.de Reply-To: security@isec.pl Date: Tue, 20 Apr 2004 13:30:14 +0200 (CEST) Message-ID: <Pine.LNX.4.44.0404201324411.21010-100000@isec.pl> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Synopsis: Linux kernel setsockopt MCAST_MSFILTER integer overflow Product: Linux kernel Version: 2.4.22 - 2.4.25, 2.6.1 - 2.6.3 Vendor: http://www.kernel.org/ URL: http://isec.pl/vulnerabilities/isec-0015-msfilter.txt Author: Paul Starzetz <ihaquer@isec.pl> Wojciech Purczynski <cliph@isec.pl> Date: April 20, 2004 1. Issue A critical security vulnerability has been found in the Linux kernel in the ip_setsockopt() function code. 2. Details The ip_setsockopt() function code is a subroutine of the setsockopt(2) system call. This function allows manipulation of various options of the IP socket. The MCAST_MSFILTER option can be used to provide the kernel with a list of multicast addresses to be received on the socket. This code has been introduced with the 2.4.22/2.6.1 kernel releases. There is an exploitable integer overflow inside the code handling the MCAST_MSFILTER socket option in the IP_MSFILTER_SIZE macro calculation. The vulnerable code resides in net/ipv4/ip_sockglue.c file: case MCAST_MSFILTER: { /* ... */ msize = IP_MSFILTER_SIZE(gsf->gf_numsrc); msf = (struct ip_msfilter *)kmalloc(msize,GFP_KERNEL); /* ... */ for (i=0; i<gsf->gf_numsrc; ++i) { psin = (struct sockaddr_in *)&gsf->gf_slist[i]; if (psin->sin_family != AF_INET) goto mc_msf_out; msf->imsf_slist[i] = psin->sin_addr.s_addr; } whereas the IP_MSFILTER_SIZE macro is defined as follows: #define IP_MSFILTER_SIZE(numsrc) \ (sizeof(struct ip_msfilter) - sizeof(__u32) \ + (numsrc) * sizeof(__u32)) Integer overflow during kernel memory space calculation may cause the kernel buffer to be overflown with arbitrary values within the for loop code. 3. Impact Proper exploitation of this vulnerability leads to local privilege escalation giving an attacker full super-user privileges. Unsuccesfull exploitation of the vulnerability may lead to a denial-of-service attack causing machine crash or instant reboot. 4. Solution This bug has been fixed in the 2.4.26 and 2.6.4 kernel releases. All users of vulnerable kernels are advised to upgrade to the latest kernel version. For further information please contact your vendor. 5. Credits: Paul Starzetz <ihaquer@isec.pl> discovered the vulnerability over half a year ago. Wojciech Purczynski performed further research and developed exploit code. 6. Copyright Copyright (c) 2004 iSEC Security Research All Rights Reserved. 7. Disclaimer This document and all the information it contains are provided "as is", for educational purposes only, without warranty of any kind, whether express or implied. All the content presented here my be subject of future modifications and updates without prior notice. The authors reserve the right not to be responsible for the topicality correctness, completeness or quality of the information provided in this document. Liability claims regarding damage caused by the use of any information provided, including any kind of information which is incomplete or incorrect, will therefore be rejected. - -- Wojciech Purczynski iSEC Security Research http://isec.pl/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (GNU/Linux) iD8DBQFAhQnLC+8U3Z5wpu4RAsK3AKDfsy85JCvStXHqP0K3UQHw8SbU/ACfXyud ZI/nMA2lEL2mkGpinl/i7hs= =/ss8 -----END PGP SIGNATURE----- ----- End forwarded message ----- -- David Mirza Ahmad Symantec PGP: 0x26005712 8D 9A B1 33 82 3D B3 D0 40 EB AB F0 1E 67 C6 1A 26 00 57 12
