[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Linux kernel IGMP vulnerabilities

To: security@xxxxxxx
Subject: Re: Linux kernel IGMP vulnerabilities
From: Pekka Savola <pekkas@xxxxxxxxxx>
Date: Tue, 14 Dec 2004 19:16:39 +0200 (EET)

Hi,

On Tue, 14 Dec 2004, Paul Starzetz wrote:


Synopsis:  Linux kernel IGMP vulnerabilities
Product:   Linux kernel
Version:   2.4 up to and including 2.4.28, 2.6 up to and including 2.6.9

[...]

Both parts of the IGMP subsystem have exploitable flaws:

(1) the ip_mc_source() function, that can be called through the user API
(the  IP_(UN)BLOCK_SOURCE,  IP_ADD/DROP_SOURCE_MEMBERSHIP  as  well   as
MCAST_(UN)BLOCK_SOURCE  and  MCAST_JOIN/LEAVE_SOURCE_GROUP socket SOL_IP
level options) suffers from a serious  kernel  hang  and  kernel  memory
overwrite problem.

[...]

Does this also affect earlier 2.4 releases which did not yet incorporate IGMPv3? If so, to which extent? AFAIR, IGMPv3/MLDv2 was added in 2.4.22.

At least the PoC requires *_(UN)BLOCK_SOURCE APIs which were added with IGMPv3.

As far as I can see (a very quick look), 2.4 prior to 2.4.22 should not be (at least similarly) affected.

--
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings

References:
- Linux kernel IGMP vulnerabilities
  - From: Paul Starzetz

Prev by Date: Re: NetWare Screensaver Authentication Bypass From The Local Console
Next by Date: [Correction For]: Secure Network Operations SNOsoft Research Team [SRT2004-12-14-0322] Symantec LiveUpdate Advisory
Previous by thread: Linux kernel IGMP vulnerabilities
Next by thread: Re: Linux kernel IGMP vulnerabilities
Index(es):
- Date
- Thread