
[Full-disclosure] [TKADV2008-007] Linux Kernel SCTP-AUTH API Information Disclosure Vulnerability and NULL Pointer Dereferences



Please find attached a detailed advisory of the vulnerabilities.

Alternatively, the advisory can also be found at:
http://www.trapkit.de/advisories/TKADV2008-007.txt

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



Advisory:               Linux Kernel SCTP-AUTH API Information Disclosure
                        Vulnerability and NULL Pointer Dereferences
Advisory ID:            TKADV2008-007
Revision:               1.1
Release Date:           2008/09/09
Last Modified:          2008/09/10
Date Reported:          2008/08/20
Author:                 Tobias Klein (tk at trapkit.de)
Affected Software:      Linux Kernel < 2.6.26.4 (fixed in 2.6.26.4)
Remotely Exploitable:   No
Locally Exploitable:    Yes
Vendor URL:             http://www.kernel.org/
Vendor Status:          Vendor has released a fixed version
CVE-ID:                 CVE-2008-3792
Patch development time: 1 day





======================
Vulnerability details:
======================

The Linux Kernel contains an information disclosure vulnerability in the
handling of the SCTP_HMAC_IDENT socket option (getsockopt). Exploitation of
this vulnerability can allow a local unprivileged attacker to read kernel
memory and thereby gain access to sensitive data.

Additionally, there are various NULL pointer dereferences in the SCTP-AUTH
API. All of the SCTP-AUTH socket options can cause a kernel panic if the
extension is disabled (net.sctp.auth_enable=0) and the API is invoked.
Exploitation of these vulnerabilities can allow a local unprivileged
attacker to crash the system (Denial of Service).





======================
Technical description:
======================

From source code file: net/sctp/socket.c

[...]
SCTP_STATIC int sctp_getsockopt(struct sock *sk, int level, int optname,
                                char __user *optval, int __user *optlen)
{
        int retval = 0;
        int len;
[...]
        if (get_user(len, optlen))  <-- [1]
                return -EFAULT;
[...]
        case SCTP_HMAC_IDENT:
                retval = sctp_getsockopt_hmac_ident(sk, len, optval, optlen);  <-- [2]
                break;
[...]

[1] The user controlled value of "optlen" is copied into "len"
[2] "len" is used as a parameter for the function "sctp_getsockopt_hmac_ident()"

[...]
static int sctp_getsockopt_hmac_ident(struct sock *sk, int len,
                                      char __user *optval, int __user *optlen)
{
        struct sctp_hmac_algo_param *hmacs;
        __u16 param_len;

        hmacs = sctp_sk(sk)->ep->auth_hmacs_list;  <-- [3]
        param_len = ntohs(hmacs->param_hdr.length); <-- [4]

        if (len < param_len)  <-- [5]
                return -EINVAL;
        if (put_user(len, optlen))
                return -EFAULT;
        if (copy_to_user(optval, hmacs->hmac_ids, len))  <-- [6]
                return -EFAULT;

        return 0;
}
[...]



If SCTP authentication is disabled (net.sctp.auth_enable=0):

[3] "hmacs" gets NULL
[4] "hmacs->param_hdr.length" leads to a NULL pointer dereference

That's one example of the mentioned NULL pointer dereferences in the
SCTP-AUTH API. For more examples see [1].

If SCTP authentication is enabled (net.sctp.auth_enable=1):

[3] "hmacs" gets a valid value
[4] "param_len" gets a valid value
[5] The length check can be easily passed as "len" is user controlled; it
    only enforces a lower bound, so any "len" >= "param_len" is accepted
[6] "len" is a user controlled value, therefore it is possible to control
    the number of bytes that get copied back to the user

As "len" is never bounded by the actual size of "hmac_ids", an unprivileged
user who passes a large "optlen" together with a large enough buffer reads
kernel memory beyond the end of the HMAC parameter (whatever follows it on
the kernel heap) into user space. Note also that "param_len" counts the
4-byte parameter header, while the copy starts at "hmac_ids", so even the
smallest "len" that passes [5] already reads sizeof(param_hdr) bytes past
the identifiers.
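To make both failure modes concrete, the following user-space C model (an
added example, not code from this advisory or from the kernel) reproduces the
handler as quoted above, with a simulated "kernel heap" in which the HMAC
parameter is followed by unrelated secret data, and puts a hardened variant
beside it. The struct layout follows the excerpt; the endpoint structure, the
copy_to_user() stand-in, the SIM_PANIC return code that stands in for the oops
a real NULL dereference would cause, and the parameter/HMAC identifier values
are assumptions of the simulation. The hardened variant illustrates the checks
that are needed (refuse when the extension is off, derive the copy length from
the kernel object, clamp and report it); it is not the kernel's actual patch.

```c
/* Added example (not kernel code): user-space model of the SCTP_HMAC_IDENT
 * handler quoted in the advisory, beside a hardened variant.  The endpoint
 * struct, the simulated heap, the copy_to_user() stand-in and SIM_PANIC are
 * assumptions made so the logic can run without a kernel. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>
#include <arpa/inet.h>          /* ntohs(), htons() */

#define EACCES 13
#define EFAULT 14
#define EINVAL 22
#define SIM_PANIC (-999)        /* stands in for the oops a real NULL deref causes */

/* Layout as in the excerpt; param_hdr.length counts the 4-byte TLV header
 * plus the ids (SCTP parameter format, RFC 4960). */
struct sctp_paramhdr { uint16_t type; uint16_t length; };
struct sctp_hmac_algo_param { struct sctp_paramhdr param_hdr; uint16_t hmac_ids[]; };
struct endpoint { struct sctp_hmac_algo_param *auth_hmacs_list; }; /* NULL if auth off */

/* Simulated kernel heap: 8-byte HMAC parameter (header + two ids), then
 * unrelated sensitive data where a neighbouring allocation would sit. */
#define PARAM_LEN 8
static uint16_t kheap[32];      /* 64 bytes, aligned for the uint16_t fields */
static const char secret[] = "ADJACENT-KERNEL-HEAP-SECRET";

static struct endpoint *make_endpoint(int auth_enabled)
{
    static struct endpoint ep;
    struct sctp_hmac_algo_param *p = (struct sctp_hmac_algo_param *)kheap;

    memset(kheap, 0, sizeof kheap);
    p->param_hdr.type   = htons(0x8004);      /* HMAC-ALGO parameter, RFC 4895 */
    p->param_hdr.length = htons(PARAM_LEN);
    p->hmac_ids[0] = htons(1);                /* HMAC-SHA-1 */
    p->hmac_ids[1] = htons(3);                /* HMAC-SHA-256 */
    memcpy((unsigned char *)kheap + PARAM_LEN, secret, sizeof secret);
    ep.auth_hmacs_list = auth_enabled ? p : NULL;
    return &ep;
}

/* copy_to_user() stand-in: fails if the copy would run past the mapped
 * user buffer, as the real one does on an unmapped page. */
static int fake_copy_to_user(unsigned char *to, size_t cap, const void *from, size_t n)
{
    if (n > cap) return 1;
    memcpy(to, from, n);
    return 0;
}

/* Vulnerable handler, following the advisory's [3]..[6] step for step. */
static int vuln_hmac_ident(const struct endpoint *ep, int len,
                           unsigned char *optval, size_t cap, int *optlen)
{
    struct sctp_hmac_algo_param *hmacs = ep->auth_hmacs_list;        /* [3] */
    uint16_t param_len;

    if (!hmacs) return SIM_PANIC;   /* the real code has no check: [4] oopses */
    param_len = ntohs(hmacs->param_hdr.length);                       /* [4] */
    if (len < param_len) return -EINVAL;                              /* [5] lower bound only */
    *optlen = len;
    if (fake_copy_to_user(optval, cap, hmacs->hmac_ids, (size_t)len)) /* [6] caller-chosen size */
        return -EFAULT;
    return 0;
}

/* Hardened variant (illustration, not the kernel patch): refuse when the
 * extension is off, size the copy from the kernel object, report that size. */
static int safe_hmac_ident(const struct endpoint *ep, int len,
                           unsigned char *optval, size_t cap, int *optlen)
{
    struct sctp_hmac_algo_param *hmacs = ep->auth_hmacs_list;
    uint16_t param_len, data_len;

    if (!hmacs) return -EACCES;                                   /* SCTP-AUTH disabled */
    param_len = ntohs(hmacs->param_hdr.length);
    if (param_len < sizeof(struct sctp_paramhdr)) return -EINVAL; /* corrupt TLV */
    data_len = param_len - sizeof(struct sctp_paramhdr);          /* bytes of ids */
    if (len < data_len) return -EINVAL;                           /* caller's buffer too small */
    len = data_len;                                               /* clamp: never copy more */
    *optlen = len;
    if (fake_copy_to_user(optval, cap, hmacs->hmac_ids, (size_t)len))
        return -EFAULT;
    return 0;
}

/* Auth on, caller asks for 40 bytes though only 4 bytes of ids exist:
 * 1 if the vulnerable handler handed out the neighbouring secret. */
int demo_vulnerable_leak(void)
{
    unsigned char user[64];
    int optlen = 0;
    int rc = vuln_hmac_ident(make_endpoint(1), 40, user, sizeof user, &optlen);

    return rc == 0 && optlen == 40 && memcmp(user + 4, secret, sizeof secret) == 0;
}

/* Auth off: the quoted code dereferences NULL at [4]. */
int demo_vulnerable_null(void)
{
    unsigned char user[64];
    int optlen = 0;
    return vuln_hmac_ident(make_endpoint(0), 40, user, sizeof user, &optlen);
}

/* Same oversized request against the hardened variant: 1 if only the two
 * ids came back, the reported length is 4 and the canary past them is intact. */
int demo_hardened_clamps(void)
{
    unsigned char user[64];
    uint16_t id0, id1;
    int optlen = 0, rc;

    memset(user, 0xAA, sizeof user);
    rc = safe_hmac_ident(make_endpoint(1), 40, user, sizeof user, &optlen);
    memcpy(&id0, user, 2);
    memcpy(&id1, user + 2, 2);
    return rc == 0 && optlen == 4 && ntohs(id0) == 1 && ntohs(id1) == 3 && user[4] == 0xAA;
}

/* Auth off against the hardened variant: a clean error instead of a crash. */
int demo_hardened_null(void)
{
    unsigned char user[64];
    int optlen = 0;
    return safe_hmac_ident(make_endpoint(0), 40, user, sizeof user, &optlen);
}

int main(void)
{
    printf("vulnerable: leak=%d null_rc=%d\n", demo_vulnerable_leak(), demo_vulnerable_null());
    printf("hardened:   clamped=%d null_rc=%d\n", demo_hardened_clamps(), demo_hardened_null());
    return 0;
}
```

The point the model makes is that the only check in the quoted code, "len <
param_len", protects the kernel from a caller who asks for too little, never
from one who asks for too much; the copy length has to come from the size of
the kernel object, and the disabled-extension case has to be rejected before
the list pointer is touched.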





=========
Solution:
=========

The Linux Kernel maintainers have addressed these vulnerabilities within
version 2.6.26.4. More information can be found at the URLs shown below.

http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.26.4
http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.26.y.git;a=commit;h=be9467bd75b522a3db0369c12db739f797cfec6a





========
History:
========

  2008/08/20 - Initial notification of kernel maintainers
  2008/08/20 - Initial response from kernel maintainers
  2008/09/08 - Fix provided
  2008/09/09 - Public disclosure





========
Credits:
========

  Vulnerabilities found and advisory written by Tobias Klein.





===========
References:
===========

  [1] http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.26.y.git;a=commit;h=be9467bd75b522a3db0369c12db739f797cfec6a
  [2] http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.26.4
  [3] http://www.trapkit.de/advisories/TKADV2008-007.txt





========
Changes:
========

  Revision 0.1 - Initial draft release to the vendor
  Revision 1.0 - Public release
  Revision 1.1 - Adjusted patch development time (thanks to Eugene Teo
                 for pointing this out) and added CVE-ID.





===========
Disclaimer:
===========

The information within this advisory may change without notice. Use
of this information constitutes acceptance for use in an AS IS
condition. There are no warranties, implied or express, with regard
to this information. In no event shall the author be liable for any
direct or indirect damages whatsoever arising out of or in connection
with the use or spread of this information. Any use of this
information is at the user's own risk.





==================
PGP Signature Key:
==================

  http://www.trapkit.de/advisories/tk-advisories-signature-key.asc





Copyright 2008 Tobias Klein. All rights reserved.





-----BEGIN PGP SIGNATURE-----

wj8DBQFIyDXGkXxgcAIbhEERAkQNAJ9JFcSyfJgzx+aLO0JxfnwM3KT+bwCfSzZt
/gDLzuXwIPURQiynmQbJW6A=
=dOxn
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/