lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <20041215224150.GA25687@newtoncomputing.co.uk>
Date: Wed, 15 Dec 2004 22:41:50 +0000
From: matthew-bugtraq@...toncomputing.co.uk
To: Paul Starzetz <ihaquer@...c.pl>
Cc: stephen joseph butler <stephen.butler@...il.com>,
	security@...c.pl, bugtraq@...urityfocus.com
Subject: Re: Linux kernel IGMP vulnerabilities


On Wed, Dec 15, 2004 at 01:34:33PM +0100, Paul Starzetz wrote:
> On Tue, 14 Dec 2004, stephen joseph butler wrote:
> 
> > > /proc/net/igmp
> > > /proc/net/mcfilter
> > > 
> > > if both exist and are non-empty you are vulnerable!
> > 
> > Just to be clear: if "mcfilter" is empty, then you aren't vulnerable?
> > I have both files, and "igmp" contains data, but "mcfilter" is empty.
> 
> You are not vulnerable to the remote attack described under (3), however 
> your kernel may be still buggy. Note that you need a running process that 
> has manipulated its multicast socket filters. If your kernel is buggy and 
> you have local users such an application can always appear, at a time you 
> don't expect it.

This afternoon I tried the exploit on my machine, which has exactly those
symptoms (data in igmp, mcfilter empty). It froze solid, hard power-cycle
required.

-- 
Matthew

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ