Message-ID: <4246CF87.9010903@nospammail.net>
Date: Sun Mar 27 16:22:16 2005
From: spamproof at nospammail.net (Rob)
Subject: local root security bug in linux >= 2.4.6 <= 2.4.30-rc1 and 2.6.x.y <= 2.6.11.5

advisories wrote:
> Hi,
> We recently discovered a security bug in the bluetooth stack of the 
> linux kernel.
> This affects most linux kernels (provided that the bluetooth stack is 
> used).
> 
> More information can be found in the attached pdf file.
> 
> Regards,
> The suresec team.

I "discovered" this text in the attachment:

Suresec security advisory 1
Release date: 27th March 2005
CVE ID: CAN-2005-0750

Linux kernel local root vulnerability
About the linux kernel:
The linux kernel is a widely used kernel which is unix based.
Vulnerability summary:
The linux kernel has support for bluetooth. A local root security
vulnerability was found in this bluetooth stack.
Vulnerable code:
static int bluez_sock_create(struct socket *sock, int proto)
{
        if (proto >= BLUEZ_MAX_PROTO)
                return -EINVAL;
        ...
        return bluez_proto[proto]->create(sock, proto);
}
This code can be reached by either calling socket() or alternatively
calling socketpair(). When passed a negative value for the protocol the
bounds check can be bypassed. Later the protocol number is used as an
index to a function pointer. It is possible to use proto as an index to
some kind of memory that is under a user's control.
Impact:
When properly exploited this yields local root. (exploitation is trivial)
Affected versions:
This vulnerability affects all 2.6.x(.y) <= 2.6.11.5 linux kernels and >=
2.4.6 <= 2.4.30-rc1 kernels provided that there is support for bluetooth.
Suggested Recommendations:
Update your kernel to a newer one, or alternatively we've made a
loadable kernel module which works around the problem by checking
the protocol and domain before the bluetooth socket code is called. It
can be found at:
http://www.suresec.org/tools/bluetooth_workaround.tar.gz

Credits:
Ilja van Sprundel found this vulnerability.

About us:
Suresec Ltd is a global service provider of Internet security solutions
and consultancy with unmatched quality from our world class
consultancy practice.
Our consultants have pioneered in the field of security research and
have closely worked with leading software companies and service
providers to mitigate risks and fix a number of critical vulnerabilities,
suresec also works closely with a number of open source companies
to provide them with a source code auditing and technical consultancy.
We have a strong team of consultants spread across Europe, the United
States and Australia specializing in security consulting.
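The bounds-check flaw the advisory describes, reduced to a stand-alone example of the vulnerable check beside two corrected forms (added here; this is not the kernel's, the advisory's, or Rob's code, and MAX_PROTO, proto_table and the stub create handler are constructed stand-ins):

```c
#include <stdio.h>
#include <errno.h>

/* Constructed stand-ins for the kernel's protocol table (not BlueZ code). */
#define MAX_PROTO 4

struct sock_proto { int (*create)(int proto); };

static int create_stub(int proto) { return proto; }   /* reports which slot ran */

static struct sock_proto proto_table[MAX_PROTO] = {
    { create_stub }, { create_stub }, { create_stub }, { create_stub },
};

/* Shape of the advisory's check: a signed compare only guards the upper bound,
 * so every negative proto passes and would then be used as a table index. */
int vulnerable_check_passes(int proto)
{
    return proto < MAX_PROTO;
}

/* Fix 1: guard both bounds explicitly. */
int fixed_check_passes(int proto)
{
    return proto >= 0 && proto < MAX_PROTO;
}

/* Fix 2: the idiomatic kernel form; the cast turns every negative value into
 * a very large unsigned number, so a single compare covers both bounds. */
int unsigned_check_passes(int proto)
{
    return (unsigned int)proto < (unsigned int)MAX_PROTO;
}

/* Dispatch with the corrected check: the table is only indexed once proto has
 * been shown to lie in [0, MAX_PROTO); anything else gets -EINVAL. */
int sock_create_fixed(int proto)
{
    if (!unsigned_check_passes(proto))
        return -EINVAL;
    return proto_table[proto].create(proto);
}

int main(void)
{
    int samples[] = { -1, 0, 3, 4 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("proto %2d: vulnerable=%d fixed=%d unsigned=%d\n", samples[i],
               vulnerable_check_passes(samples[i]), fixed_check_passes(samples[i]),
               unsigned_check_passes(samples[i]));
    return 0;
}
```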
