lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CAHbG5q-VBapiUH0TdDnP3w-JEqpzyQT8qUsJ5rGhsAmt_VTYYg@mail.gmail.com>
Date: Tue, 19 Nov 2013 20:05:20 +0900
From: x90c <geinblues@...il.com>
To: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: XADV-2013008 Linux Kernel 3.11.7 <=
	sk_attach_filter Kernel Heap Corruption

+-------------------------------------------------------------------------------+
| XADV-2013008 Linux Kernel 3.11.7 <= sk_attach_filter Kernel Heap
Corruption   |
+-------------------------------------------------------------------------------+

Vulnerable versions:
- linux kernel 3.11.7 <=
Testbed: ubuntu
Type: Local
Impact: Medium
Vendor: http://www.kernel.org
Author: x90c <geinblues *nospam* gmail dot com>
Site: x90c.org

=========
ABSTRACT:
=========

The Linux Socket Filtering is derived from the Berkeley Packet Filter.
There are some distinct differences between the BSD and Linux Kernel
Filtering.

Linux Socket Filtering (LSF) allows a user-space program to attach a
filter onto any socket and allow or disallow certain types of data to
come through the socket. LSF follows exactly the same filter code structure
as the BSD Berkeley Packet Filter (BPF).

The linux kernel has a vulnerability to lead the kernel panic via an
Integer overflow, It occured at sk_attach_filter() in /net/core/filter.c
the sk_attach_filter.


* References:
  [1] https://www.kernel.org/doc/Documentation/networking/filter.txt
  [2] http://www.cs.columbia.edu/~nahum/w6998/lectures/vpk-columbia-nsdi-lsf.pdf


=========
DETAILS:
=========

[~/linux-3.11.7/net/core/filter.c]
----
int sk_attach_filter(struct sock_fprog *fprog, struct sock *sk)
{
    struct sk_filter *fp, *old_fp;
    // XXX user controllable fprog->len, stored count of filter to attach.
    unsigned int fsize = sizeof(struct sock_filter) * fprog->len;
    int err;

    if (sock_flag(sk, SOCK_FILTER_LOCKED))
        return -EPERM;

    /* Make sure new filter is there and in the right amounts. */
    if (fprog->filter == NULL)
        return -EINVAL;

    // XXX Integer overflow (+ sizeof(*fp)) and causing a little allocation.
    fp = sock_kmalloc(sk, fsize+sizeof(*fp), GFP_KERNEL);
    if (!fp)
        return -ENOMEM;

    // XXX kernel heap corruption occured with fsize with larger value.
    if (copy_from_user(fp->insns, fprog->filter, fsize)) {
        sock_kfree_s(sk, fp, fsize+sizeof(*fp));

...

----


===============
EXPLOIT CODES:
===============
-

=============
PATCH CODES:
=============
-


===============
VENDOR STATUS:
===============
2013/11/19 - I discovered the bug.
2013/11/19 - The advisory released on full-disclosure, bugtraq.


============
DISCLAIMER:
============

The authors reserve the right not to be responsible for the topicality,
correctness, completeness or quality of the information provided in this
document. Liability claims regarding damage caused by the use of any information
provided, including any kind of information which is incomplete or incorrect,
will therefore be rejected.

Content of type "text/html" skipped

View attachment "xadv_2013008_linux_kernel.txt" of type "text/plain" (2799 bytes)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ