Security News -  Security Reviews -   Exploits -  Tools -  UNIX Focus -  Windows Focus
SecuriTeam™  Beyond Security®  SecuriTeam™ Home  Ask the Team  Mailing Lists  Advertising Info  Blogs SecuriTeam™ in Your Inbox   E-mail this CVE-2007-2875 to a friend New vulnerability? New tool? Tell us	CVE-2007-2875 Linux Kernel cpuset tasks Information Disclosure Vulnerability     Credit: The information has been provided by iDefense. The original article can be found at: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=541 Website Security Scan Code Vulnerability Test Network Assessment Tool Detect hidden vulnerabilities Exhaustive automated testing Real-time, continuous security Get guidance from professionals of internal or 3rd party code. scanning for your entire network    CVE-2007-2875 Details Check for CVE-2007-2875 Vulnerability Assessment and Management. Automated Pen Testing for 50 to 50,000 nodes beyondsecurity.com/vulnerability-scanner Vulnerable Systems:  * Linux Kernel version 2.6.20 installed with Fedora CORE 6.  * It is suspected that previous versions, at least until 2.6.12, are also vulnerable. This vulnerability specifically exists in the "cpuset_tasks_read" function. This function is responsible for supplying user-land processes with data when they read from the /dev/cpuset/tasks file. The code excerpt below shows the problem area.   1754 if (*ppos + nbytes > ctr->bufsz)   1755 nbytes = ctr->bufsz - *ppos;   1756 if (copy_to_user(buf, ctr->buf + *ppos, nbytes)) By reading from an offset (*ppos) larger than the contents of the file, an attacker can cause an integer underflow to occur in the subtraction on line 1755. This will result in the "copy_to_user" function on line 1756 to be called with a memory address located at a lower address than the start of the intended buffer. This memory could potentially contain sensitive information such as security tokens or passwords. Exploitation of this vulnerability allows attackers to obtain sensitive information from kernel memory. In order to exploit this vulnerability, an attacker would need access to open the /dev/cpuset/tasks file. It is important to note that this file does not exist unless the cpuset file system has been mounted. Additionally, this functionality is not included by default in a vanilla kernel build. Furthermore, because of checks at the VFS layer and in the 'copy_to_user()' function, an attacker cannot use arbitrary values. However, on 32-bit systems it is easily exploitable. Workaround: In order to prevent exploitation of this vulnerability, discontinue use of the cpuset file system. This can be accomplished by un-mounting the file system using the "umount" command. Vendor Status: The Linux kernel team has released versions 2.6.20.13 and 2.6.21.4 to address this vulnerability. More information can be found via the following URLs. http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.20.13 http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.21.4 CVE Information: CVE-2007-2875 Disclosure Timeline:  * 04/27/2007 - Initial vendor notification  * 06/04/2007 - Second vendor notification  * 06/04/2007 - Initial vendor response  * 06/07/2007 - Coordinated public disclosure  Comments on CVE-2007-2875:  Add new comment:  Subject:  Name/Nick/Email:          Chars Left:	All Sections Security News Unix focus Exploits Tools Windows focus Security Reviews
	Security News - Security Reviews - Exploits - Tools - UNIX Focus - Windows Focus

Copyright © 1998-2010 Beyond Security® All rights reserved.
Terms of Use Site Privacy Statement.
SecuriTeam™ is a trademark of Beyond Security®