Credit:
The information has been provided by Tobias Klein.
The original article can be found at: http://www.trapkit.de/advisories/TKADV2008-007.txt
Vulnerable Systems:
* Linux Kernel versions prior to 2.6.26.4 (the fix ships in 2.6.26.4, see Solution)
Immune Systems:
* Linux Kernel version 2.6.26.4 or newer
* Earlier kernels with the fix from [1] applied
Technical description:
From source code file: net/sctp/socket.c
[...]
SCTP_STATIC int sctp_getsockopt(struct sock *sk, int level, int optname,
                                char __user *optval, int __user *optlen)
{
        int retval = 0;
        int len;
[...]
        if (get_user(len, optlen))                                    <-- [1]
                return -EFAULT;
[...]
        case SCTP_HMAC_IDENT:
                retval = sctp_getsockopt_hmac_ident(sk, len, optval, optlen); <-- [2]
                break;
[...]
[1] The user controlled value of "optlen" is copied into "len" without any range check
[2] "len" is passed unchanged to "sctp_getsockopt_hmac_ident()"
[...]
static int sctp_getsockopt_hmac_ident(struct sock *sk, int len,
                                      char __user *optval, int __user *optlen)
{
        struct sctp_hmac_algo_param *hmacs;
        __u16 param_len;

        hmacs = sctp_sk(sk)->ep->auth_hmacs_list;                     <-- [3]
        param_len = ntohs(hmacs->param_hdr.length);                   <-- [4]

        if (len < param_len)                                          <-- [5]
                return -EINVAL;
        if (put_user(len, optlen))
                return -EFAULT;
        if (copy_to_user(optval, hmacs->hmac_ids, len))               <-- [6]
                return -EFAULT;

        return 0;
}
[...]
If SCTP authentication is disabled (net.sctp.auth_enable=0, which is the default unless the administrator has turned it on):
[3] "hmacs" is NULL, because the endpoint's auth_hmacs_list is only set up when authentication is enabled
[4] reading "hmacs->param_hdr.length" dereferences a NULL pointer and the kernel oopses (local denial of service)
That is one example of the NULL pointer dereferences in the SCTP-AUTH API; the other socket options with the same defect are listed in the fix [1]. Nothing checks auth_enable before [3], so any local user who can create an SCTP socket can trigger it.
If SCTP authentication is enabled (net.sctp.auth_enable=1):
[3] "hmacs" points to the endpoint's HMAC-ALGO parameter
[4] "param_len" is the length of that parameter
[5] The length check only rejects a "len" smaller than "param_len"; any larger value passes, and "len" is user controlled
[6] "len" is then used as the copy length, so the caller decides how many bytes are copied back to user space
Because "len" has no upper bound, an unprivileged local user can read kernel memory past the end of "hmac_ids" (a kernel heap information leak), and the put_user() call hands the same "len" back in "optlen", so the caller knows exactly how many bytes were returned.
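Both failure modes above (the NULL dereference with authentication off, the unbounded copy with it on) as an added, constructed user-space model. This is not code from the advisory or from the kernel: get_user/put_user/copy_to_user are replaced by memcpy, the "kernel heap" is a byte array laid out by hand, and the struct layout (a 4-byte parameter header whose length field counts the header, then 16-bit ids), the HMAC ids 1 and 3, the parameter type 0x8004 and the "KERNELSECRET" marker are all assumptions made for the example. The fixed variant is my own correction (an auth_enable check plus a copy bounded by the parameter's own payload), not a transcript of the referenced kernel commit.

```c
/* Constructed user-space model of the SCTP_HMAC_IDENT getsockopt path quoted above; not kernel
 * code. get_user/put_user/copy_to_user become memcpy, the "kernel heap" is a byte array. */
#include <arpa/inet.h>   /* htons/ntohs */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout matching the quoted code: 4-byte TLV header (length covers the header), then 16-bit ids. */
struct paramhdr { uint16_t type; uint16_t length; };
struct hmac_algo_param { struct paramhdr param_hdr; uint16_t hmac_ids[2]; };
struct result { int rc; int optlen; int leaked; };
#define HEAP_SIZE 64
#define MODEL_NULL_DEREF 1000   /* sentinel: the real kernel would oops here */
/* Fake kernel memory: the parameter first, then a constructed marker that must never leak. */
static union { struct hmac_algo_param p; uint8_t bytes[HEAP_SIZE]; } fake_heap;
static const char secret[] = "KERNELSECRET";

/* Lays out the HMAC-ALGO parameter (ids 1 = SHA-1, 3 = SHA-256 per RFC 4895) and the
 * secret behind it; returns NULL when auth is off, like ep->auth_hmacs_list at [3]. */
static struct hmac_algo_param *setup_heap(int auth_enable)
{
    struct hmac_algo_param *hmacs = &fake_heap.p;
    const uint16_t ids[2] = { htons(1), htons(3) };
    memset(fake_heap.bytes, 0, sizeof fake_heap.bytes);
    if (!auth_enable)
        return NULL;
    hmacs->param_hdr.type = htons(0x8004);   /* HMAC-ALGO parameter type */
    hmacs->param_hdr.length = htons((uint16_t)(sizeof(struct paramhdr) + sizeof ids));
    memcpy(hmacs->hmac_ids, ids, sizeof ids);
    memcpy(fake_heap.bytes + sizeof(struct paramhdr) + sizeof ids, secret, sizeof secret);
    return hmacs;
}

/* Transcription of the vulnerable function: len is the caller's optlen, checked only
 * against a lower bound ([5]) and then used as the copy length ([6]). */
static int vuln_getsockopt_hmac_ident(const struct hmac_algo_param *hmacs,
                                      int len, uint8_t *optval, int *optlen)
{
    uint16_t param_len = ntohs(hmacs->param_hdr.length);   /* [4]: NULL deref if auth is off */
    if (len < param_len)                                    /* [5] */
        return -EINVAL;
    *optlen = len;                                          /* put_user(len, optlen) */
    memcpy(optval, hmacs->hmac_ids, (size_t)len);           /* [6] copy_to_user */
    return 0;
}

/* Corrected variant (mine, not a transcript of the kernel patch): refuse the option while
 * SCTP-AUTH is off, and copy only the parameter's own payload, whatever len says. */
static int fixed_getsockopt_hmac_ident(int auth_enable, const struct hmac_algo_param *hmacs,
                                       int len, uint8_t *optval, int *optlen)
{
    int data_len;
    if (!auth_enable)
        return -EACCES;
    data_len = ntohs(hmacs->param_hdr.length) - (int)sizeof(struct paramhdr);
    if (len < data_len)
        return -EINVAL;
    len = data_len;   /* the caller's len is a capacity, never the copy length */
    *optlen = len;
    memcpy(optval, hmacs->hmac_ids, (size_t)len);
    return 0;
}

/* Longest prefix of the secret found anywhere in buf[0..n). */
static int leaked_prefix(const uint8_t *buf, size_t n)
{
    for (size_t k = strlen(secret); k > 0; k--)
        for (size_t i = 0; i + k <= n; i++)
            if (memcmp(buf + i, secret, k) == 0)
                return (int)k;
    return 0;
}

/* One scenario (variant, auth on/off, caller's optlen): return code, optlen handed back, secret bytes leaked. */
static struct result run(int use_fixed, int auth_enable, int req_len)
{
    struct result r = { 0, req_len, 0 };
    uint8_t user_buf[HEAP_SIZE] = { 0 };
    struct hmac_algo_param *hmacs = setup_heap(auth_enable);
    if (req_len < 0 || req_len > HEAP_SIZE - (int)sizeof(struct paramhdr)) { r.rc = -ERANGE; return r; }  /* model limit only */
    if (!use_fixed && hmacs == NULL) { r.rc = MODEL_NULL_DEREF; return r; }  /* user space cannot survive [4] either */
    r.rc = use_fixed ? fixed_getsockopt_hmac_ident(auth_enable, hmacs, req_len, user_buf, &r.optlen)
                     : vuln_getsockopt_hmac_ident(hmacs, req_len, user_buf, &r.optlen);
    if (r.rc == 0)
        r.leaked = leaked_prefix(user_buf, (size_t)r.optlen);
    return r;
}

int main(void)
{
    const int lens[3] = { 4, 8, 40 };
    for (int f = 0; f < 2; f++) for (int auth = 0; auth < 2; auth++) for (int i = 0; i < 3; i++) {
        struct result r = run(f, auth, lens[i]);
        printf("%-10s auth_enable=%d optlen=%2d -> rc=%5d optlen_out=%2d secret_bytes=%d\n",
               f ? "fixed" : "vulnerable", auth, lens[i], r.rc, r.optlen, r.leaked);
    }
    return 0;
}
```

Build with cc -std=c99 -Wall and run: the vulnerable rows show optlen_out tracking whatever the caller passed and the marker bytes turning up in the user buffer, the fixed rows clamp optlen_out to the 4 bytes of identifiers and leak nothing. One detail the model makes visible: because param_len counts the 4-byte header while the copy starts at hmac_ids, even the smallest len the vulnerable check accepts (8 here) already copies 4 bytes past the identifiers, so there is no "safe" optlen for the unfixed code.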
Solution:
The Linux Kernel maintainers have addressed these vulnerabilities in version 2.6.26.4. More information can be found at the URLs below:
http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.26.4
http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.26.y.git;a=commit;h=be9467bd75b522a3db0369c12db739f797cfec6a
History:
2008/08/20 - Initial notification of kernel maintainers
2008/08/20 - Initial response from kernel maintainers
2008/09/08 - Fix provided
2008/09/09 - Public disclosure
References:
[1] http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.26.y.git;a=commit;h=be9467bd75b522a3db0369c12db739f797cfec6a
[2] http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.26.4
CVE Information:
CVE-2008-3792