Vulnerable: Linux 2.4 kernels up to and including 2.4.19, and Linux 2.5 kernels up to and including 2.5.31, where Netfilter / IPTables is enabled, and where either of the experimental IP queuing modules (ip_queue, ip6_queue) is in use.
Not vulnerable:
* Linux kernels version 2.4.20 (stable) and up
* Linux kernels version 2.5.32 (development) and up
Under Linux 2.4 and 2.5, an experimental IP packet queuing feature is available as part of Netfilter / IPTables. This consists of kernel modules and a userspace library which allow userspace mediation and modification of IPv4 and IPv6 packets.
A userspace mediation process must normally be privileged (requiring NET_ADMIN capability) to process packets from the kernel. To commence mediating packets, a userspace process typically sends a Netlink message to the associated kernel module, specifying queuing parameters. The kernel module captures the UNIX process ID (PID) of the process to ensure reliable queuing and delivery of packets.
If the privileged mediation process exits, an unprivileged process re-using the same PID may be able to receive a limited amount of network traffic.
This would only occur if no network traffic was queued between the exit of the privileged process and the establishment of the unprivileged process, as the kernel module will reset the queuing session upon transmission error to userspace.
The kernel module will only transmit a limited number of packets to the userspace process without acknowledgment. As all transmissions from userspace to the kernel module require NET_ADMIN capability, the unprivileged process will not be able to acknowledge packets. Thus, the maximum number of packets that the unprivileged process can read is limited to the queue length (default 1024 packets). The unprivileged process can also only read packets which have been selected for queuing via IPTables by a privileged process.
This flaw is theorized to be difficult and somewhat invasive to exploit, probably requiring a combined use of DoS attacks. It was discovered by the author of the code, and no exploits are known to exist.
Fixing the flaw involved implementing a reliable mechanism for detecting when the Netlink control socket of a privileged mediation process is closed, and resetting the kernel queuing session state upon such events.
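The session behaviour described above (PID captured at registration, a bounded number of unacknowledged packets, verdicts refused without NET_ADMIN, reset on transmission error) and the fix (reset when the peer's Netlink socket closes) can be modelled in a few dozen lines. The following is an added illustration written for this page, not code from the ip_queue module itself: the `queue_session` and `process` structures, the `session_*` functions and the scenario helper are all constructed assumptions that stand in for the kernel's real Netlink bookkeeping. It shows why the unprivileged reader is capped at the queue length in the vulnerable case, why a packet queued in the gap before PID reuse already defeats it, and why the hardened variant delivers nothing.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define QUEUE_MAX 1024 /* default ip_queue length named in the advisory */
#define MAX_PROCS 8

/* Constructed model of a userspace process as the kernel sees it. */
struct process {
    int pid;
    bool alive;
    bool has_net_admin; /* CAP_NET_ADMIN */
};

/* Constructed model of the kernel module's queuing session state. */
struct queue_session {
    int peer_pid;    /* PID captured at registration, 0 = no session */
    int outstanding; /* packets handed to userspace, not yet given a verdict */
    bool hardened;   /* true: reset when the peer's Netlink socket closes (the fix) */
};

static struct process *find_proc(struct process *procs, int n, int pid) {
    for (int i = 0; i < n; i++)
        if (procs[i].pid == pid && procs[i].alive) return &procs[i];
    return NULL;
}

static void session_reset(struct queue_session *s) {
    s->peer_pid = 0;
    s->outstanding = 0;
}

/* Registration message from userspace: only a NET_ADMIN process may send it. */
bool session_register(struct queue_session *s, const struct process *p) {
    if (!p->alive || !p->has_net_admin) return false;
    s->peer_pid = p->pid;
    s->outstanding = 0;
    return true;
}

/* Kernel queues a packet toward the registered peer PID.
 * Returns the PID that received it, or 0 if the packet was dropped. */
int session_deliver(struct queue_session *s, struct process *procs, int n) {
    if (s->peer_pid == 0) return 0;            /* nobody mediating: dropped */
    if (s->outstanding >= QUEUE_MAX) return 0; /* queue full: dropped */
    struct process *peer = find_proc(procs, n, s->peer_pid);
    if (peer == NULL) {                        /* Netlink send fails: session reset */
        session_reset(s);
        return 0;
    }
    s->outstanding++;
    return peer->pid;
}

/* Verdict (acknowledgment) from userspace; the kernel requires NET_ADMIN. */
bool session_verdict(struct queue_session *s, const struct process *p) {
    if (!p->alive || !p->has_net_admin || p->pid != s->peer_pid) return false;
    if (s->outstanding > 0) s->outstanding--;
    return true;
}

/* Process exits and its Netlink socket closes. Only the hardened kernel reacts. */
void process_exit(struct queue_session *s, struct process *p) {
    p->alive = false;
    if (s->hardened && s->peer_pid == p->pid) session_reset(s);
}

/* Scenario from the advisory: the privileged mediator exits, an unprivileged
 * process is later created with the same PID, then `traffic` packets are queued.
 * `gap_packet` models one packet queued between the exit and the PID reuse.
 * Returns how many packets the unprivileged process received. */
int packets_read_by_unprivileged(bool hardened, bool gap_packet, int traffic) {
    struct process procs[MAX_PROCS] = {
        { .pid = 100, .alive = true,  .has_net_admin = true  }, /* mediator */
        { .pid = 100, .alive = false, .has_net_admin = false }, /* reuses the PID later */
    };
    struct queue_session s = { .peer_pid = 0, .outstanding = 0, .hardened = hardened };
    int received = 0;

    if (!session_register(&s, &procs[0])) return -1;
    session_deliver(&s, procs, 2);                 /* normal operation: one packet ... */
    session_verdict(&s, &procs[0]);                /* ... and its verdict */

    process_exit(&s, &procs[0]);
    if (gap_packet) session_deliver(&s, procs, 2); /* send fails, vulnerable kernel resets too */

    procs[1].alive = true;                         /* unprivileged process now holds PID 100 */
    for (int i = 0; i < traffic; i++) {
        if (session_deliver(&s, procs, 2) == 100) received++;
        session_verdict(&s, &procs[1]);            /* always refused: no NET_ADMIN */
    }
    return received;
}

int main(void) {
    printf("vulnerable, no gap packet: %d\n", packets_read_by_unprivileged(false, false, 5000));
    printf("vulnerable, gap packet:    %d\n", packets_read_by_unprivileged(false, true, 5000));
    printf("hardened, no gap packet:   %d\n", packets_read_by_unprivileged(true, false, 5000));
    return 0;
}
```

In the model the vulnerable kernel hands the PID-reusing process exactly QUEUE_MAX packets and then stalls, because every verdict it attempts is refused for lack of NET_ADMIN; a single packet queued while the PID was unowned already resets the session; the hardened kernel resets at socket close and the reuser receives nothing.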