oss-sec mailing list archives
CVE request: kernel: netfilter & econet infoleaks
From: Vasiliy Kulikov <segoon () openwall com>
Date: Fri, 18 Mar 2011 20:10:41 +0300
Hi, "Structures ipt_replace, compat_ipt_replace, and xt_get_revision are copied from userspace. Fields of these structs that are zero-terminated strings are not checked. When they are used as argument to a format string containing "%s" in request_module(), some sensitive information is leaked to userspace via argument of spawned modprobe process. The first bug was introduced before the git epoch; the second is introduced by 6b7d31fc (v2.6.15-rc1); the third is introduced by 6b7d31fc (v2.6.15-rc1). To trigger the bug one should have CAP_NET_ADMIN." http://marc.info/?l=netfilter-devel&m=129978081009955&w=2 "Structures ipt_replace, compat_ipt_replace, and xt_get_revision are copied from userspace. Fields of these structs that are zero-terminated strings are not checked. When they are used as argument to a format string containing "%s" in request_module(), some sensitive information is leaked to userspace via argument of spawned modprobe process. The first and the third bugs were introduced before the git epoch; the second was introduced in 2722971c (v2.6.17-rc1). To trigger the bug one should have CAP_NET_ADMIN." http://marc.info/?l=linux-kernel&m=129978077609894&w=2 "'buffer' string is copied from userspace. It is not checked whether it is zero terminated. This may lead to overflow inside of simple_strtoul(). Changli Gao suggested to copy not more than user supplied 'size' bytes. It was introduced before the git epoch. Files "ipt_CLUSTERIP/*" are root writable only by default, however, on some setups permissions might be relaxed to e.g. network admin user." http://marc.info/?l=netfilter&m=129978077509888&w=2 http://marc.info/?l=netfilter-devel&m=130036157327564&w=2 "Structures ip6t_replace, compat_ip6t_replace, and xt_get_revision are copied from userspace. Fields of these structs that are zero-terminated strings are not checked. When they are used as argument to a format string containing "%s" in request_module(), some sensitive information is leaked to userspace via argument of spawned modprobe process. The first bug was introduced before the git epoch; the second was introduced in 3bc3fe5e (v2.6.25-rc1); the third is introduced by 6b7d31fc (v2.6.15-rc1). To trigger the bug one should have CAP_NET_ADMIN." http://marc.info/?l=linux-kernel&m=129978086410061&w=2 "struct aunhdr has 4 padding bytes between 'pad' and 'handle' fields on x86_64. These bytes are not initialized in the variable 'ah' before sending 'ah' to the network. This leads to 4 bytes kernel stack infoleak. This bug was introduced before the git epoch." http://marc.info/?l=linux-netdev&m=130036203528021&w=2 Thanks, -- Vasiliy Kulikov http://www.openwall.com - bringing security into open computing environments
Current thread:
- CVE request: kernel: netfilter & econet infoleaks Vasiliy Kulikov (Mar 18)
- Re: CVE request: kernel: netfilter & econet infoleaks Eugene Teo (Mar 20)
- Re: CVE request: kernel: netfilter & econet infoleaks Eugene Teo (Mar 21)
- Re: CVE request: kernel: netfilter & econet infoleaks Eugene Teo (Mar 20)