|
oss-sec
mailing list archives
Re: CVE Request: kernel - sock_diag: Fix out-of-bounds access to sock_diag_handlers[]
From: Mathias Krause <minipli () googlemail com>
Date: Mon, 25 Feb 2013 19:45:01 +0100
On Mon, Feb 25, 2013 at 5:12 PM, Solar Designer <solar () openwall com> wrote:
On Mon, Feb 25, 2013 at 11:41:33AM +0100, Mathias Krause wrote:
But sorry, I won't disclose any further details, to not get into legal
issues. In Germany it's quite hairy to do things like that :/
But I can provide you my PoC in a private email -- for security evaluation.
This is not necessary since we don't use these "too recent" kernels, but
thanks for offering.
Here's a curious tweet:
<_argp> Since full-disclosure has been DDoSed to oblivion, here's huku's sock_diag 1 year-old exploit:
http://pastebin.com/gwn1qErx
So it looks like those guys have been exploiting this bug for quite a
while. Good that it's fixed, now!
The pastebin has:
---
Who the fuck DDoS'ed full-disclosure? ;)
http://sysc.tl/mpougatsa_me_krema_kai_milko.tgz
---------- Forwarded message ----------
From: huku <huku () grhack net>
Date: Mon, 25 Feb 2013 01:18:38 +0200
Subject: CVE-2013-1763 local root exploit
To: full-disclosure () lists grok org uk
Greetings fly to Daphne Rosen, Gianna Michaels and Carmella Bing.
./hk
---
SHA-1:
c5904fdaea3e212bb84592e6e2ce3a640b14308c mpougatsa_me_krema_kai_milko.tgz
Two of the files in the tarball have timestamps of 2012-07-14. Of
course, this is no proof, but it does appear that the bug was privately
known since about July 2012. The README says:
"A trimmed down version of an old exploit for the recently published
`sock_diag_handlers[]' vulnerability :("
The code contains:
printf("Linux kernel >= 3.2 NETLINK_INET_DIAG 0day\n");
printf("by huku <huku _at_ grhack _dot_ net>\n");
Is ">= 3.2" an error (should have been ">= 3.3" as your original posting
in here said)? (The difference may be whether Ubuntu 12.04 is affected.)
Did you even try to run the exploit on a v3.2 kernel? Or even more
simple, looked at the code of a v3.2 kernel? There is no sock_diag
anywhere in the kernel; there is only inet_diag. And inet_diag hadn't
and still does not have the out-of-bounds access issue. So no, this
bug is non-existent on a v3.2 kernel.
Thanks,
Mathias
Alexander
 By Date 
By Thread
Current thread:
Re: CVE Request: kernel - sock_diag: Fix out-of-bounds access to sock_diag_handlers[] Marcus Meissner (Feb 25)
|
