Full Disclosure mailing list archives

[TKADV2008-007] Linux Kernel SCTP-AUTH API Information Disclosure Vulnerability and NULL Pointer Dereferences

From: Tobias Klein <tk () trapkit de>
Date: Thu, 11 Sep 2008 09:27:26 +0200

Please find attached a detailed advisory of the vulnerabilities.

Alternatively, the advisory can also be found at:
http://www.trapkit.de/advisories/TKADV2008-007.txt

ÿþ-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1



Advisory:               Linux Kernel SCTP-AUTH API 
Information Disclosure 

                        Vulnerability and NULL Pointer 
Dereferences

Advisory ID:            TKADV2008-007

Revision:               1.1

Release Date:           2008/09/09

Last Modified:          2008/09/10

Date Reported:          2008/08/20

Author:                 Tobias Klein (tk at trapkit.de)

Affected Software:      Linux Kernel <= 2.6.26.4

Remotely Exploitable:   No

Locally Exploitable:    Yes

Vendor URL:             http://www.kernel.org/

Vendor Status:          Vendor has released a fixed version

CVE-ID:                 CVE-2008-3792

Patch development time: 1 day





======================

Vulnerability details:

======================



The Linux Kernel contains an information disclosure 
vulnerability while 

parsing the IOCTL SCTP_HMAC_IDENT. Exploitation of this 
vulnerability can 

allow a local unprivileged attacker to gain access to 
sensitive data. 



Additionally, there are various NULL pointer dereferences 
in the SCTP-AUTH

API. All of the SCTP-AUTH socket options could cause a 
kernel panic if the 

extension is disabled and the API is envoked. Exploitation 
of these

vulnerabilities can allow an unprivileged attacker to crash 
the system 

(Denial of Service).





======================

Technical description:

======================

 

From source code file: net/sctp/socket.c



[...]

SCTP_STATIC int sctp_getsockopt(struct sock *sk, int level, 
int optname,

                            char __user *optval, int __user *optlen)

{

       int retval = 0;

       int len;

[...]

       if (get_user(len, optlen))  <-- [1]

              return -EFAULT;

[...]

       case SCTP_HMAC_IDENT:

              retval = sctp_getsockopt_hmac_ident(sk, len, 
optval, optlen);  <-- [2]

              break;

[...]



[1] The user controlled value of "optlen" is copied into 
"len"

[2] "len" is used as a parameter for the function 

    "sctp_getsockopt_hmac_ident()"





{...]

static int sctp_getsockopt_hmac_ident(struct sock *sk, int 
len,

                                char __user *optval, int __user 
*optlen)

{

       struct sctp_hmac_algo_param *hmacs;

       __u16 param_len;



       hmacs = sctp_sk(sk)->ep->auth_hmacs_list;  <-- [3]

       param_len = ntohs(hmacs->param_hdr.length); <-- [4]



       if (len < param_len)  <-- [5]

              return -EINVAL;

       if (put_user(len, optlen))

              return -EFAULT;

       if (copy_to_user(optval, hmacs->hmac_ids, len))  <-- 
[6]

              return -EFAULT;



       return 0;

}

[...]



If SCTP authentication is disabled 
(net.sctp.auth_enable=0):



[3] "hmacs" gets NULL

[4] "hmacs->param_hdr.length" leads to a NULL pointer 
dereference



That's one example of the mentioned NULL pointer 
dereferences in the 

SCTP-AUTH API. For more examples see [1].



If SCTP authentication is enabled (net.sctp.auth_enable=1):



[3] "hmacs" gets a valid value

[4] "param_len" gets a valid value

[5] The length check can be easily passed as "len" is user 
controlled

[6] "len" is a user controlled value, therefore it is 
possible to control 

    the number of bytes that get copied back to the user



As "len" isn't validated at all an unprivileged user can 
read arbitrary 

data from memory.





=========

Solution:

=========



The Linux Kernel maintainers have addressed these 
vulnerabilities within

version 2.6.26.4. More information can be found from the 
URLs shown below.



http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.26.4



http://git.kernel.org/?p=linux/kernel/git/stable/linux-

2.6.26.y.git;a=commit;h=be9467bd75b522a3db0369c12db739f797cfec6a





========

History:

========



  2008/08/20 - Initial notification of kernel maintainers

  2008/08/20 - Initial response from kernel maintainers

  2008/09/08 - Fix provided

  2008/09/09 - Public disclosure





========

Credits:

========



  Vulnerabilities found and advisory written by Tobias 
Klein.





===========

References:

===========



  [1] 
http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.26.y.git

      ;a=commit;h=be9467bd75b522a3db0369c12db739f797cfec6a

  [2] 
http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.26.4

  [3] http://www.trapkit.de/advisories/TKADV2008-007.txt





========

Changes:

========



  Revision 0.1 - Initial draft release to the vendor

  Revision 1.0 - Public release

  Revision 1.1 - Adjusted patch development time (thanks to 
Eugene Teo

                 for pointing this out) and added CVE-ID.





===========

Disclaimer:

===========



The information within this advisory may change without 
notice. Use 

of this information constitutes acceptance for use in an AS 
IS 

condition. There are no warranties, implied or express, 
with regard 

to this information. In no event shall the author be liable 
for any 

direct or indirect damages whatsoever arising out of or in 
connection 

with the use or spread of this information. Any use of this 


information is at the user's own risk. 





==================

PGP Signature Key:

==================



  
http://www.trapkit.de/advisories/tk-advisories-signature-key.asc





Copyright 2008 Tobias Klein. All rights reserved.





-----BEGIN PGP SIGNATURE-----



wj8DBQFIyDXGkXxgcAIbhEERAkQNAJ9JFcSyfJgzx+aLO0JxfnwM3KT+bwCfSzZt

/gDLzuXwIPURQiynmQbJW6A=

=dOxn

-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Current thread:

[TKADV2008-007] Linux Kernel SCTP-AUTH API Information Disclosure Vulnerability and NULL Pointer Dereferences Tobias Klein (Sep 11)