LinuxQuestions.org


unSpawn 04-22-2004 01:38 PM

WARN: Kernel vuln: MCAST_MSFILTER (2.4.22/2.6.1)
 
Linux kernel setsockopt MCAST_MSFILTER integer overflow
Reference: http://msgs.securepoint.com/cgi-bin/...q0404/212.html
Bugtraq, iSEC Security Research (Paul Starzetz and Wojciech Purczynski), Apr 21, 05:15


3. Impact
Proper exploitation of this vulnerability leads to local privilege escalation giving an attacker full super-user privileges. Unsuccessful exploitation of the vulnerability may lead to a denial-of-service attack causing machine crash or instant reboot.

4. Solution
This bug has been fixed in the 2.4.26 and 2.6.4 kernel releases. All users of vulnerable kernels are advised to upgrade to the latest kernel version. For further information please contact your vendor.
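
The advisory excerpt above names the bug class (an integer overflow in setsockopt's MCAST_MSFILTER handling) but not its mechanics. As an added illustration that is not the kernel's code or iSEC's, the C below shows the general pattern that class takes, a buffer size computed from a caller-supplied element count in 32-bit arithmetic, beside the checked form a fix uses. ELEM_SIZE, HEADER_SIZE, MAX_ELEMS and the probe count are constructed values for the example.

```c
/* Added illustration of the bug class, not the kernel's code. The sizes and
 * limits below are constructed for the example. */
#include <stdint.h>
#include <stdio.h>

#define ELEM_SIZE   16u     /* constructed: bytes per list element */
#define HEADER_SIZE 8u      /* constructed: fixed header in front of the list */
#define MAX_ELEMS   1024u   /* constructed: policy limit on list length */

/* Unchecked: header + count*elem computed in 32 bits, as on a 2004-era i386
 * kernel. For a large count the product wraps, so the caller allocates a
 * small buffer and then copies count*ELEM_SIZE bytes into it. */
uint32_t unchecked_size(uint32_t count)
{
    return HEADER_SIZE + count * ELEM_SIZE;
}

/* Checked: enforce the policy limit first, then prove the multiplication
 * cannot wrap before performing it. Returns 0 when the count is rejected. */
uint32_t checked_size(uint32_t count)
{
    if (count > MAX_ELEMS)
        return 0;
    if (count > (UINT32_MAX - HEADER_SIZE) / ELEM_SIZE)
        return 0;
    return HEADER_SIZE + count * ELEM_SIZE;
}

/* Returns 1 when the unchecked formula wrapped for this count, i.e. the
 * 32-bit result is smaller than the bytes a copy of 'count' elements needs. */
int unchecked_wrapped(uint32_t count)
{
    uint64_t needed = (uint64_t)HEADER_SIZE + (uint64_t)count * ELEM_SIZE;
    return (uint64_t)unchecked_size(count) != needed;
}

int main(void)
{
    uint32_t probe = 0x10000001u; /* constructed: count*16 exceeds 2^32 */
    printf("count=%u unchecked=%u wrapped=%d checked=%u\n",
           probe, unchecked_size(probe), unchecked_wrapped(probe),
           checked_size(probe));
    printf("count=%u unchecked=%u wrapped=%d checked=%u\n",
           4u, unchecked_size(4u), unchecked_wrapped(4u), checked_size(4u));
    return 0;
}
```

The point for reviewers of any copy-from-user path is the second check in checked_size: a range limit alone protects only if it is applied before the size arithmetic, and the arithmetic itself must be shown not to wrap for every count the limit admits.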

njbrain 04-26-2004 12:28 PM

Thanks unSpawn, I now upgraded my kernel.
Noah

unSpawn 04-26-2004 07:21 PM

setsockopt MCAST_MSFILTER temporary FIX
 
For those with valid reasons not to upgrade (are there any?) here's my testlog for the fix as presented on Bugtraq by nolife. Test ran in runlevel 1 as root on a 2.4.24-SMP Grsecurity reinforced kernel, without loading Grsec ACL's or sysctl's.

]# wget "http://sigsegv.cc/setsockopt.c" -O /tmp/setsockoptFIX.c
]# flawfinder /tmp/setsockoptFIX.c
No hits found.
]# vi /tmp/setsockoptFIX.c
]# telinit 1
Note I had to compile like this to have it work:
]# gcc -c -O3 -fomit-frame-pointer -I/lib/modules/$(uname -r)/build/include /tmp/setsockoptFIX.c -o /tmp/setsockoptFIX
]# insmod -v -n /tmp/setsockoptFIX
Using /tmp/setsockoptFIX
Symbol version prefix 'smp_'
]# insmod /tmp/setsockoptFIX
]# lsmod|grep setsockoptFIX
setsockoptFIX 1380 0 (unused)
Using Samhain's excellent kern_check:
]# kern_check /boot/System.map
WARNING: (kernel) 0xe09e7060 != 0xc0310740 (map) [sys_socketcall]
]# mount /tmp -o remount,exec && /tmp/setsockoptPOC
Calling setsockopt(), this should crash the box...
setsockopt exploit halted. abused by uid 0 with process setsockoptPOC
Invalid setsockopt: : No buffer space available
]# setsockopt exploit halted. abused by uid 0 with process setsockoptPOC
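
The kern_check line in the log above reports that the kernel's live address for sys_socketcall no longer matches the one in System.map, which is exactly what a module that replaces a syscall-table entry looks like to an integrity checker. As an added example, not Samhain's code and not the Bugtraq module, the C below models that comparison over two constructed symbol tables embedded inline; on a real system the "live" side would come from the running kernel (for example /proc/kallsyms on kernels that provide it, an assumption here) and the "map" side from the System.map built with that kernel.

```c
/* Added example modelling the System.map-vs-live comparison an integrity
 * checker performs. Both tables below are constructed sample input. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed: "addr type name" lines in System.map layout. The live table
 * reports a different address for sys_socketcall, modelling a hooked entry. */
static const char *SAMPLE_MAP =
    "c0310740 T sys_socketcall\n"
    "c0106a10 T sys_write\n"
    "c0107000 T sys_read\n";
static const char *SAMPLE_LIVE =
    "c0107000 T sys_read\n"
    "c0106a10 T sys_write\n"
    "e09e7060 T sys_socketcall\n";

/* Return the address recorded for 'name' in a table of "addr type name"
 * lines, or 0 if the symbol is absent. Exact name match only. */
unsigned long lookup_symbol(const char *table, const char *name)
{
    const char *p = table;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[256];
        if (len >= sizeof line)
            len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        char addr[32], sym[128];
        /* the type column is skipped with %*s */
        if (sscanf(line, "%31s %*s %127s", addr, sym) == 2 &&
            strcmp(sym, name) == 0)
            return strtoul(addr, NULL, 16);
        if (!nl)
            break;
        p = nl + 1;
    }
    return 0;
}

/* Compare one symbol between map and live table: 0 agree, 1 differ,
 * -1 when either side lacks the symbol. Addresses are returned for reporting. */
int check_symbol(const char *map, const char *live, const char *name,
                 unsigned long *map_addr, unsigned long *live_addr)
{
    unsigned long m = lookup_symbol(map, name);
    unsigned long l = lookup_symbol(live, name);
    if (map_addr) *map_addr = m;
    if (live_addr) *live_addr = l;
    if (m == 0 || l == 0)
        return -1;
    return m != l;
}

/* Walk every symbol in the map, print kern_check-style warnings for
 * mismatches, and return the number of mismatching symbols. */
int check_all(const char *map, const char *live)
{
    int mismatches = 0;
    const char *p = map;
    while (*p) {
        char addr[32], sym[128];
        if (sscanf(p, "%31s %*s %127s", addr, sym) == 2) {
            unsigned long m, l;
            int r = check_symbol(map, live, sym, &m, &l);
            if (r == 1) {
                printf("WARNING: (kernel) 0x%08lx != 0x%08lx (map) [%s]\n", l, m, sym);
                mismatches++;
            } else if (r == -1) {
                printf("NOTE: %s present on only one side\n", sym);
            }
        }
        const char *nl = strchr(p, '\n');
        if (!nl)
            break;
        p = nl + 1;
    }
    return mismatches;
}

int main(void)
{
    int n = check_all(SAMPLE_MAP, SAMPLE_LIVE);
    printf("%d mismatching symbol(s)\n", n);
    return n ? 1 : 0;
}
```

A mismatch is a finding to investigate rather than proof of compromise: the log above shows the same warning produced by the deliberately loaded fix module, so a checker run on a box carrying such a module needs a baseline taken after the legitimate modules are in place, and any later change from that baseline is what should page someone.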


dominant 04-28-2004 07:26 AM

Is there any patch for SUSE Distro yet?

unSpawn 05-04-2004 12:27 PM

Is there any patch for SUSE Distro yet?
I know reading is hard, but in the initial post it sez:
"4. Solution
This bug has been fixed in the 2.4.26 and 2.6.4 kernel releases. All users of vulnerable kernels are advised to upgrade to the latest kernel version."

dominant 05-04-2004 12:41 PM

SuSE finally released a kernel patch that fixes this and some other flaws/vulns as well.

Thanks for your response.

