[23938] in bugtraq
Re: remote memory reading through tcp/icmp
daemon@ATHENA.MIT.EDU (Andi Kleen)
Tue Jan 22 14:12:57 2002
To: "Andrew Griffiths" <andrewg@tasmail.com>
Cc: bugtraq@securityfocus.com
From: Andi Kleen <ak@suse.de>
Date: 20 Jan 2002 23:46:12 +0100
In-Reply-To: "Andrew Griffiths"'s message of "20 Jan 2002 23:04:26 +0100"
Message-ID: <p73r8ok7ia3.fsf@oldwotan.suse.de>
"Andrew Griffiths" <andrewg@tasmail.com> writes:
> Greets: (in no particular order)
>
> Marty (and others for their brilliant work with Snort)
> Fyodor (for nmap)
> LBNL Network Research Group
> zen-parse [4] and jaguar for looking over this and suggesting
> improvements.
>
> It is possible to read parts of a remote machine's memory. To be specific,
> it would have to be memory recently freed/swapped to disk. Consider this
> for example:
[...]
Here is a patch for Linux 2.4 to fix the problem.
>
> AFFECTED:
>
> I assume it would be any OS that includes more than the IP addresses/ports.
It's only an implementation bug in Linux, likely not a generic problem.
-Andi
--- linux-work/net/ipv4/icmp.c-o Tue Jan 15 11:05:17 2002
+++ linux-work/net/ipv4/icmp.c Sun Jan 20 23:31:29 2002
@@ -495,7 +495,7 @@
icmp_param.data.icmph.checksum=0;
icmp_param.csum=0;
icmp_param.skb=skb_in;
- icmp_param.offset=skb_in->nh.raw - skb_in->data;
+ icmp_param.offset=skb_in->data - skb_in->nh.raw;
icmp_out_count(icmp_param.data.icmph.type);
icmp_socket->sk->protinfo.af_inet.tos = tos;
ipc.addr = iph->saddr;
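Review bot: the one-line change to icmp_param.offset reverses the direction of the pointer difference (it is now skb_in->data minus the network header rather than the network header minus skb_in->data), but neither the hunk nor the mail states the invariant this depends on, namely where skb_in->data sits relative to skb_in->nh.raw when icmp_send is entered and in which direction the consumer of icmp_param.offset (outside this hunk, where the offending packet is copied into the error message and the quoted length is derived) measures that offset. Please add a comment on the changed line documenting that direction, and state in the changelog which callers were exercised: for any caller that enters with skb_in->data equal to nh.raw both expressions evaluate to 0, so only a caller whose data pointer has already been advanced past the IP header distinguishes the two, and that is exactly the case in which the wrong sign makes the copy start or extend outside the original packet's bytes. It is also worth confirming that the field's type is signed, since a negative pointer difference stored into an unsigned offset would wrap rather than select the intended start.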
--- linux-work/net/ipv6/icmp.c-o Thu Sep 20 23:12:56 2001
+++ linux-work/net/ipv6/icmp.c Sun Jan 20 23:40:03 2002
@@ -361,7 +361,7 @@
msg.icmph.icmp6_pointer = htonl(info);
msg.skb = skb;
- msg.offset = skb->nh.raw - skb->data;
+ msg.offset = skb->data - skb->nh.raw;
msg.csum = 0;
msg.daddr = &hdr->saddr;
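Review bot: this IPv6 hunk makes the same operand swap for msg.offset as the IPv4 one, and the same gap applies: the code that consumes msg.offset when building the error message is outside the hunk, so a comment on the changed line stating which way the offset is measured (and that it must agree with the IPv4 convention, since both were changed together) would let a reader verify the fix without reading the glue code. As with IPv4, callers that reach this point with skb->data still at nh.raw produce 0 under both forms, so the changelog should note that a caller with an already-pulled network header was tested.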