[37713] in bugtraq
Re: Linux kernel IGMP vulnerabilities
daemon@ATHENA.MIT.EDU (Pekka Savola)
Tue Dec 14 16:53:06 2004
Date: Tue, 14 Dec 2004 19:16:39 +0200 (EET)
From: Pekka Savola <pekkas@netcore.fi>
To: security@isec.pl
Cc: bugtraq@securityfocus.com, vulnwatch@vulnwatch.org,
full-disclosure@lists.netsys.com
In-Reply-To: <Pine.LNX.4.44.0412141125500.1042-100000@isec.pl>
Message-ID: <Pine.LNX.4.61.0412141909120.27442@netcore.fi>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
Hi,
On Tue, 14 Dec 2004, Paul Starzetz wrote:
>
> Synopsis: Linux kernel IGMP vulnerabilities
> Product: Linux kernel
> Version: 2.4 up to and including 2.4.28, 2.6 up to and including 2.6.9
[...]
> Both parts of the IGMP subsystem have exploitable flaws:
>
> (1) the ip_mc_source() function, that can be called through the user API
> (the IP_(UN)BLOCK_SOURCE, IP_ADD/DROP_SOURCE_MEMBERSHIP as well as
> MCAST_(UN)BLOCK_SOURCE and MCAST_JOIN/LEAVE_SOURCE_GROUP socket SOL_IP
> level options) suffers from a serious kernel hang and kernel memory
> overwrite problem.
[...]
Does this also affect earlier 2.4 releases which did not yet
incorporate IGMPv3? If so, to which extent? AFAIR, IGMPv3/MLDv2 was
added in 2.4.22.
At least the PoC requires *_(UN)BLOCK_SOURCE APIs which were added
with IGMPv3.
As far as I can see (a very quick look), 2.4 prior to 2.4.22 should
not be (at least similarly) affected.
--
Pekka Savola "You each name yourselves king, yet the
Netcore Oy kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
