[37750] in bugtraq
Re: Linux kernel IGMP vulnerabilities
daemon@ATHENA.MIT.EDU (matthew-bugtraq@newtoncomputing.co)
Wed Dec 15 19:40:57 2004
Date: Wed, 15 Dec 2004 22:41:50 +0000
From: matthew-bugtraq@newtoncomputing.co.uk
To: Paul Starzetz <ihaquer@isec.pl>
Cc: stephen joseph butler <stephen.butler@gmail.com>, security@isec.pl,
bugtraq@securityfocus.com
Message-ID: <20041215224150.GA25687@newtoncomputing.co.uk>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <Pine.LNX.4.44.0412151331480.1826-100000@isec.pl>
X-SA-Exim-Mail-From: matthew-bugtraq@newtoncomputing.co.uk
On Wed, Dec 15, 2004 at 01:34:33PM +0100, Paul Starzetz wrote:
> On Tue, 14 Dec 2004, stephen joseph butler wrote:
>
> > > /proc/net/igmp
> > > /proc/net/mcfilter
> > >
> > > if both exist and are non-empty you are vulnerable!
> >
> > Just to be clear: if "mcfilter" is empty, then you aren't vulnerable?
> > I have both files, and "igmp" contains data, but "mcfilter" is empty.
>
> You are not vulnerable to the remote attack described under (3), however
> your kernel may be still buggy. Note that you need a running process that
> has manipulated its multicast socket filters. If your kernel is buggy and
> you have local users such an application can always appear, at a time you
> don't expect it.
This afternoon I tried the exploit on my machine, which has exactly those
symptoms (data in igmp, mcfilter empty). It froze solid, hard power-cycle
required.
--
Matthew
