Linux Kernel Random Poolsize SysCTL Handler Integer Overflow Vulnerability
BID:12196
Info
Linux Kernel Random Poolsize SysCTL Handler Integer Overflow Vulnerability
| Bugtraq ID: | 12196 |
| Class: | Boundary Condition Error |
| CVE: | |
| Remote: | No |
| Local: | Yes |
| Published: | Jan 07 2005 12:00AM |
| Updated: | Jan 07 2005 12:00AM |
| Credit: | Discovery of this vulnerability is credited to Brad Spengler <[email protected]>. |
| Vulnerable: |
Redhat Fedora Core3 Redhat Fedora Core2 Linux kernel 2.6.10 rc2 Linux kernel 2.6.10 Linux kernel 2.6.9 Linux kernel 2.6.8 rc3 Linux kernel 2.6.8 rc2 Linux kernel 2.6.8 rc1 Linux kernel 2.6.8 Linux kernel 2.6.7 rc1 Linux kernel 2.6.7 Linux kernel 2.6.6 rc1 Linux kernel 2.6.6 Linux kernel 2.6.5 Linux kernel 2.6.4 Linux kernel 2.6.3 Linux kernel 2.6.2 Linux kernel 2.6.1 -rc2 Linux kernel 2.6.1 -rc1 Linux kernel 2.6.1 Linux kernel 2.6 .10 Linux kernel 2.6 -test9-CVS Linux kernel 2.6 -test9 Linux kernel 2.6 -test8 Linux kernel 2.6 -test7 Linux kernel 2.6 -test6 Linux kernel 2.6 -test5 Linux kernel 2.6 -test4 Linux kernel 2.6 -test3 Linux kernel 2.6 -test2 Linux kernel 2.6 -test11 Linux kernel 2.6 -test10 Linux kernel 2.6 -test1 Linux kernel 2.6 Linux kernel 2.4.29 -rc2 Linux kernel 2.4.28 Linux kernel 2.4.27 -pre5 Linux kernel 2.4.27 -pre4 Linux kernel 2.4.27 -pre3 Linux kernel 2.4.27 -pre2 Linux kernel 2.4.27 -pre1 Linux kernel 2.4.27 Linux kernel 2.4.26 Linux kernel 2.4.25 Linux kernel 2.4.24 -ow1 Linux kernel 2.4.24 Linux kernel 2.4.23 -pre9 Linux kernel 2.4.23 -ow2 Linux kernel 2.4.23 Linux kernel 2.4.22 Linux kernel 2.4.21 pre7 Linux kernel 2.4.21 pre4 Linux kernel 2.4.21 pre1 Linux kernel 2.4.21 Linux kernel 2.4.20 Linux kernel 2.4.19 -pre6 Linux kernel 2.4.19 -pre5 Linux kernel 2.4.19 -pre4 Linux kernel 2.4.19 -pre3 Linux kernel 2.4.19 -pre2 Linux kernel 2.4.19 -pre1 Linux kernel 2.4.19 Linux kernel 2.4.18 pre-8 Linux kernel 2.4.18 pre-7 Linux kernel 2.4.18 pre-6 Linux kernel 2.4.18 pre-5 Linux kernel 2.4.18 pre-4 Linux kernel 2.4.18 pre-3 Linux kernel 2.4.18 pre-2 Linux kernel 2.4.18 pre-1 Linux kernel 2.4.18 x86 Linux kernel 2.4.18 Linux kernel 2.4.17 Linux kernel 2.4.16 Linux kernel 2.4.15 Linux kernel 2.4.14 Linux kernel 2.4.13 Linux kernel 2.4.12 Linux kernel 2.4.11 Linux kernel 2.4.10 Linux kernel 2.4.9 Linux kernel 2.4.8 Linux kernel 2.4.7 Linux kernel 2.4.6 Linux kernel 2.4.5 Linux kernel 2.4.4 Linux kernel 2.4.3 Linux kernel 2.4.2 Linux kernel 2.4.1 Linux kernel 2.4 .0-test9 Linux kernel 2.4 .0-test8 Linux kernel 2.4 .0-test7 Linux kernel 2.4 .0-test6 Linux kernel 2.4 .0-test5 Linux kernel 2.4 .0-test4 Linux kernel 2.4 .0-test3 Linux kernel 2.4 .0-test2 Linux kernel 2.4 .0-test12 Linux kernel 2.4 .0-test11 Linux kernel 2.4 .0-test10 Linux kernel 2.4 .0-test1 Linux kernel 2.4 |
| Not Vulnerable: | |
Discussion
Linux Kernel Random Poolsize SysCTL Handler Integer Overflow Vulnerability
The Linux Kernel is reported prone to a local integer overflow vulnerability. The issue occurs in the 'poolsize_strategy' function of the 'random.c' kernel driver.
The vulnerability exists due to a lack of sufficient sanitization performed on integer values before these values are employed as the size argument of a user-land to kernel memory copy operation.
This vulnerability may be leveraged to corrupt kernel memory and ultimately execute arbitrary code with ring-0 privileges. Alternatively, the issue may be exploited to trigger a kernel panic.
It is reported that a user must have UID 0 to exploit this issue, however the user does not require superuser privileges. This may hinder exploitability.
The Linux Kernel is reported prone to a local integer overflow vulnerability. The issue occurs in the 'poolsize_strategy' function of the 'random.c' kernel driver.
The vulnerability exists due to a lack of sufficient sanitization performed on integer values before these values are employed as the size argument of a user-land to kernel memory copy operation.
This vulnerability may be leveraged to corrupt kernel memory and ultimately execute arbitrary code with ring-0 privileges. Alternatively, the issue may be exploited to trigger a kernel panic.
It is reported that a user must have UID 0 to exploit this issue, however the user does not require superuser privileges. This may hinder exploitability.
Exploit / POC
Linux Kernel Random Poolsize SysCTL Handler Integer Overflow Vulnerability
The following proof of concept denial of service exploit is available:
The following proof of concept denial of service exploit is available:
Solution / Fix
Linux Kernel Random Poolsize SysCTL Handler Integer Overflow Vulnerability
Solution:
RedHat has released two advisories called FEDORA-2005-013 and FEDORA-2005-014 to address this, and other issues for Fedora Core 2 and 3. Please see the referenced advisories for further information.
Linux kernel 2.6.9
Solution:
RedHat has released two advisories called FEDORA-2005-013 and FEDORA-2005-014 to address this, and other issues for Fedora Core 2 and 3. Please see the referenced advisories for further information.
Linux kernel 2.6.9
-
Fedora kernel-2.6.10-1.737_FC3.i586.rpm
RedHat Fedora Core 3
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/ -
Fedora kernel-2.6.10-1.737_FC3.i686.rpm
RedHat Fedora Core 3
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/ -
Fedora kernel-2.6.10-1.737_FC3.x86_64.rpm
RedHat Fedora Core 3
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/ -
Fedora kernel-debuginfo-2.6.10-1.737_FC3.i586.rpm
RedHat Fedora Core 3
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/ -
Fedora kernel-debuginfo-2.6.10-1.737_FC3.i686.rpm
RedHat Fedora Core 3
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/ -
Fedora kernel-debuginfo-2.6.10-1.737_FC3.x86_64.rpm
RedHat Fedora Core 3
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/ -
Fedora kernel-doc-2.6.10-1.737_FC3.noarch.rpm
RedHat Fedora Core 3
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/ -
Fedora kernel-smp-2.6.10-1.737_FC3.i586.rpm
RedHat Fedora Core 3
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/ -
Fedora kernel-smp-2.6.10-1.737_FC3.i686.rpm
RedHat Fedora Core 3
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/ -
Fedora kernel-smp-2.6.10-1.737_FC3.x86_64.rpm
RedHat Fedora Core 3
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/
References
Linux Kernel Random Poolsize SysCTL Handler Integer Overflow Vulnerability
References:
References:
- kernel.org Homepage. (Linux Kernel)
- grsecurity 2.1.0 release / 5 Linux kernel advisories ([email protected] (Brad Spengler))