<<< Date Index >>>     <<< Thread Index >>>

[TKADV2008-007] Linux Kernel SCTP-AUTH API Information Disclosure Vulnerability and NULL Pointer Dereferences



Please find attached a detailed advisory of the vulnerabilities.

Alternatively, the advisory can also be found at:
http://www.trapkit.de/advisories/TKADV2008-007.txt
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Advisory:               Linux Kernel SCTP-AUTH API Information Disclosure 
                        Vulnerability and NULL Pointer Dereferences
Advisory ID:            TKADV2008-007
Revision:               1.1
Release Date:           2008/09/09
Last Modified:          2008/09/10
Date Reported:          2008/08/20
Author:                 Tobias Klein (tk at trapkit.de)
Affected Software:      Linux Kernel <= 2.6.26.4
Remotely Exploitable:   No
Locally Exploitable:    Yes
Vendor URL:             http://www.kernel.org/
Vendor Status:          Vendor has released a fixed version
CVE-ID:                 CVE-2008-3792
Patch development time: 1 day


======================
Vulnerability details:
======================

The Linux Kernel contains an information disclosure vulnerability while 
parsing the IOCTL SCTP_HMAC_IDENT. Exploitation of this vulnerability can 
allow a local unprivileged attacker to gain access to sensitive data. 

Additionally, there are various NULL pointer dereferences in the SCTP-AUTH
API. All of the SCTP-AUTH socket options could cause a kernel panic if the 
extension is disabled and the API is envoked. Exploitation of these
vulnerabilities can allow an unprivileged attacker to crash the system 
(Denial of Service).


======================
Technical description:
======================

- From source code file: net/sctp/socket.c

[...]
SCTP_STATIC int sctp_getsockopt(struct sock *sk, int level, int optname,
                                char __user *optval, int __user *optlen)
{
        int retval = 0;
        int len;
[...]
        if (get_user(len, optlen))  <-- [1]
                return -EFAULT;
[...]
        case SCTP_HMAC_IDENT:
                retval = sctp_getsockopt_hmac_ident(sk, len, optval, optlen);  
<-- [2]
                break;
[...]

[1] The user controlled value of "optlen" is copied into "len"
[2] "len" is used as a parameter for the function 
    "sctp_getsockopt_hmac_ident()"


{...]
static int sctp_getsockopt_hmac_ident(struct sock *sk, int len,
                                    char __user *optval, int __user *optlen)
{
        struct sctp_hmac_algo_param *hmacs;
        __u16 param_len;

        hmacs = sctp_sk(sk)->ep->auth_hmacs_list;  <-- [3]
        param_len = ntohs(hmacs->param_hdr.length); <-- [4]

        if (len < param_len)  <-- [5]
                return -EINVAL;
        if (put_user(len, optlen))
                return -EFAULT;
        if (copy_to_user(optval, hmacs->hmac_ids, len))  <-- [6]
                return -EFAULT;

        return 0;
}
[...]

If SCTP authentication is disabled (net.sctp.auth_enable=0):

[3] "hmacs" gets NULL
[4] "hmacs->param_hdr.length" leads to a NULL pointer dereference

That's one example of the mentioned NULL pointer dereferences in the 
SCTP-AUTH API. For more examples see [1].

If SCTP authentication is enabled (net.sctp.auth_enable=1):

[3] "hmacs" gets a valid value
[4] "param_len" gets a valid value
[5] The length check can be easily passed as "len" is user controlled
[6] "len" is a user controlled value, therefore it is possible to control 
    the number of bytes that get copied back to the user

As "len" isn't validated at all an unprivileged user can read arbitrary 
data from memory.


=========
Solution:
=========

The Linux Kernel maintainers have addressed these vulnerabilities within
version 2.6.26.4. More information can be found from the URLs shown below.

http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.26.4

http://git.kernel.org/?p=linux/kernel/git/stable/linux-
2.6.26.y.git;a=commit;h=be9467bd75b522a3db0369c12db739f797cfec6a


========
History:
========

  2008/08/20 - Initial notification of kernel maintainers
  2008/08/20 - Initial response from kernel maintainers
  2008/09/08 - Fix provided
  2008/09/09 - Public disclosure


========
Credits:
========

  Vulnerabilities found and advisory written by Tobias Klein.


===========
References:
===========

  [1] http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.26.y.git
      ;a=commit;h=be9467bd75b522a3db0369c12db739f797cfec6a
  [2] http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.26.4
  [3] http://www.trapkit.de/advisories/TKADV2008-007.txt


========
Changes:
========

  Revision 0.1 - Initial draft release to the vendor
  Revision 1.0 - Public release
  Revision 1.1 - Adjusted patch development time (thanks to Eugene Teo
                 for pointing this out) and added CVE-ID.


===========
Disclaimer:
===========

The information within this advisory may change without notice. Use 
of this information constitutes acceptance for use in an AS IS 
condition. There are no warranties, implied or express, with regard 
to this information. In no event shall the author be liable for any 
direct or indirect damages whatsoever arising out of or in connection 
with the use or spread of this information. Any use of this 
information is at the user's own risk. 


==================
PGP Signature Key:
==================

  http://www.trapkit.de/advisories/tk-advisories-signature-key.asc


Copyright 2008 Tobias Klein. All rights reserved.


-----BEGIN PGP SIGNATURE-----

wj8DBQFIyYqYkXxgcAIbhEERAuRXAJ4nWWaP5eHjDX+CG1TvoiPfR7CSoQCeLFtz
Q+QTUjS3QmQmg7E+MiZN+3Y=
=zxgA
-----END PGP SIGNATURE-----