Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Exploits-HackingTools
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[UNIX] Linux Kernel cpuset tasks Information Disclosure Vulnerability

from [SecuriTeam] Network Security [Permanent Link]
Subject: [UNIX] Linux Kernel cpuset tasks Information Disclosure Vulnerability
Date: 11 Jun 2007 09:57:24 +0200 
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  Linux Kernel cpuset tasks Information Disclosure Vulnerability
------------------------------------------------------------------------


SUMMARY

Linux is "a clone of the UNIX operating system, written from scratch by 
Linus Torvalds with assistance from a loosely-knit team of hackers across 
the Internet. The cpuset functionality allows process to be assigned to 
processors on multi-processor machines".

Local exploitation of an information disclosure vulnerability within the 
Linux Kernel allows attackers to obtain sensitive information from kernel 
memory.

DETAILS

Vulnerable Systems:
 * Linux Kernel version 2.6.20 installed with Fedora CORE 6.
 * It is suspected that previous versions, at least until 2.6.12, are also 
vulnerable.

This vulnerability specifically exists in the "cpuset_tasks_read" 
function. This function is responsible for supplying user-land processes 
with data when they read from the /dev/cpuset/tasks file. The code excerpt 
below shows the problem area.

  1754          if (*ppos + nbytes > ctr->bufsz)
  1755                  nbytes = ctr->bufsz - *ppos;
  1756          if (copy_to_user(buf, ctr->buf + *ppos, nbytes))

By reading from an offset (*ppos) larger than the contents of the file, an 
attacker can cause an integer underflow to occur in the subtraction on 
line 1755. This will result in the "copy_to_user" function on line 1756 to 
be called with a memory address located at a lower address than the start 
of the intended buffer. This memory could potentially contain sensitive 
information such as security tokens or passwords.

Exploitation of this vulnerability allows attackers to obtain sensitive 
information from kernel memory.

In order to exploit this vulnerability, an attacker would need access to 
open the /dev/cpuset/tasks file. It is important to note that this file 
does not exist unless the cpuset file system has been mounted. 
Additionally, this functionality is not included by default in a vanilla 
kernel build.

Furthermore, because of checks at the VFS layer and in the 
'copy_to_user()' function, an attacker cannot use arbitrary values. 
However, on 32-bit systems it is easily exploitable.

Workaround:
In order to prevent exploitation of this vulnerability, discontinue use of 
the cpuset file system. This can be accomplished by un-mounting the file 
system using the "umount" command.

Vendor Status:
The Linux kernel team has released versions 2.6.20.13 and 2.6.21.4 to 
address this vulnerability. More information can be found via the 
following URLs.
 <http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.20.13> 
http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.20.13
 <http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.21.4> 
http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.21.4

CVE Information:
 <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2875> 
CVE-2007-2875

Disclosure Timeline:
 * 04/27/2007 - Initial vendor notification
 * 06/04/2007 - Second vendor notification
 * 06/04/2007 - Initial vendor response
 * 06/07/2007 - Coordinated public disclosure


ADDITIONAL INFORMATION

The information has been provided by iDefense.
The original article can be found at:
 
<http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=541> 
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=541



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: 
list-unsubscribe@securiteam.com 
In order to subscribe to the mailing list, simply forward this email to: 
list-subscribe@securiteam.com 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages.
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [UNIX] Linux Kernel cpuset tasks Information Disclosure Vulnerability, SecuriTeam <=
Previous by Date:  [UNIX] JFFNMS Multiple Vulnerabilities, SecuriTeam
Next by Date:  [UNIX] Packeteer PacketShaper Web Management DoS, SecuriTeam
Previous by Thread:  [UNIX] JFFNMS Multiple Vulnerabilities, SecuriTeam
Next by Thread:  [UNIX] Packeteer PacketShaper Web Management DoS, SecuriTeam
Indexes:  [Date] [Thread] [Top] [All Lists]