Synopsis: Linux kernel setsockopt MCAST_MSFILTER integer overflow Product: Linux kernel Version: 2.4.22 - 2.4.25, 2.6.1 - 2.6.3 Vendor: http://www.kernel.org/ URL: http://isec.pl/vulnerabilities/isec-0015-msfilter.txt Author: Paul Starzetz Wojciech Purczynski Date: April 20, 2004 1. Issue A critical security vulnerability has been found in the Linux kernel in the ip_setsockopt() function code. 2. Details The ip_setsockopt() function code is a subroutine of the setsockopt(2) system call. This function allows manipulation of various options of the IP socket. The MCAST_MSFILTER option can be used to provide the kernel with a list of multicast addresses to be received on the socket. This code has been introduced with the 2.4.22/2.6.1 kernel releases. There is an exploitable integer overflow inside the code handling the MCAST_MSFILTER socket option in the IP_MSFILTER_SIZE macro calculation. The vulnerable code resides in net/ipv4/ip_sockglue.c file: case MCAST_MSFILTER: { /* ... */ msize = IP_MSFILTER_SIZE(gsf->gf_numsrc); msf = (struct ip_msfilter *)kmalloc(msize,GFP_KERNEL); /* ... */ for (i=0; igf_numsrc; ++i) { psin = (struct sockaddr_in *)&gsf->gf_slist[i]; if (psin->sin_family != AF_INET) goto mc_msf_out; msf->imsf_slist[i] = psin->sin_addr.s_addr; } whereas the IP_MSFILTER_SIZE macro is defined as follows: #define IP_MSFILTER_SIZE(numsrc) \ (sizeof(struct ip_msfilter) - sizeof(__u32) \ + (numsrc) * sizeof(__u32)) Integer overflow during kernel memory space calculation may cause the kernel buffer to be overflown with arbitrary values within the for loop code. 3. Impact Proper exploitation of this vulnerability leads to local privilege escalation giving an attacker full super-user privileges. Unsuccesfull exploitation of the vulnerability may lead to a denial-of-service attack causing machine crash or instant reboot. 4. Solution This bug has been fixed in the 2.4.26 and 2.6.4 kernel releases. All users of vulnerable kernels are advised to upgrade to the latest kernel version. For further information please contact your vendor. 5. Credits: Paul Starzetz discovered the vulnerability over half a year ago. Wojciech Purczynski performed further research and developed exploit code. 6. Copyright Copyright (c) 2004 iSEC Security Research All Rights Reserved. 7. Disclaimer This document and all the information it contains are provided "as is", for educational purposes only, without warranty of any kind, whether express or implied. All the content presented here my be subject of future modifications and updates without prior notice. The authors reserve the right not to be responsible for the topicality correctness, completeness or quality of the information provided in this document. Liability claims regarding damage caused by the use of any information provided, including any kind of information which is incomplete or incorrect, will therefore be rejected.