A survey of recent kernel vulnerabilities

There has been a fairly long list of kernel vulnerabilities over the last few months, but few of them have received much serious attention (outside of the security groups at numerous distributors, who have been duly issuing patches as the issues come up). Here's a selection of recent problems.

The session keyring code had an error path which could fail to release the session management semaphore. As a result, any local user could cause processes to hang.
A keyring which failed to instantiate correctly could leave behind a NULL pointer which would subsequently be dereferenced by the kernel, causing an oops.
CAN-2005-1761 A ptrace() bug on the ia64 architecture enables local denial of service attacks. (Patch)
CAN-2005-1913 The subthread exec code did not properly reparent timers, leading to an oops caused by a local user when signals are delivered to the wrong thread. (Patch)
CAN-2005-2456 2.6.13 The XFRM policy parser had an array overflow, enabling denial of service attacks by local users. (Patch)
CAN-2005-2457 2.6.13 Mounting a malicious compressed ISO filesystem could lead to a kernel oops
2.6.13 Two zlib vulnerabilities which can be used to oops the kernel and create denial of service attacks.
CAN-2005-2490 A race condition with user space allows a local attacker to change the contents of a message passed to the 32-bit version of sendmsg() on 64-bit architectures. The result is a locally exploitable buffer overflow. (Patch)
CAN-2005-2492 An unchecked user-space dereference in sendmsg() can be exploited to oops the system. (Patch)
CAN-2005-2548 2.6.9 A hostile UDP packet could cause the 8021Q VLAN code to oops, leading to remote denial of service attacks.
CAN-2005-2555 2.6.13 The kernel failed to restrict kernel socket policy loading to administrative users. (Patch)
CAN-2005-3044 The 32-bit ioctl() handler on x86-64 was missing an fput() call. This error could be exploited by a local attacker to corrupt kernel data structures. (Patch)
CAN-2005-3053 2.6.13 The set_mempolicy() system call, used to tweak memory behavior on NUMA systems, did not properly check the policy argument. A local attacker could cause a kernel oops by supplying a negative value. (Patch)
CAN-2005-3106 2.6.11 A race condition between core dumps and exec() could enable a local attacker to deadlock the system. (Patch)
CAN-2005-3107 2.6.11 Another local deadlock related to core dumps and ptrace(). (Patch)
CAN-2005-3108 2.6.11 The right sort of I/O mapping could create information leaks and kernel oopses on the x86-64 platform. It is hard to see how this one could be exploited by an unprivileged user. (Patch)
CAN-2005-3109 2.6.11 A maliciously created HFS filesystem could oops the kernel, if the system was configured to allow users to mount such filesystems. (Patch)
CAN-2005-3110 2.6.12 A race condition in the netfilter ebtables module can cause a kernel oops on SMP systems. (Patch)
CAN-2005-3119 A memory leak in the key request code could be used in denial of service attacks. (Patch)
CAN-2005-3180 The orinoco driver can leak information onto the net. (Patch)
CAN-2005-3181 A memory leak in the audit code can be used for denial of service attacks. (Patch)
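The CAN-2005-2490 entry above describes a check-then-use race: the kernel validated a length read from memory that user space still controlled, then read the field again when copying. The following is an added example, not code from the Linux kernel or from the 2.6.13.1 fix: a user-space model of that "double fetch" and of the single-copy pattern that closes it. The race is made deterministic with a hook called between the two accesses, and every name and size (user_msg, KBUF_SIZE, the 192/40-byte figures) is hypothetical.

```c
/* Added example, not Linux kernel code: a user-space model of the
 * check-then-use race ("double fetch") behind CAN-2005-2490.  The handler
 * validates a length read from memory that user space still controls, then
 * reads the same field again when copying.  A racing thread that changes
 * the field between the two reads defeats the check.  The race is made
 * deterministic here with a hook called between the two accesses; all
 * names and sizes are hypothetical. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KBUF_SIZE 16          /* hypothetical fixed kernel-side buffer */

struct user_msg {             /* hypothetical user-supplied header */
    uint32_t len;             /* bytes of data[] the caller wants sent */
    char     data[64];
};

typedef void (*race_hook_t)(struct user_msg *um);
typedef int (*handler_t)(const struct user_msg *um, race_hook_t race,
                         char *kbuf);

/* Vulnerable: the length is fetched twice from user memory. */
int vuln_recv(const struct user_msg *um, race_hook_t race, char *kbuf)
{
    uint32_t len = um->len;                    /* fetch #1: checked */
    if (len > KBUF_SIZE)
        return -1;
    if (race)
        race((struct user_msg *)um);           /* attacker wins the race */
    memcpy(kbuf, um->data, um->len);           /* fetch #2: used, unchecked */
    return (int)um->len;
}

/* Fixed: copy the header once (copy_from_user() in a real kernel), then
 * check and use only the private copy.  User space can no longer change
 * what was validated. */
int safe_recv(const struct user_msg *um, race_hook_t race, char *kbuf)
{
    struct user_msg copy;
    memcpy(&copy, um, sizeof copy);            /* single fetch */
    if (race)
        race((struct user_msg *)um);           /* too late to matter */
    if (copy.len > KBUF_SIZE)
        return -1;
    memcpy(kbuf, copy.data, copy.len);
    return (int)copy.len;
}

/* Stands in for the concurrent user-space thread: bump the length after
 * it has been checked. */
static void attacker_bump_len(struct user_msg *um)
{
    um->len = 40;
}

static const unsigned char canary[4] = { 0xde, 0xad, 0xbe, 0xef };

/* Runs one handler against a kernel "stack" laid out as
 * [kbuf | canary | slack]; returns 1 if the canary was overwritten,
 * i.e. the copy ran past the buffer.  The slack keeps the demo inside
 * the array so the overflow can be observed without crashing. */
int overflows(handler_t handler)
{
    struct user_msg um;
    char kstack[KBUF_SIZE + sizeof canary + sizeof um.data];

    memset(&um, 0, sizeof um);
    um.len = 8;                                /* passes the check */
    memset(um.data, 'A', sizeof um.data);
    memset(kstack, 0, sizeof kstack);
    memcpy(kstack + KBUF_SIZE, canary, sizeof canary);

    handler(&um, attacker_bump_len, kstack);
    return memcmp(kstack + KBUF_SIZE, canary, sizeof canary) != 0;
}

int main(void)
{
    printf("vuln_recv overflows: %d\n", overflows(vuln_recv));  /* 1 */
    printf("safe_recv overflows: %d\n", overflows(safe_recv));  /* 0 */
    return 0;
}
```

The point of the fixed version is not the extra check but the single copy: once the header lives in kernel-owned memory, the window between validation and use is gone. The same rule applies to any structure handed over from user space, including the iovec arrays that the compat sendmsg() path walks.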

That is a long list of vulnerabilities. The fact that almost all of them are "only" denial of service problems, and that only one of those is truly remotely exploitable, is of limited consolation.

One may well wonder why the kernel is the source of so many security holes, far more than any other package on the system. The complexity of the kernel and the environment in which it runs, the fact that many often-harmless bugs (such as memory leaks) turn into security issues for the kernel, and the high level of auditing which is done on kernel code are all part of the answer to that question. Unfortunately, the flow of security issues in the kernel is unlikely to stop anytime soon.

EFF decodes color printer watermarks

It has been known for some time that high-resolution color printers added codes to their output which would enable that output to be traced. The EFF has now found and decoded those marks for a number of popular printers. It turns out that the scheme used is fairly simple - an unencrypted code which includes the printing time and the serial number of the printer. See the EFF's printer list to see if your printer encodes this information, and this page to learn how to find and decode the markings.

The moral of the story is clear: if we do not control our devices, they will not work in our interests. There are plenty of good reasons for wanting to be able to print anonymously, and there is no doubt that this sort of watermarking can be used for the suppression of dissent and the shutting down of whistle-blowers. Thanks to the EFF, we can at least see this particular bit of technological ratware. But, as the EFF says: "Even worse, it shows how the government and private industry make backroom deals to weaken our privacy by compromising everyday equipment like printers. The logical next question is: what other deals have been or are being made to ensure that our technology rats on us?"

Brief items

CERT advisory: Snort Back Orifice buffer overflow

If you are running the Snort intrusion detection system with the "Back Orifice" preprocessor enabled, you will want to read the attached advisory (click below). The preprocessor suffers from a buffer overflow which can be exploited by any remote attacker who can get a UDP packet onto your network. The hole can be closed by upgrading to Snort 2.4.3, or by disabling the Back Orifice preprocessor.

New vulnerabilities

curl/wget: NTLM username buffer overflow

Package(s):curl wget CVE #(s):CAN-2005-3185
Created:October 14, 2005 Updated:November 7, 2005
Description: libcurl's NTLM code can overflow a stack-based buffer if it is given too long a user name or domain name. This happens when NTLM authentication is enabled and either a) the application passes a user and domain name to libcurl that together are longer than 192 bytes, or b) (lib)curl is allowed to follow HTTP redirects and the new URL contains a user and domain name that together are longer than 192 bytes. See this iDEFENSE Labs advisory for more details.
Slackware SSA:2005-310-01 curl 2005-11-07
Red Hat RHSA-2005:812-00 wget 2005-11-02
Red Hat RHSA-2005:807-00 curl 2005-11-02
SuSE SUSE-SA:2005:063 curl, 2005-10-24
Gentoo 200510-19 curl 2005-10-22
Fedora FEDORA-2005-1000 curl 2005-10-18
Fedora FEDORA-2005-996 wget 2005-10-17
Ubuntu USN-205-1 curl, wget 2005-10-14
Mandriva MDKSA-2005:183 wget 2005-10-13
Mandriva MDKSA-2005:182 curl 2005-10-13

lynx: stack overflow

Package(s):lynx CVE #(s):CAN-2005-3120
Created:October 17, 2005 Updated:November 7, 2005
Description: Ulf Harnhammar discovered a stack overflow bug in Lynx when handling connections to NNTP (news) servers. An attacker could create a web page redirecting to a malicious news server which could execute arbitrary code as the user running lynx.
Slackware SSA:2005-310-03 lynx 2005-11-07
Ubuntu USN-206-2 lynx 2005-10-29
Mandriva MDKSA-2005:186-1 lynx 2005-10-26
Debian DSA-876-1 lynx-ssl 2005-10-27
Debian DSA-874-1 lynx 2005-10-27
Mandriva MDKSA-2005:186 lynx 2005-10-17
Fedora FEDORA-2005-994 lynx 2005-10-17
Fedora FEDORA-2005-993 lynx 2005-10-17
Gentoo 200510-15 lynx 2005-10-17
Ubuntu USN-206-1 lynx 2005-10-17
Red Hat RHSA-2005:803-01 lynx 2005-10-17

netpbm: buffer overflow in "pnmtopng"

Package(s):netpbm-free CVE #(s):CAN-2005-2978
Created:October 18, 2005 Updated:October 28, 2005
Description: A buffer overflow was found in the "pnmtopng" conversion program. By tricking a user (or an automated system) into processing a specially crafted PNM image with pnmtopng, an attacker could execute arbitrary code with the privileges of the user running pnmtopng.
Debian DSA-878-1 netpbm-free 2005-10-28
Mandriva MDKSA-2005:199 netpbm 2005-10-26
SuSE SUSE-SR:2005:024 multi 2005-10-21
Gentoo 200510-18 netpbm 2005-10-20
Red Hat RHSA-2005:793-01 netpbm 2005-10-18
Ubuntu USN-210-1 netpbm-free 2005-10-18

OpenWBEM: arbitrary code execution

Package(s):OpenWBEM CVE #(s):
Created:October 17, 2005 Updated:October 19, 2005
Description: The SUSE Security Team performed a security review of important parts of the OpenWBEM system. During the audit, several integer wraparounds and buffer overflows were discovered and fixed. If exploited, they allow remote attackers to execute arbitrary code with root privileges.
SuSE SUSE-SA:2005:060 OpenWBEM 2005-10-17

Perl, Qt-UnixODBC, CMake: RUNPATH issues

Package(s):perl qt-unixodbc CMake CVE #(s):
Created:October 17, 2005 Updated:October 19, 2005
Description: Some packages may introduce insecure paths into the list of directories that are searched for libraries at runtime. Furthermore, packages depending on the MakeMaker Perl module for build configuration may have incorrectly copied the LD_RUN_PATH into the DT_RPATH. A local attacker, who is a member of the "portage" group, could create a malicious shared object in the Portage temporary build directory that would be loaded at runtime by a dependent executable, potentially resulting in privilege escalation.
Gentoo 200510-14 qt-unixodbc 2005-10-17

php: open_basedir directive handling

Package(s):php4 CVE #(s):CAN-2005-3054
Created:October 17, 2005 Updated:October 24, 2005
Description: A bug has been found in the handling of the open_basedir directive. Contrary to the specification, the value of open_basedir was handled as a prefix instead of a proper directory name even if it was terminated by a slash ('/'). For example, this allowed PHP scripts to access the directory /home/user10 when open_basedir was configured to '/home/user1/'.
Trustix TSLSA-2005-0059 apache lynx mod_php4 openssl php4 php squid texinfo wget 2005-10-21
Ubuntu USN-207-1 php4 2005-10-17
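The open_basedir bug described above is a general one: a string-prefix test is not a directory-containment test. The following is an added example, not PHP's own code, showing the faulty prefix comparison beside a check that only matches on a whole path component. Both functions assume paths that are already absolute and canonical (symlinks and ".." resolved, which PHP does with realpath() before comparing); the function names are hypothetical.

```c
/* Added example, not PHP's own code: why open_basedir must be matched as a
 * directory rather than as a string prefix.  Both functions assume paths
 * that are already absolute and canonical (symlinks and ".." resolved,
 * as PHP does with realpath() before this check); names are hypothetical. */
#include <stdio.h>
#include <string.h>

/* Faulty behaviour described in the advisory: the trailing '/' of the
 * configured value is dropped and what remains is compared as a prefix,
 * so "/home/user1/" admits "/home/user10/...". */
int prefix_allows(const char *basedir, const char *path)
{
    size_t n = strlen(basedir);
    if (n > 1 && basedir[n - 1] == '/')
        n--;                                   /* "/home/user1/" -> "/home/user1" */
    return strncmp(basedir, path, n) == 0;
}

/* Correct: the prefix must end on a path-component boundary, i.e. the
 * path either ends exactly there or continues with a '/'. */
int dir_allows(const char *basedir, const char *path)
{
    size_t n = strlen(basedir);
    while (n > 1 && basedir[n - 1] == '/')
        n--;                                   /* strip trailing slashes */
    if (n == 1 && basedir[0] == '/')           /* basedir is the root */
        return path[0] == '/';
    if (strncmp(basedir, path, n) != 0)
        return 0;
    return path[n] == '\0' || path[n] == '/';
}

int main(void)
{
    const char *base = "/home/user1/";
    const char *tests[] = { "/home/user1/www/index.php", "/home/user1",
                            "/home/user10/secret.txt", "/home/user2/x" };
    for (size_t i = 0; i < sizeof tests / sizeof tests[0]; i++)
        printf("%-28s prefix=%d dir=%d\n", tests[i],
               prefix_allows(base, tests[i]), dir_allows(base, tests[i]));
    return 0;
}
```

The canonicalization assumption matters as much as the boundary check: without resolving symlinks and ".." first, "/home/user1/../user2/x" passes dir_allows() on the string alone.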

phpMyAdmin: arbitrary code execution

Package(s):phpmyadmin CVE #(s):
Created:October 17, 2005 Updated:October 19, 2005
Description: Maksymilian Arciemowicz reported that in libraries/grab_globals.lib.php, the $__redirect parameter was not correctly validated. Systems running PHP in safe mode are not affected. A local attacker may exploit this vulnerability by sending malicious requests, causing the execution of arbitrary code with the rights of the user running the web server.
Gentoo 200510-16 phpmyadmin 2005-10-17

w3c-libwww: possible stack overflow

Package(s):w3c-libwww CVE #(s):CVE-2005-3183
Created:October 14, 2005 Updated:May 2, 2007
Description: Extensive testing of libwww's handling of multipart/byteranges content from HTTP/1.1 servers revealed multiple logical flaws and bugs in Library/src/HTBound.c.
Red Hat RHSA-2007:0208-02 w3c-libwww 2007-05-01
Ubuntu USN-220-1 w3c-libwww 2005-12-01
Mandriva MDKSA-2005:210 w3c-libwww 2005-11-09
Fedora FEDORA-2005-953 w3c-libwww 2005-10-07
Fedora FEDORA-2005-952 w3c-libwww 2005-10-07

Metasploit Framework v2.5

Version v2.5 of the Metasploit Framework is out. This release now has three user interfaces, 105 exploits, and 75 different payloads; click below for the full release announcement.

Page editor: Jonathan Corbet

Copyright © 2005, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds