Affected Versions:
Linux kernel 2.6.x
Vulnerability description:
The Linux kernel is the kernel of the open-source Linux operating system.
The Netfilter module "ipt_CLUSTERIP.c" in the Linux kernel has a buffer overflow vulnerability. A local attacker can use it to execute arbitrary code and completely control the affected computer, or to crash the kernel and cause a denial of service (DoS) for legitimate users.
The "buffer" string is copied from user space without any check that it is NUL-terminated, so simple_strtoul() can run past the end of the buffer. The fix is to copy no more bytes than the "size" supplied by the user. The problem predates the kernel's git history. By default the files under "ipt_CLUSTERIP/*" are writable only by root, but in some configurations write permission may be granted to network-administration users.
Reference: Vasiliy Kulikov (segoon@openwall.com)
Test method:
Vasiliy Kulikov (segoon@openwall.com) provided the following patch:
---
Net/ipv4/netfilter/ipt_CLUSTERIP.c | 5 ++-
1 files changed, 4 insertions (+), 1 deletions (-)
Diff -- git a/net/ipv4/netfilter/ipt_CLUSTERIP.c B/net/ipv4/netfilter/ipt_CLUSTERIP.c
Index 1e26a48 .. af7dec6 100644
--- A/net/ipv4/netfilter/ipt_CLUSTERIP.c
++ B/net/ipv4/netfilter/ipt_CLUSTERIP.c
@-669,8 + 669,11 @ static ssize_t clusterip_proc_write (struct file * file, const char _ user * input,
Char buffer [PROC_WRITELEN + 1];
Unsigned long nodenum;
-If (copy_from_user (buffer, input, PROC_WRITELEN ))
+ If (size> PROC_WRITELEN)
+ Return-EIO;
+ If (copy_from_user (buffer, input, size ))
Return-EFAULT;
+ Buffer [size] = 0;
If (* buffer = + ){
Nodenum = simple_strtoul (buffer + 1, NULL, 10 );
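Review bot: the new `if (size > PROC_WRITELEN) return -EIO;` turns a write longer than PROC_WRITELEN into a hard error, where the removed `copy_from_user(buffer, input, PROC_WRITELEN)` silently truncated it (and, for a write shorter than PROC_WRITELEN, read past the caller's data); -EIO is an odd code for a malformed request, -EINVAL is the conventional choice, and the behaviour change deserves a sentence in the commit message. The `buffer[size] = 0` store is in bounds because the array holds PROC_WRITELEN + 1 bytes and size has just been bounded, so the parse in `simple_strtoul(buffer + 1, ...)` can no longer run off the end of the buffer.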
--
1.7.0.4
--
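Added example, not code from the kernel or from the advisory: a user-space model of the patched write handler described above, so the size check, bounded copy and NUL terminator can be exercised on constructed inputs. It assumes PROC_WRITELEN is 10 and simplifies the parser to the "+" prefix shown in the hunk; model_copy_from_user() is a stand-in for the kernel helper.

```c
/* User-space model of the patched clusterip_proc_write() logic.
 * Assumptions: PROC_WRITELEN is 10 (the real value is defined in
 * ipt_CLUSTERIP.c), and only the "+<node>" form is parsed. */
#include <errno.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

#define PROC_WRITELEN 10   /* assumed for illustration */

/* Stand-in for copy_from_user(): the constructed "user" buffer is
 * user_len bytes long, so a request for more than that fails the way the
 * kernel helper fails when a copy reaches unreadable memory. */
static int model_copy_from_user(char *dst, const char *user,
                                size_t user_len, size_t n)
{
    if (n > user_len)
        return 1;
    memcpy(dst, user, n);
    return 0;
}

/* Mirrors the hunk: reject over-long writes, copy only `size` bytes,
 * terminate the buffer, then parse. Returns the node number on success
 * or a negative errno value (-EIO, -EFAULT, -EINVAL). */
long patched_proc_write(const char *input, size_t input_len, size_t size)
{
    char buffer[PROC_WRITELEN + 1];

    if (size > PROC_WRITELEN)
        return -EIO;
    if (model_copy_from_user(buffer, input, input_len, size))
        return -EFAULT;
    buffer[size] = 0;   /* the terminator the old code never wrote */

    if (*buffer == '+')
        /* strtoul() stands in for simple_strtoul(); the terminator above
         * guarantees it stops inside the stack buffer. */
        return (long)strtoul(buffer + 1, NULL, 10);

    return -EINVAL;     /* simplification: '-' handling is not modelled */
}
```

A write of exactly PROC_WRITELEN bytes with no terminator, which the old code parsed past the end of the array, now parses cleanly, and a longer one is rejected before any copy.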
Vendor patch:
Linux
-----
The vendor has released a patch to fix this security problem. Please download it from the vendor's homepage:
http://www.kernel.org/