CVE-2009-2692

Sažetak

The Linux kernel 2.6.0 through 2.6.30.4, and 2.4.4 through 2.4.37.4, does not initialize all function pointers for socket operations in proto_ops structures, which allows local users to trigger a NULL pointer dereference and gain privileges by using mmap to map page zero, placing arbitrary code on this page, and then invoking an unavailable operation, as demonstrated by the sendpage operation (sock_sendpage function) on a PF_PPPOX socket.

Reference

http://archives.neohapsis.com/archives/fulldisclosure/2009-08/0174.html
http://blog.cr0.org/2009/08/linux-null-pointer-dereference-due-to.html
http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.4.37.y.git%3Ba=commit%3Bh=c18d0fe535a73b219f960d1af3d0c264555a12e3
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=e694958388c50148389b0e9b9e9e8945cf0f1b98
http://grsecurity.net/~spender/wunderbar_emporium.tgz
http://lists.opensuse.org/opensuse-security-announce/2009-09/msg00001.html
http://rhn.redhat.com/errata/RHSA-2009-1222.html
http://rhn.redhat.com/errata/RHSA-2009-1223.html
http://secunia.com/advisories/36278
http://secunia.com/advisories/36289
http://secunia.com/advisories/36327
http://secunia.com/advisories/36430
http://secunia.com/advisories/37298
http://secunia.com/advisories/37471
http://support.avaya.com/css/P8/documents/100067254
http://wiki.rpath.com/wiki/Advisories:rPSA-2009-0121
http://www.debian.org/security/2009/dsa-1865
http://www.exploit-db.com/exploits/19933
http://www.exploit-db.com/exploits/9477
http://www.kernel.org/pub/linux/kernel/v2.4/ChangeLog-2.4.37.5
http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.30.5
http://www.kernel.org/pub/linux/kernel/v2.6/testing/ChangeLog-2.6.31-rc6
http://www.mandriva.com/security/advisories?name=MDVSA-2009:233
http://www.openwall.com/lists/oss-security/2009/08/14/1
http://www.redhat.com/support/errata/RHSA-2009-1233.html
http://www.securityfocus.com/archive/1/505751/100/0/threaded
http://www.securityfocus.com/archive/1/505912/100/0/threaded
http://www.securityfocus.com/archive/1/507985/100/0/threaded
http://www.securityfocus.com/archive/1/512019/100/0/threaded
http://www.securityfocus.com/bid/36038
http://www.vmware.com/security/advisories/VMSA-2009-0016.html
http://www.vupen.com/english/advisories/2009/2272
http://www.vupen.com/english/advisories/2009/3316
http://zenthought.org/content/file/android-root-2009-08-16-source
https://bugzilla.redhat.com/show_bug.cgi?id=516949
https://issues.rpath.com/browse/RPL-3103
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11526
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11591
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A8657

CVSS

Base:	7.2
Impact:	10.0
Exploitability:	3.9

Pristup

Vektor	Složenost	Autentikacija
LOCAL	LOW	NONE

Impact

Povjerljivost	Cjelovitost	Dostupnost
COMPLETE	COMPLETE	COMPLETE

CVSS vektor

AV:L/AC:L/Au:N/C:C/I:C/A:C

Zadnje važnije ažuriranje

08-02-2024 - 23:50

Objavljeno

14-08-2009 - 15:16