lunes, junio 16, 2008

Linux remote null pointer derreference (CVE-2007-2876)

The linux netfilter connection tracking new_state() function has a vulnerability exploitable remotelly.

sctp_new();

newconntrack = new_state(IP_CT_DIR_ORIGINAL, SCTP_CONNTRACK_NONE, sch->type);
if (newconntrack == SCTP_CONNTRACK_MAX) {
pr_debug("nf_conntrack_sctp: invalid new deleting.\n");
return 0;
}

Max is not allowed, conntrack_none shouldn't be allowed too.

conntrack->proto.sctp.state = newconntrack;

State will be zero.

sctp_packet() for returning the veredict of the packet, take the state 0:

oldsctpstate = conntrack->proto.sctp.state;
newconntrack = new_state(CTINFO2DIR(ctinfo), oldsctpstate, sch->type);

And then give a null ptr:
nf_ct_refresh_acct(conntrack, ctinfo, skb, *sctp_timeouts[newconntrack]);

becouse sctp_timeouts[SCTP_CONNTRACK_NONE ] is null, it has not a callback:

static unsigned int * sctp_timeouts[]
= { NULL, /* SCTP_CONNTRACK_NONE */
&nf_ct_sctp_timeout_closed, /* SCTP_CONNTRACK_CLOSED */
&nf_ct_sctp_timeout_cookie_wait, /* SCTP_CONNTRACK_COOKIE_WAIT */
&nf_ct_sctp_timeout_cookie_echoed, /* SCTP_CONNTRACK_COOKIE_ECHOED */
&nf_ct_sctp_timeout_established, /* SCTP_CONNTRACK_ESTABLISHED */
&nf_ct_sctp_timeout_shutdown_sent, /* SCTP_CONNTRACK_SHUTDOWN_SENT */
&nf_ct_sctp_timeout_shutdown_recd, /* SCTP_CONNTRACK_SHUTDOWN_RECD */
&nf_ct_sctp_timeout_shutdown_ack_sent /* SCTP_CONNTRACK_SHUTDOWN_ACK_SENT */
}


To exploit this you have to create:
socket(AF_INET, SOCK_STREAM, IPPROTO_SCTP)
and set the sockopt SCTP_STATUS to zero.

Becouse of this option is read only, you will need to construct the raw sctp packet :)

The victym must have a SCTP service, and the oops probably doensnt crash the system.

2 comentarios:

Anónimo dijo...

Muy bueno, no habia visto esto, soy simkin ;)

Anónimo dijo...

muy bueno, no habia visto esto, soy simkin ;)