Vigil@nce: Linux kernel, buffer overflow of sunrpc/transports
November 2008 by Vigil@nce
A local attacker can read /proc/sys/sunrpc/transports in order to
create an overflow in the kernel.
– Gravity: 2/4
– Consequences: administrator access/rights, denial of service of
computer
– Provenance: user shell
– Means of attack: 1 proof of concept
– Ability of attacker: specialist (3/4)
– Confidence: confirmed by the editor (5/5)
– Diffusion of the vulnerable configuration: high (3/3)
– Creation date: 28/10/2008
IMPACTED PRODUCTS
– Linux kernel
– OpenSUSE
DESCRIPTION
The /proc/sys/sunrpc/transports file displays the list of RPC
transports and the maximal size of data. For example:
tcp 1048576 (1Mo)
udp 32768 (32ko)
The content of this file is generated on the fly by the
proc_do_xprt() function of the net/sunrpc/sysctl.c file. However,
this function copies generated information without checking their
size, which creates an overflow.
A local attacker can therefore read this file in order to create a
denial of service or to execute code.
CHARACTERISTICS
– Identifiers: BID-31937, CVE-2008-3911, SUSE-SA:2008:053,
VIGILANCE-VUL-8204
– Url: http://vigilance.aql.fr/vulnerability/8204