Vigil@nce: Linux kernel, buffer overflow of sunrpc/transports
November 2008 by Vigil@nce
A local attacker can read /proc/sys/sunrpc/transports in order to create an overflow in the kernel.
Consequences: administrator access/rights, denial of service of computer
Provenance: user shell
Means of attack: 1 proof of concept
Ability of attacker: specialist (3/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 28/10/2008
The /proc/sys/sunrpc/transports file displays the list of RPC transports and the maximal size of data. For example: tcp 1048576 (1Mo) udp 32768 (32ko)
The content of this file is generated on the fly by the proc_do_xprt() function of the net/sunrpc/sysctl.c file. However, this function copies generated information without checking their size, which creates an overflow.
A local attacker can therefore read this file in order to create a denial of service or to execute code.
Identifiers: BID-31937, CVE-2008-3911, SUSE-SA:2008:053,