Vigil@nce: Linux kernel, denial of service via a Unix socket
October 2009 by Vigil@nce
A local attacker can use a partially closed Unix socket, in order
to lock the system.
– Severity: 1/4
– Consequences: denial of service of computer
– Provenance: user shell
– Means of attack: 1 attack
– Ability of attacker: technician (2/4)
– Confidence: confirmed by the editor (5/5)
– Diffusion of the vulnerable configuration: high (3/3)
– Creation date: 19/10/2009
IMPACTED PRODUCTS
– Linux kernel
DESCRIPTION OF THE VULNERABILITY
Unix sockets are used, for example, by two processes on the same host to
exchange data by connecting to a special file. If the filename starts with
a null byte ('\0'), no file is created on the filesystem; the name lives
instead in an abstract namespace managed by the kernel.
The shutdown() function closes one direction (read and/or write) of a
socket without releasing the socket itself.
When a Unix socket in the abstract namespace has been shut down with
shutdown() but not yet released with close(), a local attacker can still
connect to it. Because the socket is only partially closed, the
connection attempt sends the kernel into an infinite loop.
A local attacker can therefore use a partially closed Unix socket,
in order to lock the system.
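As an added example (not code from the advisory or from the kernel project), the following C program shows the abstract namespace described above: the name passed to bind() begins with '\0', so no filesystem entry is created and the name disappears as soon as the socket is closed. The socket name is a constructed sample and the program assumes Linux.

```c
/* Added example, not code from the advisory: the abstract Unix-socket namespace
 * described above. Linux only; the socket name below is a constructed sample. */
#include <stddef.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>

/* Listener (bind+listen) or client (connect) on abstract name "\0"+name.
 * sun_path[0] stays '\0' (the abstract marker) and addrlen counts that byte,
 * since the name is not NUL-terminated. Returns the fd or -1. */
int abstract_socket(const char *name, int listener)
{
    struct sockaddr_un sa = { .sun_family = AF_UNIX };   /* rest zeroed */
    size_t n = strlen(name);
    if (n > sizeof sa.sun_path - 1) n = sizeof sa.sun_path - 1;
    memcpy(sa.sun_path + 1, name, n);
    socklen_t len = (socklen_t)(offsetof(struct sockaddr_un, sun_path) + 1 + n);
    int fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    int rc = listener ? (bind(fd, (struct sockaddr *)&sa, len) || listen(fd, 1))
                      : connect(fd, (struct sockaddr *)&sa, len);
    if (rc) { close(fd); return -1; }
    return fd;
}

/* 1 if a filesystem entry with this name exists in the cwd, 0 otherwise:
 * an abstract socket never creates one, unlike a path-based Unix socket. */
int name_exists_on_fs(const char *name)
{
    struct stat st;
    return stat(name, &st) == 0;
}

/* Round-trip msg through an abstract socket; returns bytes received or -1. */
int abstract_roundtrip(const char *name, const char *msg)
{
    char buf[64];
    int n = -1, lfd = abstract_socket(name, 1), cfd = -1, sfd = -1;
    if (lfd >= 0 && (cfd = abstract_socket(name, 0)) >= 0 &&
        (sfd = accept(lfd, NULL, NULL)) >= 0 &&
        write(cfd, msg, strlen(msg)) == (ssize_t)strlen(msg))
        n = (int)read(sfd, buf, sizeof buf);
    if (sfd >= 0) close(sfd);
    if (cfd >= 0) close(cfd);
    if (lfd >= 0) close(lfd);   /* the abstract name vanishes with the socket */
    return n;
}
```

Compare with a path-based socket: there, bind() leaves a file behind that must be unlinked, which is exactly the bookkeeping the abstract namespace avoids.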
CHARACTERISTICS
– Identifiers: BID-36723, CVE-2009-3621, VIGILANCE-VUL-9102
– Url: http://vigilance.fr/vulnerability/Linux-kernel-denial-of-service-via-a-Unix-socket-9102