Vigil@nce: Linux kernel, denial of service via X.25 Facilities
November 2010 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
A remote attacker can send a malicious X.25 packet during a
session, in order to stop a Linux system.
– Severity: 1/4
– Creation date: 04/11/2010
DESCRIPTION OF THE VULNERABILITY
The X.25 network protocol defines Facilities:
– 0xC9 (X25_FAC_CALLED_AE) : Called Address Extension
– 0xCB (X25_FAC_CALLING_AE) : Calling Address Extension
– etc.
These packets are composed of:
– 1 byte indicating the type (0xC9 or 0xCB)
– 1 byte indicating the size (N)
– 1 miscellaneous byte
– N-1 bytes of address
The x25_parse_facilities() function of the
net/x25/x25_facilities.c file copies the address with (simplified):
memcpy(buffer, packet, N-1);
However, if N is set to zero, the memcpy() function tries to copy
a length of -1 (0xFF...F), which corrupts the memory.
A remote attacker can therefore send a malicious X.25 packet
during a session, in order to stop a Linux system.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Linux-kernel-denial-of-service-via-X-25-Facilities-10098