Vigil@nce: OpenBSD, denial of service via getsockopt
October 2009 by Vigil@nce
A local attacker can use the getsockopt() function to stop the
system.
– Severity: 1/4
– Consequences: denial of service of computer
– Provenance: user shell
– Means of attack: no proof of concept, no attack
– Ability of attacker: expert (4/4)
– Confidence: confirmed by the editor (5/5)
– Diffusion of the vulnerable configuration: high (3/3)
– Creation date: 29/10/2009
IMPACTED PRODUCTS
– OpenBSD
DESCRIPTION OF THE VULNERABILITY
The getsockopt() function is used to obtain information associated
with a socket:
– IP/IPV6_AUTH_LEVEL : use the IPSec authentication
– IP/IPV6_ESP_TRANS_LEVEL : encryption in transport mode
– IP/IPV6_ESP_NETWORK_LEVEL : encryption in tunnel mode
– IP/IPV6_IPCOMP_LEVEL : compression
The ip_ctloutput() and ip6_ctloutput() functions in the files
sys/netinet/ip_output.c and sys/netinet6/ip6_output.c return this
information.
However, when these functions are called for the 4 aforementioned
options, they dereference an uninitialized pointer to an mbuf.
A local attacker can therefore use the getsockopt() function to
stop the system.
CHARACTERISTICS
– Identifiers: BID-36859, VIGILANCE-VUL-9139
– Url: http://vigilance.fr/vulnerability/OpenBSD-denial-of-service-via-getsockopt-9139