ID CVE-2006-1055
Summary The fill_write_buffer function in sysfs/file.c in Linux kernel 2.6.12 up to versions before 2.6.17-rc1 does not zero terminate a buffer when a length of PAGE_SIZE or more is requested, which might allow local users to cause a denial of service (crash) by causing an out-of-bounds read.
References
Vulnerable Configurations
  • Linux Kernel 2.6.12
    cpe:2.3:o:linux:linux_kernel:2.6.12
  • Linux Kernel 2.6.12 Release Candidate 1
    cpe:2.3:o:linux:linux_kernel:2.6.12:rc1
  • Linux Kernel 2.6.12 Release Candidate 4
    cpe:2.3:o:linux:linux_kernel:2.6.12:rc4
  • Linux Kernel 2.6.12 Release Candidate 5
    cpe:2.3:o:linux:linux_kernel:2.6.12:rc5
  • Linux Kernel 2.6.12.1
    cpe:2.3:o:linux:linux_kernel:2.6.12.1
  • Linux Kernel 2.6.12.2
    cpe:2.3:o:linux:linux_kernel:2.6.12.2
  • Linux Kernel 2.6.12.3
    cpe:2.3:o:linux:linux_kernel:2.6.12.3
  • Linux Kernel 2.6.12.4
    cpe:2.3:o:linux:linux_kernel:2.6.12.4
  • Linux Kernel 2.6.12.5
    cpe:2.3:o:linux:linux_kernel:2.6.12.5
  • Linux Kernel 2.6.12.6
    cpe:2.3:o:linux:linux_kernel:2.6.12.6
  • Linux Kernel 2.6.13
    cpe:2.3:o:linux:linux_kernel:2.6.13
  • Linux Kernel 2.6.13 Release Candidate 1
    cpe:2.3:o:linux:linux_kernel:2.6.13:rc1
  • Linux Kernel 2.6.13 Release Candidate 4
    cpe:2.3:o:linux:linux_kernel:2.6.13:rc4
  • Linux Kernel 2.6.13 Release Candidate 6
    cpe:2.3:o:linux:linux_kernel:2.6.13:rc6
  • Linux Kernel 2.6.13 Release Candidate 7
    cpe:2.3:o:linux:linux_kernel:2.6.13:rc7
  • Linux Kernel 2.6.13.1
    cpe:2.3:o:linux:linux_kernel:2.6.13.1
  • Linux Kernel 2.6.13.2
    cpe:2.3:o:linux:linux_kernel:2.6.13.2
  • Linux Kernel 2.6.13.3
    cpe:2.3:o:linux:linux_kernel:2.6.13.3
  • Linux Kernel 2.6.13.4
    cpe:2.3:o:linux:linux_kernel:2.6.13.4
  • Linux Kernel 2.6.14
    cpe:2.3:o:linux:linux_kernel:2.6.14
  • Linux Kernel 2.6.14 Release Candidate 1
    cpe:2.3:o:linux:linux_kernel:2.6.14:rc1
  • Linux Kernel 2.6.14 Release Candidate 2
    cpe:2.3:o:linux:linux_kernel:2.6.14:rc2
  • Linux Kernel 2.6.14 Release Candidate 3
    cpe:2.3:o:linux:linux_kernel:2.6.14:rc3
  • Linux Kernel 2.6.14 Release Candidate 4
    cpe:2.3:o:linux:linux_kernel:2.6.14:rc4
  • Linux Kernel 2.6.14.1
    cpe:2.3:o:linux:linux_kernel:2.6.14.1
  • Linux Kernel 2.6.14.2
    cpe:2.3:o:linux:linux_kernel:2.6.14.2
  • Linux Kernel 2.6.14.3
    cpe:2.3:o:linux:linux_kernel:2.6.14.3
  • Linux Kernel 2.6.14.4
    cpe:2.3:o:linux:linux_kernel:2.6.14.4
  • Linux Kernel 2.6.14.5
    cpe:2.3:o:linux:linux_kernel:2.6.14.5
  • Linux Kernel 2.6.15
    cpe:2.3:o:linux:linux_kernel:2.6.15
  • Linux Kernel 2.6.15 Release Candidate 1
    cpe:2.3:o:linux:linux_kernel:2.6.15:rc1
  • Linux Kernel 2.6.15 Release Candidate 3
    cpe:2.3:o:linux:linux_kernel:2.6.15:rc3
  • Linux Kernel 2.6.15 Release Candidate 4
    cpe:2.3:o:linux:linux_kernel:2.6.15:rc4
  • Linux Kernel 2.6.15 Release Candidate 5
    cpe:2.3:o:linux:linux_kernel:2.6.15:rc5
  • Linux Kernel 2.6.15 Release Candidate 6
    cpe:2.3:o:linux:linux_kernel:2.6.15:rc6
  • Linux Kernel 2.6.15 Release Candidate 7
    cpe:2.3:o:linux:linux_kernel:2.6.15:rc7
  • Linux Kernel 2.6.15.1
    cpe:2.3:o:linux:linux_kernel:2.6.15.1
  • Linux Kernel 2.6.15.2
    cpe:2.3:o:linux:linux_kernel:2.6.15.2
  • Linux Kernel 2.6.15.3
    cpe:2.3:o:linux:linux_kernel:2.6.15.3
  • Linux Kernel 2.6.15.4
    cpe:2.3:o:linux:linux_kernel:2.6.15.4
  • Linux Kernel 2.6.15.5
    cpe:2.3:o:linux:linux_kernel:2.6.15.5
  • Linux Kernel 2.6.16 Release Candidate 1
    cpe:2.3:o:linux:linux_kernel:2.6.16:rc1
  • Linux Kernel 2.6.17
    cpe:2.3:o:linux:linux_kernel:2.6.17
CVSS
Base: 4.9 (as of 05-04-2006 - 17:27)
Impact:
Exploitability:
Access
VectorComplexityAuthentication
LOCAL LOW NONE
Impact
ConfidentialityIntegrityAvailability
NONE NONE COMPLETE
nessus via4
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-281-1.NASL
    description The sys_mbind() function did not properly verify the validity of the 'maxnod' argument. A local user could exploit this to trigger a buffer overflow, which caused a kernel crash. (CVE-2006-0557) The SELinux module did not correctly handle the tracer SID when a process was already being traced. A local attacker could exploit this to cause a kernel crash. (CVE-2006-1052) Al Viro discovered a local Denial of Service in the sysfs write buffer handling. By writing a block with a length exactly equal to the processor's page size to any writable file in /sys, a local attacker could cause a kernel crash. (CVE-2006-1055) John Blackwood discovered a race condition with single-step debugging multiple processes at the same time. A local attacker could exploit this to crash the system. This only affects the amd64 platform. (CVE-2006-1066) Marco Ivaldi discovered a flaw in the handling of the ID number of IP packets. This number was incremented after receiving unsolicited TCP SYN-ACK packets. A remote attacker could exploit this to conduct port scans with the 'Idle scan' method (nmap -sI), which bypassed intended port scan protections. (CVE-2006-1242) Pavel Kankovsky discovered that the getsockopt() function, when called with an SO_ORIGINAL_DST argument, does not properly clear the returned structure, so that a random piece of kernel memory is exposed to the user. This could potentially reveal sensitive data like passwords or encryption keys. (CVE-2006-1343) A buffer overflow was discovered in the USB Gadget RNDIS implementation. While creating a reply message, the driver did not allocate enough memory for the reply structure. A remote attacker could exploit this to cause a kernel crash. (CVE-2006-1368) Alexandra Kossovsky discovered an invalid memory access in the ip_route_input() function. By using the 'ip' command in a particular way to retrieve multicast routes, a local attacker could exploit this to crash the kernel. (CVE-2006-1525). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-08-15
    plugin id 21375
    published 2006-05-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=21375
    title Ubuntu 5.04 / 5.10 : linux-source-2.6.10, linux-source-2.6.12 vulnerabilities (USN-281-1)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2006-423.NASL
    description This update includes a number of security issues that have been fixed upstream over the last week or so. i386/x86-64: Fix x87 information leak between processes (CVE-2006-1056) ip_route_input panic fix (CVE-2006-1525) fix MADV_REMOVE vulnerability (CVE-2006-1524) shmat: stop mprotect from giving write permission to a readonly attachment (CVE-2006-1524) Fix MPBL0010 driver insecure sysfs permissions x86_64: When user could have changed RIP always force IRET (CVE-2006-0744) Fix RCU signal handling Keys: Fix oops when adding key to non-keyring (CVE-2006-1522) sysfs: zero terminate sysfs write buffers (CVE-2006-1055) It also includes various other fixes from the -stable tree. Full changelogs are available from : http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.16.9 http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.16.8 http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.16.7 http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.16.6 http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.16.5 http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.16.4 http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.16.3 http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.16.2 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 21253
    published 2006-04-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=21253
    title Fedora Core 4 : kernel-2.6.16-1.2096_FC4 (2006-423)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-302-1.NASL
    description An integer overflow was discovered in the do_replace() function. A local user process with the CAP_NET_ADMIN capability could exploit this to execute arbitrary commands with full root privileges. However, none of Ubuntu's supported packages use this capability with any non-root user, so this only affects you if you use some third party software like the OpenVZ virtualization system. (CVE-2006-0038) On EMT64 CPUs, the kernel did not properly handle uncanonical return addresses. A local user could exploit this to trigger a kernel crash. (CVE-2006-0744) Al Viro discovered a local Denial of Service in the sysfs write buffer handling. By writing a block with a length exactly equal to the processor's page size to any writable file in /sys, a local attacker could cause a kernel crash. (CVE-2006-1055) Jan Beulich discovered an information leak in the handling of registers for the numeric coprocessor when running on AMD processors. This allowed processes to see the coprocessor execution state of other processes, which could reveal sensitive data in the case of cryptographic computations. (CVE-2006-1056) Marcel Holtmann discovered that the sys_add_key() did not check that a new user key is added to a proper keyring. By attempting to add a key to a normal user key (which is not a keyring), a local attacker could exploit this to crash the kernel. (CVE-2006-1522) Ingo Molnar discovered that the SCTP protocol connection tracking module in netfilter got stuck in an infinite loop on certain empty packet chunks. A remote attacker could exploit this to cause the computer to hang. (CVE-2006-1527) The SCSI I/O driver did not correctly handle the VM_IO flag for memory mapped pages used for data transfer. A local user could exploit this to cause a kernel crash. (CVE-2006-1528) The choose_new_parent() contained obsolete debugging code. A local user could exploit this to cause a kernel crash. (CVE-2006-1855) Kostik Belousov discovered that the readv() and writev() functions did not query LSM modules for access permission. This could be exploited to circumvent access restrictions defined by LSM modules such as SELinux or AppArmor. (CVE-2006-1856) The SCTP driver did not properly verify certain parameters when receiving a HB-ACK chunk. By sending a specially crafted packet to an SCTP socket, a remote attacker could exploit this to trigger a buffer overflow, which could lead to a crash or possibly even arbitrary code execution. (CVE-2006-1857) The sctp_walk_params() function in the SCTP driver incorrectly used rounded values for bounds checking instead of the precise values. By sending a specially crafted packet to an SCTP socket, a remote attacker could exploit this to crash the kernel. (CVE-2006-1858) Bjoern Steinbrink reported a memory leak in the __setlease() function. A local attacker could exploit this to exhaust kernel memory and render the computer unusable (Denial of Service). (CVE-2006-1859) Daniel Hokka Zakrisson discovered that the lease_init() did not properly handle locking. A local attacker could exploit this to cause a kernel deadlock (Denial of Service). (CVE-2006-1860) Mark Moseley discovered that the CIFS file system driver did not filter out '..\\' path components. A local attacker could exploit this to break out of a chroot environment on a mounted SMB share. (CVE-2006-1863) The same vulnerability applies to the older smb file system. (CVE-2006-1864) Hugh Dickins discovered that the mprotect() function allowed an user to change a read-only shared memory attachment to become writable, which bypasses IPC (inter-process communication) permissions. (CVE-2006-2071) The SCTP (Stream Control Transmission Protocol) driver triggered a kernel panic on unexpected packets while the session was in the CLOSED state, instead of silently ignoring the packets. A remote attacker could exploit this to crash the computer. (CVE-2006-2271) The SCTP driver did not handle control chunks if they arrived in fragmented packets. By sending specially crafted packets to an SCTP socket, a remote attacker could exploit this to crash the target machine. (CVE-2006-2272) The SCTP driver did not correctly handle packets containing more than one DATA fragment. By sending specially crafted packets to an SCTP socket, a remote attacker could exploit this to crash the target machine. (CVE-2006-2274) The SCTP driver did not correcly buffer incoming packets. By sending a large number of small messages to a receiver application that cannot process the messages quickly enough, a remote attacker could exploit this to cause a deadlock in the target machine (Denial of Service). (CVE-2006-2275) Patrick McHardy discovered that the snmp_trap_decode() function did not correctly handle memory allocation in some error conditions. By sending specially crafted packets to a machine which uses the SNMP network address translation (NAT), a remote attacker could exploit this to crash that machine. (CVE-2006-2444) In addition, the Ubuntu 6.06 LTS update fixes a range of bugs. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 27877
    published 2007-11-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=27877
    title Ubuntu 5.04 / 5.10 / 6.06 LTS : linux-source-2.6.10/2.6.12/2.6.15 vulnerabilities (USN-302-1)
refmap via4
bid 17402
confirm
fedora FEDORA-2006-423
osvdb 24443
secunia
  • 19495
  • 19735
  • 19955
  • 20398
  • 20716
suse SUSE-SA:2006:028
trustix 2006-0020
ubuntu
  • USN-281-1
  • USN-302-1
vupen
  • ADV-2006-1273
  • ADV-2006-1475
xf linux-fillwritebuffer-dos(25693)
Last major update 07-03-2011 - 21:31
Published 05-04-2006 - 13:04
Last modified 03-10-2018 - 17:36
Back to Top