ID CVE-2007-0005
Summary Multiple buffer overflows in the (1) read and (2) write handlers in the Omnikey CardMan 4040 driver in the Linux kernel before 2.6.21-rc3 allow local users to gain privileges.
References
Vulnerable Configurations
  • Linux Kernel 2.6.21
    cpe:2.3:o:linux:linux_kernel:2.6.21
  • Linux Kernel 2.6.21 Release Candidate 1
    cpe:2.3:o:linux:linux_kernel:2.6.21:rc1
  • Linux Kernel 2.6.21 Release Candidate 2
    cpe:2.3:o:linux:linux_kernel:2.6.21:rc2
  • Linux Kernel 2.6.21.1
    cpe:2.3:o:linux:linux_kernel:2.6.21.1
  • Linux Kernel 2.6.21.2
    cpe:2.3:o:linux:linux_kernel:2.6.21.2
  • Linux Kernel 2.6.21.3
    cpe:2.3:o:linux:linux_kernel:2.6.21.3
  • Linux Kernel 2.6.21.4
    cpe:2.3:o:linux:linux_kernel:2.6.21.4
  • Linux Kernel 2.6.21.5
    cpe:2.3:o:linux:linux_kernel:2.6.21.5
  • Linux Kernel 2.6.21.6
    cpe:2.3:o:linux:linux_kernel:2.6.21.6
  • Linux Kernel 2.6.21.7
    cpe:2.3:o:linux:linux_kernel:2.6.21.7
  • Linux Omnikey Cardman 4040
    cpe:2.3:a:omnikey.aaitg:omnikey_cardman_4040
CVSS
Base: 6.9 (as of 12-03-2007 - 10:00)
Impact:
Exploitability:
CWE CWE-119
CAPEC
  • Buffer Overflow via Environment Variables
    This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
  • Overflow Buffers
    Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
  • Client-side Injection-induced Buffer Overflow
    This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
  • Filter Failure through Buffer Overflow
    In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
  • MIME Conversion
    An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.
  • Overflow Binary Resource File
    An attack of this type exploits a buffer overflow vulnerability in the handling of binary resources. Binary resources may include music files like MP3, image files like JPEG files, and any other binary file. These attacks may pass unnoticed to the client machine through normal usage of files, such as a browser loading a seemingly innocent JPEG file. This can allow the attacker access to the execution stack and execute arbitrary code in the target process. This attack pattern is a variant of standard buffer overflow attacks using an unexpected vector (binary files) to wrap its attack and open up a new attack vector. The attacker is required to either directly serve the binary content to the victim, or place it in a locale like a MP3 sharing application, for the victim to download. The attacker then is notified upon the download or otherwise locates the vulnerability opened up by the buffer overflow.
  • Buffer Overflow via Symbolic Links
    This type of attack leverages the use of symbolic links to cause buffer overflows. An attacker can try to create or manipulate a symbolic link file such that its contents result in out of bounds data. When the target software processes the symbolic link file, it could potentially overflow internal buffers with insufficient bounds checking.
  • Overflow Variables and Tags
    This type of attack leverages the use of tags or variables from a formatted configuration data to cause buffer overflow. The attacker crafts a malicious HTML page or configuration file that includes oversized strings, thus causing an overflow.
  • Buffer Overflow via Parameter Expansion
    In this attack, the target software is given input that the attacker knows will be modified and expanded in size during processing. This attack relies on the target software failing to anticipate that the expanded data may exceed some internal limit, thereby creating a buffer overflow.
  • Buffer Overflow in an API Call
    This attack targets libraries or shared code modules which are vulnerable to buffer overflow attacks. An attacker who has access to an API may try to embed malicious code in the API function call and exploit a buffer overflow vulnerability in the function's implementation. All clients that make use of the code library thus become vulnerable by association. This has a very broad effect on security across a system, usually affecting more than one software process.
  • Buffer Overflow in Local Command-Line Utilities
    This attack targets command-line utilities available in a number of shells. An attacker can leverage a vulnerability found in a command-line utility to escalate privilege to root.
Access
VectorComplexityAuthentication
LOCAL MEDIUM NONE
Impact
ConfidentialityIntegrityAvailability
COMPLETE COMPLETE COMPLETE
exploit-db via4
description Linux Omnikey Cardman 4040 driver Local Buffer Overflow Exploit PoC. CVE-2007-0005. Dos exploit for linux platform
id EDB-ID:3441
last seen 2016-01-31
modified 2007-03-09
published 2007-03-09
reporter Daniel Roethlisberger
source https://www.exploit-db.com/download/3441/
title Linux Omnikey Cardman 4040 Driver - Local Buffer Overflow Exploit PoC
nessus via4
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2007-335.NASL
    description Rebased to kernel 2.6.20.3-rc1 : http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.20 http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.20.1 (The CVE fix in 2.6.20.1 is already in kernel-2.6.19-1.2911.6.5.fc6.) http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.20.2 Changelog for 2.6.20.3 is not available yet. This release does not include Xen kernels. CVE-2007-0005: A vulnerability has been reported in the Linux Kernel, which potentially can be exploited by malicious, local users to cause a DoS (Denial of Service) or gain escalated privileges. The vulnerability is caused due to boundary errors within the 'read()' and 'write()' functions of the Omnikey CardMan 4040 driver. This can be exploited to cause a buffer overflow and may allow the execution of arbitrary code with kernel privileges. CVE-2007-1000: A vulnerability has been reported in the Linux Kernel, which can be exploited by malicious, local users to cause a DoS (Denial of Service) or disclose potentially sensitive information. The vulnerability is due to a NULL pointer dereference within the 'ipv6_getsockopt_sticky()' function in net/ipv6/ipv6_sockglue.c. This can be exploited to crash the kernel or disclose kernel memory. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-24
    plugin id 24823
    published 2007-03-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=24823
    title Fedora Core 6 : kernel-2.6.20-1.2925.fc6 (2007-335)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2007-336.NASL
    description Rebased to kernel 2.6.20.3-rc1 : http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.20 http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.20.1 (The CVE fix in 2.6.20.1 is already in kernel-2.6.19-1.2911.6.5.fc6.) http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.20.2 Changelog for 2.6.20.3 is not available yet. This release does not include Xen kernels. CVE-2007-0005: A vulnerability has been reported in the Linux Kernel, which potentially can be exploited by malicious, local users to cause a DoS (Denial of Service) or gain escalated privileges. The vulnerability is caused due to boundary errors within the 'read()' and 'write()' functions of the Omnikey CardMan 4040 driver. This can be exploited to cause a buffer overflow and may allow the execution of arbitrary code with kernel privileges. CVE-2007-1000: A vulnerability has been reported in the Linux Kernel, which can be exploited by malicious, local users to cause a DoS (Denial of Service) or disclose potentially sensitive information. The vulnerability is due to a NULL pointer dereference within the 'ipv6_getsockopt_sticky()' function in net/ipv6/ipv6_sockglue.c. This can be exploited to crash the kernel or disclose kernel memory. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-24
    plugin id 24824
    published 2007-03-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=24824
    title Fedora Core 5 : kernel-2.6.20-1.2300.fc5 (2007-336)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-1286.NASL
    description Several local and remote vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2007-0005 Daniel Roethlisberger discovered two buffer overflows in the cm4040 driver for the Omnikey CardMan 4040 device. A local user or malicious device could exploit this to execute arbitrary code in kernel space. - CVE-2007-0958 Santosh Eraniose reported a vulnerability that allows local users to read otherwise unreadable files by triggering a core dump while using PT_INTERP. This is related to CVE-2004-1073. - CVE-2007-1357 Jean Delvare reported a vulnerability in the appletalk subsystem. Systems with the appletalk module loaded can be triggered to crash by other systems on the local network via a malformed frame. - CVE-2007-1592 Masayuki Nakagawa discovered that flow labels were inadvertently being shared between listening sockets and child sockets. This defect can be exploited by local users to cause a DoS (Oops).
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 25153
    published 2007-05-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=25153
    title Debian DSA-1286-1 : linux-2.6 - several vulnerabilities
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2007-0099.NASL
    description Updated kernel packages that fix security issues and bugs in the Red Hat Enterprise Linux 5 kernel are now available. This update has been rated as having important security impact by the Red Hat Security Response Team. The Linux kernel handles the basic functions of the operating system. These new kernel packages contain fixes for the following security issues : * a flaw in the key serial number collision avoidance algorithm of the keyctl subsystem that allowed a local user to cause a denial of service (CVE-2007-0006, Important) * a flaw in the Omnikey CardMan 4040 driver that allowed a local user to execute arbitrary code with kernel privileges. In order to exploit this issue, the Omnikey CardMan 4040 PCMCIA card must be present and the local user must have access rights to the character device created by the driver. (CVE-2007-0005, Moderate) * a flaw in the core-dump handling that allowed a local user to create core dumps from unreadable binaries via PT_INTERP. (CVE-2007-0958, Low) In addition to the security issues described above, a fix for a kernel panic in the powernow-k8 module, and a fix for a kernel panic when booting the Xen domain-0 on system with large memory installations have been included. Red Hat would like to thank Daniel Roethlisberger for reporting an issue fixed in this erratum. Red Hat Enterprise Linux 5 users are advised to upgrade their kernels to the packages associated with their machine architecture and configurations as listed in this erratum.
    last seen 2019-02-21
    modified 2018-11-16
    plugin id 25319
    published 2007-05-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=25319
    title RHEL 5 : kernel (RHSA-2007:0099)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRAKE_MDKSA-2007-078.NASL
    description Some vulnerabilities were discovered and corrected in the Linux 2.6 kernel : When SELinux hooks are enabled, the kernel could allow a local user to cause a DoS (crash) via a malformed file stream that triggers a NULL pointer derefernece (CVE-2006-6056). Multiple buffer overflows in the (1) read and (2) write handlers in the Omnikey CardMan 4040 driver in the Linux kernel before 2.6.21-rc3 allow local users to gain privileges. (CVE-2007-0005) The Linux kernel version 2.6.13 to 2.6.20.1 allowed a remote attacker to cause a DoS (oops) via a crafted NFSACL2 ACCESS request that triggered a free of an incorrect pointer (CVE-2007-0772). A local user could read unreadable binaries by using the interpreter (PT_INTERP) functionality and triggering a core dump; a variant of CVE-2004-1073 (CVE-2007-0958). The ipv6_getsockopt_sticky function in net/ipv6/ipv6_sockglue.c in the Linux kernel before 2.6.20.2 allows local users to read arbitrary kernel memory via certain getsockopt calls that trigger a NULL dereference. (CVE-2007-1000) Buffer overflow in the bufprint function in capiutil.c in libcapi, as used in Linux kernel 2.6.9 to 2.6.20 and isdn4k-utils, allows local users to cause a denial of service (crash) and possibly gain privileges via a crafted CAPI packet. (CVE-2007-1217) The do_ipv6_setsockopt function in net/ipv6/ipv6_sockglue.c in Linux kernel 2.6.17, and possibly other versions, allows local users to cause a denial of service (oops) by calling setsockopt with the IPV6_RTHDR option name and possibly a zero option length or invalid option value, which triggers a NULL pointer dereference. (CVE-2007-1388) net/ipv6/tcp_ipv6.c in Linux kernel 2.4 and 2.6.x up to 2.6.21-rc3 inadvertently copies the ipv6_fl_socklist from a listening TCP socket to child sockets, which allows local users to cause a denial of service (OOPS) or double-free by opening a listeing IPv6 socket, attaching a flow label, and connecting to that socket. (CVE-2007-1592) The provided packages are patched to fix these vulnerabilities. All users are encouraged to upgrade to these updated kernels immediately and reboot to effect the fixes. In addition to these security fixes, other fixes have been included such as : - Suspend to disk speed improvements - Add nmi watchdog support for core2 - Add atl1 driver - Update KVM - Add acer_acpi - Update asus_acpi - Fix suspend on r8169, i8259A - Fix suspend when using ondemand governor - Add ide acpi support - Add suspend/resume support for sata_nv chipsets. - USB: Let USB-Serial option driver handle anydata devices (#29066) - USB: Add PlayStation 2 Trance Vibrator driver - Fix bogus delay loop in video/aty/mach64_ct.c - Add MCP61 support (#29398) - USB: fix floppy drive SAMSUNG SFD-321U/EP detected 8 times bug - Improve keyboard handling on Apple MacBooks - Add -latest patch - Workaround a possible binutils bug in smp alternatives - Add forcedeth support - Fix potential deadlock in driver core (USB hangs at boot time #24683) To update your kernel, please follow the directions located at : http://www.mandriva.com/en/security/kernelupdate
    last seen 2019-02-21
    modified 2018-08-15
    plugin id 24944
    published 2007-04-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=24944
    title Mandrake Linux Security Advisory : kernel (MDKSA-2007:078)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-486-1.NASL
    description The compat_sys_mount function allowed local users to cause a denial of service when mounting a smbfs filesystem in compatibility mode. (CVE-2006-7203) The Omnikey CardMan 4040 driver (cm4040_cs) did not limit the size of buffers passed to read() and write(). A local attacker could exploit this to execute arbitrary code with kernel privileges. (CVE-2007-0005) Due to a variable handling flaw in the ipv6_getsockopt_sticky() function a local attacker could exploit the getsockopt() calls to read arbitrary kernel memory. This could disclose sensitive data. (CVE-2007-1000) Ilja van Sprundel discovered that Bluetooth setsockopt calls could leak kernel memory contents via an uninitialized stack buffer. A local attacker could exploit this flaw to view sensitive kernel information. (CVE-2007-1353) A flaw was discovered in the handling of netlink messages. Local attackers could cause infinite recursion leading to a denial of service. (CVE-2007-1861) A flaw was discovered in the IPv6 stack's handling of type 0 route headers. By sending a specially crafted IPv6 packet, a remote attacker could cause a denial of service between two IPv6 hosts. (CVE-2007-2242) The random number generator was hashing a subset of the available entropy, leading to slightly less random numbers. Additionally, systems without an entropy source would be seeded with the same inputs at boot time, leading to a repeatable series of random numbers. (CVE-2007-2453) A flaw was discovered in the PPP over Ethernet implementation. Local attackers could manipulate ioctls and cause kernel memory consumption leading to a denial of service. (CVE-2007-2525) An integer underflow was discovered in the cpuset filesystem. If mounted, local attackers could obtain kernel memory using large file offsets while reading the tasks file. This could disclose sensitive data. (CVE-2007-2875) Vilmos Nebehaj discovered that the SCTP netfilter code did not correctly validate certain states. A remote attacker could send a specially crafted packet causing a denial of service. (CVE-2007-2876) Luca Tettamanti discovered a flaw in the VFAT compat ioctls on 64-bit systems. A local attacker could corrupt a kernel_dirent struct and cause a denial of service. (CVE-2007-2878). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-28
    plugin id 28087
    published 2007-11-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=28087
    title Ubuntu 6.10 : linux-source-2.6.17 vulnerabilities (USN-486-1)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-489-1.NASL
    description A flaw was discovered in dvb ULE decapsulation. A remote attacker could send a specially crafted message and cause a denial of service. (CVE-2006-4623) The compat_sys_mount function allowed local users to cause a denial of service when mounting a smbfs filesystem in compatibility mode. (CVE-2006-7203) The Omnikey CardMan 4040 driver (cm4040_cs) did not limit the size of buffers passed to read() and write(). A local attacker could exploit this to execute arbitrary code with kernel privileges. (CVE-2007-0005) Due to an variable handling flaw in the ipv6_getsockopt_sticky() function a local attacker could exploit the getsockopt() calls to read arbitrary kernel memory. This could disclose sensitive data. (CVE-2007-1000) Ilja van Sprundel discovered that Bluetooth setsockopt calls could leak kernel memory contents via an uninitialized stack buffer. A local attacker could exploit this flaw to view sensitive kernel information. (CVE-2007-1353) A flaw was discovered in the handling of netlink messages. Local attackers could cause infinite recursion leading to a denial of service. (CVE-2007-1861) The random number generator was hashing a subset of the available entropy, leading to slightly less random numbers. Additionally, systems without an entropy source would be seeded with the same inputs at boot time, leading to a repeatable series of random numbers. (CVE-2007-2453) A flaw was discovered in the PPP over Ethernet implementation. Local attackers could manipulate ioctls and cause kernel memory consumption leading to a denial of service. (CVE-2007-2525) An integer underflow was discovered in the cpuset filesystem. If mounted, local attackers could obtain kernel memory using large file offsets while reading the tasks file. This could disclose sensitive data. (CVE-2007-2875) Vilmos Nebehaj discovered that the SCTP netfilter code did not correctly validate certain states. A remote attacker could send a specially crafted packet causing a denial of service. (CVE-2007-2876) Luca Tettamanti discovered a flaw in the VFAT compat ioctls on 64-bit systems. A local attacker could corrupt a kernel_dirent struct and cause a denial of service. (CVE-2007-2878) A flaw was discovered in the cluster manager. A remote attacker could connect to the DLM port and block further DLM operations. (CVE-2007-3380) A flaw was discovered in the usblcd driver. A local attacker could cause large amounts of kernel memory consumption, leading to a denial of service. (CVE-2007-3513). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-28
    plugin id 28090
    published 2007-11-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=28090
    title Ubuntu 6.06 LTS : linux-source-2.6.15 vulnerability (USN-489-1)
oval via4
accepted 2013-04-29T04:12:36.264-04:00
class vulnerability
contributors
  • name Aharon Chernin
    organization SCAP.com, LLC
  • name Dragos Prisaca
    organization G2, Inc.
definition_extensions
  • comment The operating system installed on the system is Red Hat Enterprise Linux 5
    oval oval:org.mitre.oval:def:11414
  • comment The operating system installed on the system is CentOS Linux 5.x
    oval oval:org.mitre.oval:def:15802
  • comment Oracle Linux 5.x
    oval oval:org.mitre.oval:def:15459
description Multiple buffer overflows in the (1) read and (2) write handlers in the Omnikey CardMan 4040 driver in the Linux kernel before 2.6.21-rc3 allow local users to gain privileges.
family unix
id oval:org.mitre.oval:def:11238
status accepted
submitted 2010-07-09T03:56:16-04:00
title Multiple buffer overflows in the (1) read and (2) write handlers in the Omnikey CardMan 4040 driver in the Linux kernel before 2.6.21-rc3 allow local users to gain privileges.
version 18
packetstorm via4
data source https://packetstormsecurity.com/files/download/55025/csa-driver.txt
id PACKETSTORM:55025
last seen 2016-12-05
published 2007-03-13
reporter Daniel Roethlisberger
source https://packetstormsecurity.com/files/55025/csa-driver.txt.html
title csa-driver.txt
redhat via4
advisories
rhsa
id RHSA-2007:0099
rpms
  • kernel-0:2.6.18-8.1.1.el5
  • kernel-PAE-0:2.6.18-8.1.1.el5
  • kernel-PAE-devel-0:2.6.18-8.1.1.el5
  • kernel-devel-0:2.6.18-8.1.1.el5
  • kernel-doc-0:2.6.18-8.1.1.el5
  • kernel-headers-0:2.6.18-8.1.1.el5
  • kernel-kdump-0:2.6.18-8.1.1.el5
  • kernel-kdump-devel-0:2.6.18-8.1.1.el5
  • kernel-xen-0:2.6.18-8.1.1.el5
  • kernel-xen-devel-0:2.6.18-8.1.1.el5
refmap via4
bid 22870
bugtraq
  • 20070309 Buffer Overflow in Linux Drivers for Omnikey CardMan 4040 (CVE-2007-0005)
  • 20070615 rPSA-2007-0124-1 kernel xen
confirm
debian DSA-1286
fedora
  • FEDORA-2007-335
  • FEDORA-2007-336
mandriva MDKSA-2007:078
osvdb 33023
secunia
  • 24436
  • 24518
  • 24777
  • 24901
  • 25078
  • 25691
  • 26133
  • 26139
ubuntu
  • USN-486-1
  • USN-489-1
vupen ADV-2007-0872
xf kernel-cardman4040drivers-bo(32880)
Last major update 19-03-2012 - 00:00
Published 09-03-2007 - 19:19
Last modified 16-10-2018 - 12:29
Back to Top