ID CVE-2007-1000
Summary The ipv6_getsockopt_sticky function in net/ipv6/ipv6_sockglue.c in the Linux kernel before 2.6.20.2 allows local users to read arbitrary kernel memory via certain getsockopt calls that trigger a NULL dereference.
References
Vulnerable Configurations
  • Linux Kernel 2.6.20.1
    cpe:2.3:o:linux:linux_kernel:2.6.20.1
CVSS
Base: 7.2 (as of 13-03-2007 - 13:54)
Impact:
Exploitability:
Access
VectorComplexityAuthentication
LOCAL LOW NONE
Impact
ConfidentialityIntegrityAvailability
COMPLETE COMPLETE COMPLETE
exploit-db via4
description Linux Kernel < 2.6.20.2 IPV6_Getsockopt_Sticky Memory Leak PoC. CVE-2007-1000. Local exploit for linux platform
id EDB-ID:4172
last seen 2016-01-31
modified 2007-07-10
published 2007-07-10
reporter dreyer
source https://www.exploit-db.com/download/4172/
title Linux Kernel < 2.6.20.2 - IPv6_Getsockopt_Sticky Memory Leak PoC
nessus via4
  • NASL family SuSE Local Security Checks
    NASL id SUSE_KERNEL-3128.NASL
    description This kernel update fixes the following security problems : - CVE-2007-1000 A NULL pointer dereference in the IPv6 sockopt handling can be used by local attackers to read arbitrary kernel memory and so gain access to private information. - CVE-2007-1388 A NULL pointer dereference could be used by local attackers to cause a Oops / crash of the machine. - CVE-2007-1592 A possible double free in the ipv6/flowlabel handling was fixed. - CVE-2007-1357 A remote denial of service attack in the AppleTalk protocol handler was fixed. This attack is only possible on the local subnet, and requires the AppleTalk protocol module to be loaded (which is not done by default). and the following non security bugs : - patches.fixes/visor_write_race.patch: fix race allowing overstepping memory limit in visor_write (Mainline: 2.6.21) - patches.drivers/libata-ide-via-add-PCI-IDs: via82cxxx/pata_via: backport PCI IDs (254158). - libata: implement HDIO_GET_IDENTITY (255413). - sata_sil24: Add Adaptec 1220SA PCI ID. (Mainline: 2.6.21) - ide: backport hpt366 from devel tree (244502). - mm: fix madvise infinine loop (248167). - libata: hardreset on SERR_INTERNAL (241334). - limited WPA support for prism54 (207944) - jmicron: match class instead of function number (224784, 207707) - ahci: RAID mode SATA patch for Intel ICH9M (Mainline: 2.6.21) - libata: blacklist FUJITSU MHT2060BH for NCQ (Mainline: 2.6.21) - libata: add missing PM callbacks. (Mainline: 2.6.20) - patches.fixes/nfs-readdir-timestamp: Set meaningful value for fattr->time_start in readdirplus results. (244967). - patches.fixes/usb_volito.patch: wacom volito tablet not working (#248832). - patches.fixes/965-fix: fix detection of aperture size versus GTT size on G965 (#258013). - patches.fixes/sbp2-MODE_SENSE-fix.diff: use proper MODE SENSE, fixes recognition of device properties (261086) - patches.fixes/ipt_CLUSTERIP_refcnt_fix: ipv4/netfilter/ipt_CLUSTERIP.c - refcnt fix (238646) - patches.fixes/reiserfs-fix-vs-13060.diff: reiserfs: fix corruption with vs-13060 (257735). - patches.drivers/ati-rs400_200-480-disable-msi: pci-quirks: disable MSI on RS400-200 and RS480 (263893). - patches.drivers/libata-ahci-ignore-interr-on-SB600: ahci.c: walkaround for SB600 SATA internal error issue (#264792). Furthermore, CONFIG_USB_DEVICEFS has been re-enabled to allow use of USB in legacy applications like VMware. (#210899).
    last seen 2019-02-21
    modified 2018-08-15
    plugin id 27294
    published 2007-10-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=27294
    title openSUSE 10 Security Update : kernel (kernel-3128)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2007-0169.NASL
    description Updated kernel packages that fix security issues and bugs in the Red Hat Enterprise Linux 5 kernel are now available. This update has been rated as having important security impact by the Red Hat Security Response Team. The Linux kernel handles the basic functions of the operating system. These new kernel packages contain fixes for the following security issues : * a flaw in the IPv6 socket option handling that allowed a local user to read arbitrary kernel memory (CVE-2007-1000, Important). * a flaw in the IPv6 socket option handling that allowed a local user to cause a denial of service (CVE-2007-1388, Important). * a flaw in the utrace support that allowed a local user to cause a denial of service (CVE-2007-0771, Important). In addition to the security issues described above, a fix for a memory leak in the audit subsystem and a fix for a data corruption bug on s390 systems have been included. Red Hat Enterprise Linux 5 users are advised to upgrade to these erratum packages, which are not vulnerable to these issues.
    last seen 2019-02-21
    modified 2018-11-16
    plugin id 25328
    published 2007-05-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=25328
    title RHEL 5 : kernel (RHSA-2007:0169)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2007-0169.NASL
    description Updated kernel packages that fix security issues and bugs in the Red Hat Enterprise Linux 5 kernel are now available. This update has been rated as having important security impact by the Red Hat Security Response Team. The Linux kernel handles the basic functions of the operating system. These new kernel packages contain fixes for the following security issues : * a flaw in the IPv6 socket option handling that allowed a local user to read arbitrary kernel memory (CVE-2007-1000, Important). * a flaw in the IPv6 socket option handling that allowed a local user to cause a denial of service (CVE-2007-1388, Important). * a flaw in the utrace support that allowed a local user to cause a denial of service (CVE-2007-0771, Important). In addition to the security issues described above, a fix for a memory leak in the audit subsystem and a fix for a data corruption bug on s390 systems have been included. Red Hat Enterprise Linux 5 users are advised to upgrade to these erratum packages, which are not vulnerable to these issues.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 25126
    published 2007-05-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=25126
    title CentOS 5 : Kernel (CESA-2007:0169)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2007-335.NASL
    description Rebased to kernel 2.6.20.3-rc1 : http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.20 http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.20.1 (The CVE fix in 2.6.20.1 is already in kernel-2.6.19-1.2911.6.5.fc6.) http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.20.2 Changelog for 2.6.20.3 is not available yet. This release does not include Xen kernels. CVE-2007-0005: A vulnerability has been reported in the Linux Kernel, which potentially can be exploited by malicious, local users to cause a DoS (Denial of Service) or gain escalated privileges. The vulnerability is caused due to boundary errors within the 'read()' and 'write()' functions of the Omnikey CardMan 4040 driver. This can be exploited to cause a buffer overflow and may allow the execution of arbitrary code with kernel privileges. CVE-2007-1000: A vulnerability has been reported in the Linux Kernel, which can be exploited by malicious, local users to cause a DoS (Denial of Service) or disclose potentially sensitive information. The vulnerability is due to a NULL pointer dereference within the 'ipv6_getsockopt_sticky()' function in net/ipv6/ipv6_sockglue.c. This can be exploited to crash the kernel or disclose kernel memory. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-24
    plugin id 24823
    published 2007-03-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=24823
    title Fedora Core 6 : kernel-2.6.20-1.2925.fc6 (2007-335)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2007-336.NASL
    description Rebased to kernel 2.6.20.3-rc1 : http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.20 http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.20.1 (The CVE fix in 2.6.20.1 is already in kernel-2.6.19-1.2911.6.5.fc6.) http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.20.2 Changelog for 2.6.20.3 is not available yet. This release does not include Xen kernels. CVE-2007-0005: A vulnerability has been reported in the Linux Kernel, which potentially can be exploited by malicious, local users to cause a DoS (Denial of Service) or gain escalated privileges. The vulnerability is caused due to boundary errors within the 'read()' and 'write()' functions of the Omnikey CardMan 4040 driver. This can be exploited to cause a buffer overflow and may allow the execution of arbitrary code with kernel privileges. CVE-2007-1000: A vulnerability has been reported in the Linux Kernel, which can be exploited by malicious, local users to cause a DoS (Denial of Service) or disclose potentially sensitive information. The vulnerability is due to a NULL pointer dereference within the 'ipv6_getsockopt_sticky()' function in net/ipv6/ipv6_sockglue.c. This can be exploited to crash the kernel or disclose kernel memory. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-24
    plugin id 24824
    published 2007-03-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=24824
    title Fedora Core 5 : kernel-2.6.20-1.2300.fc5 (2007-336)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRAKE_MDKSA-2007-078.NASL
    description Some vulnerabilities were discovered and corrected in the Linux 2.6 kernel : When SELinux hooks are enabled, the kernel could allow a local user to cause a DoS (crash) via a malformed file stream that triggers a NULL pointer derefernece (CVE-2006-6056). Multiple buffer overflows in the (1) read and (2) write handlers in the Omnikey CardMan 4040 driver in the Linux kernel before 2.6.21-rc3 allow local users to gain privileges. (CVE-2007-0005) The Linux kernel version 2.6.13 to 2.6.20.1 allowed a remote attacker to cause a DoS (oops) via a crafted NFSACL2 ACCESS request that triggered a free of an incorrect pointer (CVE-2007-0772). A local user could read unreadable binaries by using the interpreter (PT_INTERP) functionality and triggering a core dump; a variant of CVE-2004-1073 (CVE-2007-0958). The ipv6_getsockopt_sticky function in net/ipv6/ipv6_sockglue.c in the Linux kernel before 2.6.20.2 allows local users to read arbitrary kernel memory via certain getsockopt calls that trigger a NULL dereference. (CVE-2007-1000) Buffer overflow in the bufprint function in capiutil.c in libcapi, as used in Linux kernel 2.6.9 to 2.6.20 and isdn4k-utils, allows local users to cause a denial of service (crash) and possibly gain privileges via a crafted CAPI packet. (CVE-2007-1217) The do_ipv6_setsockopt function in net/ipv6/ipv6_sockglue.c in Linux kernel 2.6.17, and possibly other versions, allows local users to cause a denial of service (oops) by calling setsockopt with the IPV6_RTHDR option name and possibly a zero option length or invalid option value, which triggers a NULL pointer dereference. (CVE-2007-1388) net/ipv6/tcp_ipv6.c in Linux kernel 2.4 and 2.6.x up to 2.6.21-rc3 inadvertently copies the ipv6_fl_socklist from a listening TCP socket to child sockets, which allows local users to cause a denial of service (OOPS) or double-free by opening a listeing IPv6 socket, attaching a flow label, and connecting to that socket. (CVE-2007-1592) The provided packages are patched to fix these vulnerabilities. All users are encouraged to upgrade to these updated kernels immediately and reboot to effect the fixes. In addition to these security fixes, other fixes have been included such as : - Suspend to disk speed improvements - Add nmi watchdog support for core2 - Add atl1 driver - Update KVM - Add acer_acpi - Update asus_acpi - Fix suspend on r8169, i8259A - Fix suspend when using ondemand governor - Add ide acpi support - Add suspend/resume support for sata_nv chipsets. - USB: Let USB-Serial option driver handle anydata devices (#29066) - USB: Add PlayStation 2 Trance Vibrator driver - Fix bogus delay loop in video/aty/mach64_ct.c - Add MCP61 support (#29398) - USB: fix floppy drive SAMSUNG SFD-321U/EP detected 8 times bug - Improve keyboard handling on Apple MacBooks - Add -latest patch - Workaround a possible binutils bug in smp alternatives - Add forcedeth support - Fix potential deadlock in driver core (USB hangs at boot time #24683) To update your kernel, please follow the directions located at : http://www.mandriva.com/en/security/kernelupdate
    last seen 2019-02-21
    modified 2018-08-15
    plugin id 24944
    published 2007-04-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=24944
    title Mandrake Linux Security Advisory : kernel (MDKSA-2007:078)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-486-1.NASL
    description The compat_sys_mount function allowed local users to cause a denial of service when mounting a smbfs filesystem in compatibility mode. (CVE-2006-7203) The Omnikey CardMan 4040 driver (cm4040_cs) did not limit the size of buffers passed to read() and write(). A local attacker could exploit this to execute arbitrary code with kernel privileges. (CVE-2007-0005) Due to a variable handling flaw in the ipv6_getsockopt_sticky() function a local attacker could exploit the getsockopt() calls to read arbitrary kernel memory. This could disclose sensitive data. (CVE-2007-1000) Ilja van Sprundel discovered that Bluetooth setsockopt calls could leak kernel memory contents via an uninitialized stack buffer. A local attacker could exploit this flaw to view sensitive kernel information. (CVE-2007-1353) A flaw was discovered in the handling of netlink messages. Local attackers could cause infinite recursion leading to a denial of service. (CVE-2007-1861) A flaw was discovered in the IPv6 stack's handling of type 0 route headers. By sending a specially crafted IPv6 packet, a remote attacker could cause a denial of service between two IPv6 hosts. (CVE-2007-2242) The random number generator was hashing a subset of the available entropy, leading to slightly less random numbers. Additionally, systems without an entropy source would be seeded with the same inputs at boot time, leading to a repeatable series of random numbers. (CVE-2007-2453) A flaw was discovered in the PPP over Ethernet implementation. Local attackers could manipulate ioctls and cause kernel memory consumption leading to a denial of service. (CVE-2007-2525) An integer underflow was discovered in the cpuset filesystem. If mounted, local attackers could obtain kernel memory using large file offsets while reading the tasks file. This could disclose sensitive data. (CVE-2007-2875) Vilmos Nebehaj discovered that the SCTP netfilter code did not correctly validate certain states. A remote attacker could send a specially crafted packet causing a denial of service. (CVE-2007-2876) Luca Tettamanti discovered a flaw in the VFAT compat ioctls on 64-bit systems. A local attacker could corrupt a kernel_dirent struct and cause a denial of service. (CVE-2007-2878). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-28
    plugin id 28087
    published 2007-11-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=28087
    title Ubuntu 6.10 : linux-source-2.6.17 vulnerabilities (USN-486-1)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-489-1.NASL
    description A flaw was discovered in dvb ULE decapsulation. A remote attacker could send a specially crafted message and cause a denial of service. (CVE-2006-4623) The compat_sys_mount function allowed local users to cause a denial of service when mounting a smbfs filesystem in compatibility mode. (CVE-2006-7203) The Omnikey CardMan 4040 driver (cm4040_cs) did not limit the size of buffers passed to read() and write(). A local attacker could exploit this to execute arbitrary code with kernel privileges. (CVE-2007-0005) Due to an variable handling flaw in the ipv6_getsockopt_sticky() function a local attacker could exploit the getsockopt() calls to read arbitrary kernel memory. This could disclose sensitive data. (CVE-2007-1000) Ilja van Sprundel discovered that Bluetooth setsockopt calls could leak kernel memory contents via an uninitialized stack buffer. A local attacker could exploit this flaw to view sensitive kernel information. (CVE-2007-1353) A flaw was discovered in the handling of netlink messages. Local attackers could cause infinite recursion leading to a denial of service. (CVE-2007-1861) The random number generator was hashing a subset of the available entropy, leading to slightly less random numbers. Additionally, systems without an entropy source would be seeded with the same inputs at boot time, leading to a repeatable series of random numbers. (CVE-2007-2453) A flaw was discovered in the PPP over Ethernet implementation. Local attackers could manipulate ioctls and cause kernel memory consumption leading to a denial of service. (CVE-2007-2525) An integer underflow was discovered in the cpuset filesystem. If mounted, local attackers could obtain kernel memory using large file offsets while reading the tasks file. This could disclose sensitive data. (CVE-2007-2875) Vilmos Nebehaj discovered that the SCTP netfilter code did not correctly validate certain states. A remote attacker could send a specially crafted packet causing a denial of service. (CVE-2007-2876) Luca Tettamanti discovered a flaw in the VFAT compat ioctls on 64-bit systems. A local attacker could corrupt a kernel_dirent struct and cause a denial of service. (CVE-2007-2878) A flaw was discovered in the cluster manager. A remote attacker could connect to the DLM port and block further DLM operations. (CVE-2007-3380) A flaw was discovered in the usblcd driver. A local attacker could cause large amounts of kernel memory consumption, leading to a denial of service. (CVE-2007-3513). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-28
    plugin id 28090
    published 2007-11-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=28090
    title Ubuntu 6.06 LTS : linux-source-2.6.15 vulnerability (USN-489-1)
oval via4
accepted 2013-04-29T04:00:22.159-04:00
class vulnerability
contributors
  • name Aharon Chernin
    organization SCAP.com, LLC
  • name Dragos Prisaca
    organization G2, Inc.
definition_extensions
  • comment The operating system installed on the system is Red Hat Enterprise Linux 5
    oval oval:org.mitre.oval:def:11414
  • comment The operating system installed on the system is CentOS Linux 5.x
    oval oval:org.mitre.oval:def:15802
  • comment Oracle Linux 5.x
    oval oval:org.mitre.oval:def:15459
description The ipv6_getsockopt_sticky function in net/ipv6/ipv6_sockglue.c in the Linux kernel before 2.6.20.2 allows local users to read arbitrary kernel memory via certain getsockopt calls that trigger a NULL dereference.
family unix
id oval:org.mitre.oval:def:10015
status accepted
submitted 2010-07-09T03:56:16-04:00
title The ipv6_getsockopt_sticky function in net/ipv6/ipv6_sockglue.c in the Linux kernel before 2.6.20.2 allows local users to read arbitrary kernel memory via certain getsockopt calls that trigger a NULL dereference.
version 18
packetstorm via4
data source https://packetstormsecurity.com/files/download/57599/linux-26202.txt
id PACKETSTORM:57599
last seen 2016-12-05
published 2007-07-11
reporter dreyer
source https://packetstormsecurity.com/files/57599/linux-26202.txt.html
title linux-26202.txt
redhat via4
advisories
rhsa
id RHSA-2007:0169
rpms
  • kernel-0:2.6.18-8.1.3.el5
  • kernel-PAE-0:2.6.18-8.1.3.el5
  • kernel-PAE-devel-0:2.6.18-8.1.3.el5
  • kernel-devel-0:2.6.18-8.1.3.el5
  • kernel-doc-0:2.6.18-8.1.3.el5
  • kernel-headers-0:2.6.18-8.1.3.el5
  • kernel-kdump-0:2.6.18-8.1.3.el5
  • kernel-kdump-devel-0:2.6.18-8.1.3.el5
  • kernel-xen-0:2.6.18-8.1.3.el5
  • kernel-xen-devel-0:2.6.18-8.1.3.el5
refmap via4
bid 22904
bugtraq 20070615 rPSA-2007-0124-1 kernel xen
cert-vn VU#920689
confirm
fedora
  • FEDORA-2007-335
  • FEDORA-2007-336
mandriva MDKSA-2007:078
misc http://www.wslabi.com/wabisabilabi/initPublishedBid.do?
osvdb 33025
secunia
  • 24493
  • 24518
  • 24777
  • 24901
  • 25080
  • 25099
  • 25691
  • 26133
  • 26139
suse SUSE-SA:2007:029
ubuntu
  • USN-486-1
  • USN-489-1
vupen ADV-2007-0907
Last major update 07-03-2011 - 21:51
Published 12-03-2007 - 19:19
Last modified 10-10-2017 - 21:31
Back to Top