|
|
BugTraq
Linux kernel IGMP vulnerabilities Dec 14 2004 10:31AM Paul Starzetz (ihaquer isec pl) (2 replies) Re: Linux kernel IGMP vulnerabilities Dec 15 2004 05:14AM stephen joseph butler (stephen butler gmail com) (1 replies) Re: Linux kernel IGMP vulnerabilities Dec 15 2004 12:34PM Paul Starzetz (ihaquer isec pl) (1 replies) Re: Linux kernel IGMP vulnerabilities Dec 15 2004 10:41PM matthew-bugtraq newtoncomputing co uk (1 replies) |
|
Privacy Statement |
Thanks,
D.
> -----Original Message-----
> From: matthew-bugtraq (at) newtoncomputing.co (dot) uk [email concealed]
> [mailto:matthew-bugtraq (at) newtoncomputing.co (dot) uk [email concealed]]
> Sent: Wednesday, December 15, 2004 3:42 PM
> To: Paul Starzetz
> Cc: stephen joseph butler; security (at) isec (dot) pl [email concealed]; bugtraq (at) securityfocus (dot) com [email concealed]
> Subject: Re: Linux kernel IGMP vulnerabilities
>
>
> On Wed, Dec 15, 2004 at 01:34:33PM +0100, Paul Starzetz wrote:
> > On Tue, 14 Dec 2004, stephen joseph butler wrote:
> >
> > > > /proc/net/igmp
> > > > /proc/net/mcfilter
> > > >
> > > > if both exist and are non-empty you are vulnerable!
> > >
> > > Just to be clear: if "mcfilter" is empty, then you aren't
> > > vulnerable? I have both files, and "igmp" contains data, but
> > > "mcfilter" is empty.
> >
> > You are not vulnerable to the remote attack described under (3),
> > however
> > your kernel may be still buggy. Note that you need a
> running process that
> > has manipulated its multicast socket filters. If your
> kernel is buggy and
> > you have local users such an application can always appear,
> at a time you
> > don't expect it.
>
> This afternoon I tried the exploit on my machine, which has
> exactly those symptoms (data in igmp, mcfilter empty). It
> froze solid, hard power-cycle required.
>
> --
> Matthew
>
[ reply ]