CVE-2009-2692

HIGH

Description

The Linux kernel 2.6.0 through 2.6.30.4, and 2.4.4 through 2.4.37.4, does not initialize all function pointers for socket operations in proto_ops structures, which allows local users to trigger a NULL pointer dereference and gain privileges by using mmap to map page zero, placing arbitrary code on this page, and then invoking an unavailable operation, as demonstrated by the sendpage operation (sock_sendpage function) on a PF_PPPOX socket.
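The pattern behind the description above, as an added illustration (not the kernel's code and not from any of the referenced advisories): a table of function pointers in which one protocol family leaves a slot unset, a generic caller that dispatches through that slot unchecked (the pre-fix shape of sock_sendpage), and the checked form with a refusing fallback (the shape of kernel_sendpage/sock_no_sendpage, which the linked 2.6 fix commit routes sock_sendpage through). The struct names mirror the kernel's, but struct page, the byte counts and the two ops tables are constructed for this userland model; calling the unchecked path on the partial table is deliberately left out of main because it is a jump to address 0.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed userland model of the CVE-2009-2692 pattern. Names mirror the
 * kernel's proto_ops/sock_no_sendpage, but this is illustrative code only. */
struct page { unsigned char data[64]; };       /* stand-in for a kernel page */
struct socket;

struct proto_ops {
    const char *family;
    int (*sendmsg)(struct socket *sk, const void *buf, size_t len);
    int (*sendpage)(struct socket *sk, struct page *pg, int off, size_t len, int flags);
};

struct socket {
    const struct proto_ops *ops;
    size_t bytes_sent;          /* bookkeeping so a call is observable */
};

static int generic_sendmsg(struct socket *sk, const void *buf, size_t len)
{
    (void)buf;
    sk->bytes_sent += len;
    return (int)len;
}

static int generic_sendpage(struct socket *sk, struct page *pg, int off, size_t len, int flags)
{
    (void)flags;
    if (off < 0 || (size_t)off + len > sizeof pg->data)
        return -EINVAL;
    sk->bytes_sent += len;
    return (int)len;
}

/* Safe default in the style of the kernel's sock_no_sendpage(): refuse the
 * operation instead of leaving the slot at address zero. */
static int sock_no_sendpage(struct socket *sk, struct page *pg, int off, size_t len, int flags)
{
    (void)sk; (void)pg; (void)off; (void)len; (void)flags;
    return -EOPNOTSUPP;
}

/* A family that fills every slot. */
static const struct proto_ops full_ops = {
    .family = "full", .sendmsg = generic_sendmsg, .sendpage = generic_sendpage,
};

/* A family in the pre-fix PF_PPPOX style: .sendpage is never set, so the
 * slot holds NULL, i.e. address 0, the first byte of page zero. */
static const struct proto_ops partial_ops = {
    .family = "partial", .sendmsg = generic_sendmsg,
};

/* VULNERABLE: unchecked indirect call. With partial_ops this jumps to 0; in
 * the kernel, code an unprivileged user placed at a mapped page zero then
 * runs in ring 0. In userland it is a SIGSEGV. */
static int vuln_sendpage(struct socket *sk, struct page *pg, int off, size_t len, int flags)
{
    return sk->ops->sendpage(sk, pg, off, len, flags);
}

/* FIXED: test the slot, fall back to the refusing stub. */
static int fixed_sendpage(struct socket *sk, struct page *pg, int off, size_t len, int flags)
{
    if (sk->ops->sendpage)
        return sk->ops->sendpage(sk, pg, off, len, flags);
    return sock_no_sendpage(sk, pg, off, len, flags);
}

/* Audit helper, the other fix strategy: count unset slots so each family can
 * be given explicit stubs at definition time. */
static int count_unset_ops(const struct proto_ops *ops)
{
    int n = 0;
    if (!ops->sendmsg)  n++;
    if (!ops->sendpage) n++;
    return n;
}

/* Drivers so each path's result can be checked by name. */
static int run_fixed(const struct proto_ops *ops, size_t len)
{
    struct socket sk = { ops, 0 };
    struct page pg;
    memset(pg.data, 'A', sizeof pg.data);
    return fixed_sendpage(&sk, &pg, 0, len, 0);
}

static int run_vuln(const struct proto_ops *ops, size_t len)   /* safe only for full_ops */
{
    struct socket sk = { ops, 0 };
    struct page pg;
    memset(pg.data, 'A', sizeof pg.data);
    return vuln_sendpage(&sk, &pg, 0, len, 0);
}

/* Would the unchecked path dispatch to page zero for this family? */
static int dispatches_to_page_zero(const struct proto_ops *ops)
{
    return (uintptr_t)ops->sendpage == 0;
}

int main(void)
{
    printf("full/fixed:    %d\n", run_fixed(&full_ops, 16));
    printf("full/vuln:     %d\n", run_vuln(&full_ops, 16));
    printf("partial/fixed: %d (-EOPNOTSUPP=%d)\n", run_fixed(&partial_ops, 16), -EOPNOTSUPP);
    printf("partial would jump to page zero: %d, unset slots: %d\n",
           dispatches_to_page_zero(&partial_ops), count_unset_ops(&partial_ops));
    /* run_vuln(&partial_ops, 16) is intentionally not called: it is the bug. */
    return 0;
}
```

The call-site check and the audit of ops tables are complementary: the first stops the dereference for every table, the second removes the NULL slots so no caller can ever reach one. Neither addresses whether an unprivileged process can map page zero in the first place; that is a separate mitigation and is not what the referenced fix commits change.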

References

http://archives.neohapsis.com/archives/fulldisclosure/2009-08/0174.html

http://blog.cr0.org/2009/08/linux-null-pointer-dereference-due-to.html

http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.4.37.y.git;a=commit;h=c18d0fe535a73b219f960d1af3d0c264555a12e3

http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=e694958388c50148389b0e9b9e9e8945cf0f1b98

http://grsecurity.net/~spender/wunderbar_emporium.tgz

http://lists.opensuse.org/opensuse-security-announce/2009-09/msg00001.html

http://rhn.redhat.com/errata/RHSA-2009-1222.html

http://rhn.redhat.com/errata/RHSA-2009-1223.html

http://secunia.com/advisories/36278

http://secunia.com/advisories/36289

http://secunia.com/advisories/36327

http://secunia.com/advisories/36430

http://secunia.com/advisories/37298

http://secunia.com/advisories/37471

http://support.avaya.com/css/P8/documents/100067254

http://wiki.rpath.com/wiki/Advisories:rPSA-2009-0121

http://www.debian.org/security/2009/dsa-1865

http://www.exploit-db.com/exploits/19933

http://www.exploit-db.com/exploits/9477

http://www.kernel.org/pub/linux/kernel/v2.4/ChangeLog-2.4.37.5

http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.30.5

http://www.kernel.org/pub/linux/kernel/v2.6/testing/ChangeLog-2.6.31-rc6

http://www.mandriva.com/security/advisories?name=MDVSA-2009:233

http://www.openwall.com/lists/oss-security/2009/08/14/1

http://www.redhat.com/support/errata/RHSA-2009-1233.html

http://www.securityfocus.com/archive/1/505751/100/0/threaded

http://www.securityfocus.com/archive/1/505912/100/0/threaded

http://www.securityfocus.com/archive/1/507985/100/0/threaded

http://www.securityfocus.com/archive/1/512019/100/0/threaded

http://www.securityfocus.com/bid/36038

http://www.vmware.com/security/advisories/VMSA-2009-0016.html

http://www.vupen.com/english/advisories/2009/2272

http://www.vupen.com/english/advisories/2009/3316

http://zenthought.org/content/file/android-root-2009-08-16-source

https://bugzilla.redhat.com/show_bug.cgi?id=516949

https://issues.rpath.com/browse/RPL-3103

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11526

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11591

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A8657

Details

Source: MITRE

Published: 2009-08-14

Updated: 2018-10-10

Type: CWE-119

Risk Information

CVSS v2.0

Base Score: 7.2

Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C

Impact Score: 10

Exploitability Score: 3.9

Severity: HIGH