ipt_ULOG.c

From: Jaco Kroon
Date: Thu Sep 04 2003 - 15:41:10 EST

Next message: MAtias Alejo Garcia: "[PATCH] ide_cs w/TCQ"
Previous message: Pavel Janík: "ENE Technology's flash reader"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

There is a problem in ipt_ULOG.c on older kernel versions (2.4.18 confirmed).

The problem is with shifting and not shifting of the nl groups. This has already been fixed in later versions (Version 2.4.21 if I'm not mistaken). It is also fixed in the 2.5 and 2.6 series of the kernel.

This problem can be used to execute a DOS attack on vulnerable servers. Vulnerable servers are those that makes use of the ULOG target in netfilter with groups other than 1 (this just happens to work correctly since the group 1 also happens to shift into 1). The other groups causes kernel memory corruption and in just about all my test cases to total system failure. This can be triggered remotely by using hping to send a packet that will be logged by the ULOG target.

Also, not sure whether IPv6 is affected (I don't use it yet, so ...)

Jaco

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: MAtias Alejo Garcia: "[PATCH] ide_cs w/TCQ"
Previous message: Pavel Janík: "ENE Technology's flash reader"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]