CVE-2005-2709
Published 2005-11-20
Priority: P4 (17), medium, CVSS 2.0 base score 4.6
CVSS vector: AV:L/AC:L/Au:N/C:P/I:P/A:P
EPSS: 0.99% (58.1th percentile)
The sysctl functionality (sysctl.c) in Linux kernel before 2.6.14.1 allows local users to cause a denial of service (kernel oops) and possibly execute code by opening an interface file in /proc/sys/net/ipv4/conf/, waiting until the interface is unregistered, then obtaining and modifying function pointers in memory that was used for the ctl_table.
Affected
99 ranges · showing 25 (only the first listed range carries version data; the remaining rows are empty)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| linux | linux_kernel | <= 2.6.14 | — |
CVSS provenance
nvd (CVSS v2.0): 4.6 MEDIUM, AV:L/AC:L/Au:N/C:P/I:P/A:P
vendor_redhat: 4.6 MEDIUM
Ubuntu
Linux kernel vulnerabilities
vendor_ubuntu·2005-11-22
CVE-2005-3180 Linux kernel vulnerabilities
Title: Linux kernel vulnerabilities
Summary: Linux kernel vulnerabilities
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
security flaw
vendor_redhat·2005-11-08·CVSS 4.6
CVE-2005-2709 [MEDIUM] security flaw
security flaw
The sysctl functionality (sysctl.c) in Linux kernel before 2.6.14.1 allows local users to cause a denial of service (kernel oops) and possibly execute code by opening an interface file in /proc/sys/net/ipv4/conf/, waiting until the interface is unregistered, then obtaining and modifying function pointers in memory that was used for the ctl_table.
GHSA
GHSA-99j2-m6h7-666q: The sysctl functionality (sysctl
ghsa_unreviewed·2022-05-01
CVE-2005-2709 [MEDIUM] GHSA-99j2-m6h7-666q: The sysctl functionality (sysctl
The sysctl functionality (sysctl.c) in Linux kernel before 2.6.14.1 allows local users to cause a denial of service (kernel oops) and possibly execute code by opening an interface file in /proc/sys/net/ipv4/conf/, waiting until the interface is unregistered, then obtaining and modifying function pointers in memory that was used for the ctl_table.
No detection rules found.
Bugzilla
CVE-2005-2709 security flaw
bugzilla·2018-08-16·CVSS 4.6
CVE-2005-2709 [MEDIUM] CVE-2005-2709 security flaw
CVE-2005-2709 security flaw
Flaw bug created to hold information about an old flaw we knew something about. For more details see the MITRE CVE description.
Discussion:
MITRE description:
The sysctl functionality (sysctl.c) in Linux kernel before 2.6.14.1 allows local users to cause a denial of service (kernel oops) and possibly execute code by opening an interface file in /proc/sys/net/ipv4/conf/, waiting until the interface is unregistered, then obtaining and modifying function pointers in memory that was used for the ctl_table.
Bugzilla
CVE-2005-3964 openmotif libUil buffer overflows
bugzilla·2008-01-28·CVSS 7.5
CVE-2005-3964 [HIGH] CVE-2005-3964 openmotif libUil buffer overflows
CVE-2005-3964 openmotif libUil buffer overflows
Common Vulnerabilities and Exposures assigned an identifier CVE-2005-3964 to the following vulnerability:
Multiple buffer overflows in libUil (libUil.so) in OpenMotif 2.2.3, and possibly other versions, allows attackers to execute arbitrary code via the (1) diag_issue_diagnostic function in UilDiags.c and (2) open_source_file function in UilSrcSrc.c.
References:
http://marc.theaimsgroup.com/?l=full-disclosure&m=113349242925897&w=2
http://www.securityfocus.com/archive/1/archive/1/418459/100/0/threaded
http://www.redhat.com/support/errata/RHSA-2006-0272.html
http://www.securityfocus.com/bid/15684
http://www.securityfocus.com/bid/15686
http://www.frsirt.com/english/advisories/2005/2709
http://securitytracker.com/id?1015303
http://xforce.iss.
Bugzilla
CVE-2005-2709 More sysctl flaws
bugzilla·2005-09-21·CVSS 4.6
CVE-2005-2709 [MEDIUM] CVE-2005-2709 More sysctl flaws
CVE-2005-2709 More sysctl flaws
+++ This bug was initially created as a clone of Bug #168924 +++
Al Viro talked to me earlier this week about a sysctl flaw. Below is an edited
extract from his messages. I'm going to assign this "moderate" because it
requires an interface to go away and most likely would lead to DoS. Not sent
upstream.
We have an exploitable hole in sysctl unregistration. There is no exclusion
whatsoever between procfs or sysctl(2) access to ctl_table instances, methods
*and* data and unregister_sysctl_table().
IOW, there's nothing to stop inetdev_destroy() in the middle of access to
/proc/sys/net/ipv4/conf// or in the middle of corresponding
sysctl. In the best case that's an oopsable hole. In the worst... You can
open such file, wait for interface to go away, try to g
Bugzilla
CVE-2005-2709 More sysctl flaws
bugzilla·2005-09-21·CVSS 4.6
CVE-2005-2709 [MEDIUM] CVE-2005-2709 More sysctl flaws
CVE-2005-2709 More sysctl flaws
sysctls go away on network interfaces being removed. Which includes
not only ppp et al., but all sorts of tunnels, etc. IOW, you can
wait for it to happen - in a lot of setups it will. And in case of
e.g. ipv4 sysctls we are talking about >2Kb allocated on amd64, so
kmalloc() will pick full pages for each (per-interface) set of sysctls...
Discussion:
Thanks for the info, Al. Reassigning.
---
Patch posted 11/23 - security issue - moving to canfix list.
---
A fix for this problem has just been committed to the RHEL3 U7
patch pool this evening (in kernel version 2.4.21-37.12.EL).
---
A fix for this problem has also been committed to the RHEL3 E7
patch pool this evening (in kernel version 2.4.21-37.0.1.EL).
---
An advisory has been issued which should
Bugzilla
CVE-2005-2709 More sysctl flaws
bugzilla·2005-09-21·CVSS 4.6
CVE-2005-2709 [MEDIUM] CVE-2005-2709 More sysctl flaws
CVE-2005-2709 More sysctl flaws
Al Viro talked to me earlier this week about a sysctl flaw. Below is an edited
extract from his messages. I'm going to assign this "moderate" because it
requires an interface to go away and most likely would lead to DoS. Not sent
upstream.
We have an exploitable hole in sysctl unregistration. There is no exclusion
whatsoever between procfs or sysctl(2) access to ctl_table instances, methods
*and* data and unregister_sysctl_table().
IOW, there's nothing to stop inetdev_destroy() in the middle of access to
/proc/sys/net/ipv4/conf// or in the middle of corresponding
sysctl. In the best case that's an oopsable hole. In the worst... You can
open such file, wait for interface to go away, try to grab as much memory as
possible in hope to hit the (kfreed) ctl_tab
Bugzilla
CVE-2005-2709 More sysctl flaws (ipf)
bugzilla·2005-09-21·CVSS 4.6
CVE-2005-2709 [MEDIUM] CVE-2005-2709 More sysctl flaws (ipf)
CVE-2005-2709 More sysctl flaws (ipf)
+++ This bug was initially created as a clone of Bug #168924 +++
Al Viro talked to me earlier this week about a sysctl flaw. Below is an edited
extract from his messages. I'm going to assign this "moderate" because it
requires an interface to go away and most likely would lead to DoS. Not sent
upstream.
We have an exploitable hole in sysctl unregistration. There is no exclusion
whatsoever between procfs or sysctl(2) access to ctl_table instances, methods
*and* data and unregister_sysctl_table().
IOW, there's nothing to stop inetdev_destroy() in the middle of access to
/proc/sys/net/ipv4/conf// or in the middle of corresponding
sysctl. In the best case that's an oopsable hole. In the worst... You can
open such file, wait for interface to go away, tr
Bugzilla
Multiple Kernel vulnerabilities
bugzilla·2005-05-11
[MEDIUM] Multiple Kernel vulnerabilities
Multiple Kernel vulnerabilities
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Mozilla rulez!)
Description of problem:
Paul Starzetz of iSEC has found yet another bug in binfmt_elf.c. It can be abused to crash the kernel, perhaps even to break into the kernel land. See the advisory for details.
Version-Release number of selected component (if applicable):
How reproducible:
Didn't try
Steps to Reproduce:
Additional info:
I've got a quick and dirty patch. I'll submit it ASAP.
Discussion:
Grr...Bugzilla assigned the bug to [email protected] rather than to
[email protected]
---
Created attachment 114264
The patch for CAN-2005-1263
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
This patch can be applied to FL kernel 2.4.20-43:
402e548b02382c015d6f5e5704370a1ba546598b
li
References
http://secunia.com/advisories/17504
http://secunia.com/advisories/17541
http://secunia.com/advisories/17648
http://secunia.com/advisories/18510
http://secunia.com/advisories/18562
http://secunia.com/advisories/18684
http://secunia.com/advisories/19369
http://secunia.com/advisories/19374
http://securitytracker.com/id?1015434
http://www.debian.org/security/2006/dsa-1017
http://www.debian.org/security/2006/dsa-1018
http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.14.1
http://www.mandriva.com/security/advisories?name=MDKSA-2006:059
http://www.osvdb.org/20676
http://www.redhat.com/support/errata/RHSA-2006-0101.html
http://www.redhat.com/support/errata/RHSA-2006-0140.html
http://www.redhat.com/support/errata/RHSA-2006-0190.html
http://www.redhat.com/support/errata/RHSA-2006-0191.html
http://www.securityfocus.com/archive/1/427980/100/0/threaded
http://www.securityfocus.com/archive/1/427981/100/0/threaded
http://www.securityfocus.com/archive/1/428028/100/0/threaded
http://www.securityfocus.com/archive/1/428058/100/0/threaded
http://www.securityfocus.com/bid/15365
http://www.vupen.com/english/advisories/2005/2359
https://exchange.xforce.ibmcloud.com/vulnerabilities/23040
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10746
https://usn.ubuntu.com/219-1/