CVE-2008-4113
Published: 2008-09-16
Priority: P4 18 · medium · 4.7 (CVSS 2.0)
Vector: AV:L/AC:M/Au:N/C:C/I:N/A:N
Exploit: available (see the Exploit-DB entry below)
EPSS: 0.83% (53.0th percentile)
The sctp_getsockopt_hmac_ident function in net/sctp/socket.c in the Stream Control Transmission Protocol (sctp) implementation in the Linux kernel before 2.6.26.4, when the SCTP-AUTH extension is enabled, relies on an untrusted length value to limit copying of data from kernel memory, which allows local users to obtain sensitive information via a crafted SCTP_HMAC_IDENT IOCTL request involving the sctp_getsockopt function.
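The bug pattern in the description, as an added user-space model written for this page (it is not the kernel's code; the struct layout, the host-order `param_len` without a parameter header, the 64-byte "neighbouring" region and the marker string are constructed assumptions). The vulnerable handler accepts the caller's `optlen` as the number of bytes to copy out of the two-entry ident list, so a caller who asks for 64 bytes receives 60 bytes of adjacent memory; the hardened handler uses the caller's length only to confirm the buffer is large enough and copies what the kernel actually holds.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for kernel memory (an assumption for this example,
 * not the kernel's layout): the endpoint's HMAC ident list followed by
 * unrelated bytes that play the role of whatever sits after it on a real
 * kernel heap. */
struct hmac_algo_param {
    uint16_t param_len;      /* bytes of hmac_ids in use (simplified: host order, no param header) */
    uint16_t hmac_ids[2];    /* SCTP_AUTH_HMAC_ID_SHA1 = 1, SCTP_AUTH_HMAC_ID_SHA256 = 3 */
};

struct fake_kernel_mem {
    struct hmac_algo_param hmacs;
    uint8_t neighbour[64];   /* constructed neighbouring data carrying a marker we can search for */
};

static struct fake_kernel_mem kmem = {
    .hmacs = { .param_len = 4, .hmac_ids = { 1, 3 } },
    .neighbour = "KERNEL-SECRET-MARKER",
};

/* Bytes readable from the start of hmac_ids without leaving the model arena. */
#define ARENA_BYTES ((int)sizeof(kmem.hmacs.hmac_ids) + (int)sizeof(kmem.neighbour))

/* Vulnerable shape of sctp_getsockopt_hmac_ident() before 2.6.26.4: the
 * caller-controlled len (taken from optlen) only has to be at least param_len
 * and is then used unchanged as the copy length, so every byte requested
 * beyond the 4 real ones comes from adjacent memory.
 * Returns bytes copied, or -1 where the kernel returns -EINVAL. */
static int getsockopt_hmac_ident_vuln(int len, uint8_t *optval, int *optlen)
{
    uint16_t param_len = kmem.hmacs.param_len;

    if (len < param_len)
        return -1;
    if (len > ARENA_BYTES)      /* model guard only: the real kernel had no such limit */
        return -1;
    *optlen = len;
    memcpy(optval, kmem.hmacs.hmac_ids, (size_t)len);   /* copy_to_user(optval, hmacs->hmac_ids, len) */
    return len;
}

/* Hardened shape: the copy length is derived from the kernel's own record of
 * how many idents exist. The caller's len decides only whether its buffer is
 * big enough; it never drives the copy. */
static int getsockopt_hmac_ident_fixed(int len, uint8_t *optval, int *optlen)
{
    uint16_t param_len = kmem.hmacs.param_len;

    if (len < param_len)
        return -1;
    len = param_len;            /* clamp: never hand back more than we hold */
    *optlen = len;
    memcpy(optval, kmem.hmacs.hmac_ids, (size_t)len);
    return len;
}

/* Did the bytes returned to "user space" include the constructed marker? */
static int leak_contains_marker(const uint8_t *buf, int n)
{
    static const char marker[] = "KERNEL-SECRET-MARKER";
    int mlen = (int)sizeof(marker) - 1;

    for (int i = 0; i + mlen <= n; i++)
        if (memcmp(buf + i, marker, (size_t)mlen) == 0)
            return 1;
    return 0;
}

int main(void)
{
    uint8_t out[128] = {0};
    int got = 0;

    getsockopt_hmac_ident_vuln(64, out, &got);
    printf("vulnerable: copied %d bytes, marker leaked: %d\n", got, leak_contains_marker(out, got));
    memset(out, 0, sizeof out);
    getsockopt_hmac_ident_fixed(64, out, &got);
    printf("fixed:      copied %d bytes, marker leaked: %d\n", got, leak_contains_marker(out, got));
    return 0;
}
```

The model guard in the vulnerable handler exists only so the example stays inside its own arena; on an affected kernel there was nothing to stop the read running on for as many bytes as optlen named, which is what the Exploit-DB entry's DUMP_SIZE exploits.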
Affected
79 ranges · 1 shown
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| linux | linux_kernel | <= 2.6.25.14 | — |
CVSS provenance
- nvd (v2.0): 4.7 MEDIUM, AV:L/AC:M/Au:N/C:C/I:N/A:N
- vendor_ubuntu: 5.5 MEDIUM
- vendor_redhat: 4.7 MEDIUM
Ubuntu
Linux kernel vulnerabilities
vendor_ubuntu·2008-10-27·CVSS 5.5
CVE-2007-6716 [MEDIUM] Linux kernel vulnerabilities
It was discovered that the direct-IO subsystem did not correctly validate
certain structures. A local attacker could exploit this to cause a system
crash, leading to a denial of service. (CVE-2007-6716)
It was discovered that the disabling of the ZERO_PAGE optimization could
lead to large memory consumption. A local attacker could exploit this to
allocate all available memory, leading to a denial of service.
(CVE-2008-2372)
It was discovered that the Datagram Congestion Control Protocol (DCCP) did
not correctly validate its arguments. If DCCP was in use, a remote attacker
could send specially crafted network traffic and cause a system crash,
leading to a denial of service. (CVE-2008-3276)
It was discovered that
Red Hat
kernel: sctp: fix random memory dereference with SCTP_HMAC_IDENT option
vendor_redhat·2008-08-27·CVSS 4.7
CVE-2008-4445 [MEDIUM] kernel: sctp: fix random memory dereference with SCTP_HMAC_IDENT option
The sctp_auth_ep_set_hmacs function in net/sctp/auth.c in the Stream Control Transmission Protocol (sctp) implementation in the Linux kernel before 2.6.26.4, when the SCTP-AUTH extension is enabled, does not verify that the identifier index is within the bounds established by SCTP_AUTH_HMAC_ID_MAX, which allows local users to obtain sensitive information via a crafted SCTP_HMAC_IDENT IOCTL request involving the sctp_getsockopt function, a different vulnerability than CVE-2008-4113.
Statement: This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, and 5.
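The companion bug in CVE-2008-4445 is an index check rather than a length check: an HMAC identifier taken from the caller is used to index the kernel's HMAC table without first comparing it to SCTP_AUTH_HMAC_ID_MAX. The model below is an added example written for this page, not kernel code; the table contents, the value of SCTP_AUTH_HMAC_ID_MAX, the eight-entry arena and the "neighbour" entries after the real table are constructed assumptions. The mandatory-SHA-1 rule in `set_hmacs_fixed` comes from RFC 4895, not from this page.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Model values (assumptions for this example, not the kernel's headers). */
#define SCTP_AUTH_HMAC_ID_MAX  3    /* highest valid ident: 0 reserved, 1 SHA-1, 2 reserved, 3 SHA-256 */
#define SCTP_AUTH_HMAC_ID_SHA1 1

struct hmac_desc {
    uint16_t    id;
    const char *name;       /* NULL marks a reserved/unsupported ident */
    uint16_t    hmac_len;
};

/* Constructed arena: entries 0..SCTP_AUTH_HMAC_ID_MAX are the real table;
 * the entries after it stand in for whatever follows the table in memory. */
#define ARENA_ENTRIES 8
static const struct hmac_desc arena[ARENA_ENTRIES] = {
    { 0,      NULL,                    0  },
    { 1,      "hmac-sha1",             20 },
    { 2,      NULL,                    0  },
    { 3,      "hmac-sha256",           32 },
    { 0xffff, "unrelated-neighbour-0", 0  },
    { 0xffff, "unrelated-neighbour-1", 0  },
    { 0xffff, "unrelated-neighbour-2", 0  },
    { 0xffff, "unrelated-neighbour-3", 0  },
};

/* Vulnerable shape: the caller's ident is used as an index with no comparison
 * against SCTP_AUTH_HMAC_ID_MAX, so ident 5 returns whatever lies past the table. */
static const struct hmac_desc *hmac_lookup_vuln(uint16_t id)
{
    if (id >= ARENA_ENTRIES)    /* model guard only, to stay inside the arena; the kernel had none */
        return NULL;
    return &arena[id];
}

/* Fixed shape: reject anything above the maximum before indexing, and treat
 * reserved slots (valid index, no algorithm) as unsupported too. */
static const struct hmac_desc *hmac_lookup_fixed(uint16_t id)
{
    if (id > SCTP_AUTH_HMAC_ID_MAX)
        return NULL;
    if (arena[id].name == NULL)
        return NULL;
    return &arena[id];
}

/* Validate a caller-supplied ident list before it is stored on the endpoint:
 * non-empty, every ident in range (the kernel answers -EOPNOTSUPP otherwise),
 * and SHA-1 present because RFC 4895 makes it mandatory.
 * Returns 0 on success, -1 on rejection. */
static int set_hmacs_fixed(const uint16_t *ids, size_t n)
{
    int has_sha1 = 0;

    if (n == 0)
        return -1;
    for (size_t i = 0; i < n; i++) {
        if (ids[i] > SCTP_AUTH_HMAC_ID_MAX)
            return -1;
        if (ids[i] == SCTP_AUTH_HMAC_ID_SHA1)
            has_sha1 = 1;
    }
    return has_sha1 ? 0 : -1;
}
```

Because the identifier is a `uint16_t`, the only direction it can go out of range is upward, so a single `> SCTP_AUTH_HMAC_ID_MAX` comparison is sufficient; the table is sized `SCTP_AUTH_HMAC_ID_MAX + 1`, which is why the comparison is `>` and not `>=`.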
Red Hat
kernel: sctp_getsockopt_hmac_ident information disclosure
vendor_redhat·2008-08-21·CVSS 4.7
CVE-2008-4113 [MEDIUM] kernel: sctp_getsockopt_hmac_ident information disclosure
The sctp_getsockopt_hmac_ident function in net/sctp/socket.c in the Stream Control Transmission Protocol (sctp) implementation in the Linux kernel before 2.6.26.4, when the SCTP-AUTH extension is enabled, relies on an untrusted length value to limit copying of data from kernel memory, which allows local users to obtain sensitive information via a crafted SCTP_HMAC_IDENT IOCTL request involving the sctp_getsockopt function.
Statement: This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, and 5.
GHSA
GHSA-qp66-33pv-p2qq: The sctp_auth_ep_set_hmacs function in net/sctp/auth
ghsa_unreviewed·2022-05-02·CVSS 4.7
CVE-2008-4445 [MEDIUM] CWE-200 GHSA-qp66-33pv-p2qq: The sctp_auth_ep_set_hmacs function in net/sctp/auth
The sctp_auth_ep_set_hmacs function in net/sctp/auth.c in the Stream Control Transmission Protocol (sctp) implementation in the Linux kernel before 2.6.26.4, when the SCTP-AUTH extension is enabled, does not verify that the identifier index is within the bounds established by SCTP_AUTH_HMAC_ID_MAX, which allows local users to obtain sensitive information via a crafted SCTP_HMAC_IDENT IOCTL request involving the sctp_getsockopt function, a different vulnerability than CVE-2008-4113.
GHSA
GHSA-6px2-f4fc-3m96: The sctp_getsockopt_hmac_ident function in net/sctp/socket
ghsa_unreviewed·2022-05-02
CVE-2008-4113 [MEDIUM] CWE-200 GHSA-6px2-f4fc-3m96: The sctp_getsockopt_hmac_ident function in net/sctp/socket
The sctp_getsockopt_hmac_ident function in net/sctp/socket.c in the Stream Control Transmission Protocol (sctp) implementation in the Linux kernel before 2.6.26.4, when the SCTP-AUTH extension is enabled, relies on an untrusted length value to limit copying of data from kernel memory, which allows local users to obtain sensitive information via a crafted SCTP_HMAC_IDENT IOCTL request involving the sctp_getsockopt function.
No detection rules found.
Exploit-DB
Linux Kernel < 2.6.26.4 - SCTP Kernel Memory Disclosure
exploitdb·2008-12-29·CVSS 4.7
CVE-2008-4113 [MEDIUM] Linux Kernel < 2.6.26.4 - SCTP Kernel Memory Disclosure
Linux Kernel
* http://jon.oberheide.org
*
* Information:
*
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4113
*
* The sctp_getsockopt_hmac_ident function in net/sctp/socket.c in the Stream
* Control Transmission Protocol (sctp) implementation in the Linux kernel
* before 2.6.26.4, when the SCTP-AUTH extension is enabled, relies on an
* untrusted length value to limit copying of data from kernel memory, which
* allows local users to obtain sensitive information via a crafted
* SCTP_HMAC_IDENT IOCTL request involving the sctp_getsockopt function.
*
* Notes:
*
* If SCTP AUTH is enabled (net.sctp.auth_enable = 1), this exploit allows an
* unprivileged user to dump an arbitrary amount (DUMP_SIZE) of kernel memory
* out to a file (DUMP_FILE). If SCTP AUTH is not enabled, the exploit wi
CWE
Access of Memory Location After End of Buffer
mitre_cwe
CWE-788 Access of Memory Location After End of Buffer
CWE-788: Access of Memory Location After End of Buffer
The product reads or writes to a buffer using an index or pointer that references a memory location after the end of the buffer.
This typically occurs when a pointer or its index is incremented to a position after the buffer; or when pointer arithmetic results in a position after the buffer.
Modes of Introduction:
Phase: Implementation
Common Consequences:
Scope: Confidentiality. Impact: Read Memory. For an out-of-bounds read, the attacker may have access to sensitive information. If the sensitive information contains system details, such as the current buffer's position in memory, this knowledge can be used to craft further attacks, possibly with more severe consequences.
Scope: Integrity, Availability. Impact: Modify Memory, DoS:
CWE
Improper Restriction of Operations within the Bounds of a Memory Buffer
mitre_cwe
CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.
Background: Certain languages allow direct addressing of memory locations and do not automatically ensure that these locations are valid for the memory buffer that is being referenced.
Modes of Introduction:
Phase: Implementation
Common Consequences:
Scope: Integrity, Confidentiality, Availability. Impact: Execute Unauthorized Code or Commands, Modify Memory. If the memory accessible by the attacker can be effec
CWE
Out-of-bounds Read
mitre_cwe
CWE-125 Out-of-bounds Read
CWE-125: Out-of-bounds Read
The product reads data past the end, or before the beginning, of the intended buffer.
Modes of Introduction:
Phase: Implementation
Common Consequences:
Scope: Confidentiality. Impact: Read Memory. An attacker could get secret values such as cryptographic keys, PII, memory addresses, or other information that could be used in additional attacks.
Scope: Confidentiality. Impact: Bypass Protection Mechanism. Out-of-bounds memory could contain memory addresses or other information that can be used to bypass ASLR and other protection mechanisms in order to improve the reliability of exploiting a separate weakness for code execution.
Scope: Availability. Impact: DoS: Crash, Exit, or Restart. An attacker could cause a segmentation fault or crash by causing memory to
References
- http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.26.y.git%3Ba=commit%3Bh=d97240552cd98c4b07322f30f66fd9c3ba4171de
- http://lists.opensuse.org/opensuse-security-announce/2008-10/msg00010.html
- http://secunia.com/advisories/32190
- http://secunia.com/advisories/32315
- http://secunia.com/advisories/32393
- http://securityreason.com/securityalert/4266
- http://www.debian.org/security/2008/dsa-1655
- http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.26.4
- http://www.openwall.com/lists/oss-security/2008/09/26/6
- http://www.redhat.com/support/errata/RHSA-2008-0857.html
- http://www.securityfocus.com/archive/1/496256/100/0/threaded
- http://www.securityfocus.com/bid/31121
- http://www.securitytracker.com/id?1021000
- http://www.trapkit.de/advisories/TKADV2008-007.txt
- http://www.ubuntu.com/usn/usn-659-1
- https://exchange.xforce.ibmcloud.com/vulnerabilities/45188
- https://www.exploit-db.com/exploits/7618