CVE-2009-1897
Published: 2009-07-20
Priority P428 · medium · CVSS 2.0 6.9 (AV:L/AC:M/Au:N/C:C/I:C/A:C)
EXPLOIT available
EPSS: 1.51% (71.2th percentile)
The tun_chr_poll function in drivers/net/tun.c in the tun subsystem in the Linux kernel 2.6.30 and 2.6.30.1, when the -fno-delete-null-pointer-checks gcc option is omitted, allows local users to gain privileges via vectors involving a NULL pointer dereference and an mmap of /dev/net/tun, a different vulnerability than CVE-2009-1894.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| linux | linux_kernel | — | — |
| linux | linux_kernel | — | — |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 6.9 | MEDIUM | AV:L/AC:M/Au:N/C:C/I:C/A:C |
| vendor_redhat | — | 7.2 | HIGH | — |
Red Hat
kernel: tun/tap: Fix crashes if open() /dev/net/tun and then poll() it
vendor_redhat · 2009-04-09 · CVSS 7.2 [HIGH]
Statement: The flaw only affects the Red Hat Enterprise Linux 5.4 beta kernel, which includes a backport of the upstream bug fix introducing this flaw (git commit 33dccbb0). This issue did not affect the final released Red Hat Enterprise Linux 5.4 kernel. It is also possible to mitigate this flaw by ensuring that the permissions for /dev/net/tun are restricted to root only.
This issue does
GHSA
GHSA-7g2j-wp9p-8rcr: The tun_chr_poll function in drivers/net/tun
ghsa_unreviewed · 2022-05-02 · CVSS 7.2 [HIGH] · CWE-119
Exploit-DB
Linux Kernel 2.6.30 < 2.6.30.1 / SELinux (RHEL 5) - Local Privilege Escalation
exploitdb · 2009-07-17
if SELinux is enabled, it allows pulseaudio to map at 0
UPDATE: not just that, SELinux lets any user in unconfined_t map at
0, overriding the mmap_min_addr restriction! pulseaudio is not
needed at all! Having SELinux enabled actually *WEAKENS* system
security for these kinds of exploits!
if SELinux is disabled, use personality SVR4 to auto-map at 0
Turning a vulnerability which is unexploitable from a review of
the source code, where only trojan data can be supplied to a
structure where no function pointers are called into an arbitrary OR
of 0x1 on any byte in memory
Turning this arbitrary OR into arbitrary code execution by ORing
an unused file_op on the device we're exploiting
Abusing this arbitrary code execution to:
* Disable auditing
* Disable SELinux
* Disable App
Exploit-DB
Linux Kernel 2.6.30 - 'tun_chr_pool()' Null Pointer Dereference
exploitdb · 2009-06-17
---
source: https://www.securityfocus.com/bid/35724/info
The Linux kernel is prone to a local NULL-pointer dereference vulnerability.
A local attacker can exploit this issue to execute arbitrary code with superuser privileges or crash an affected kernel, denying service to legitimate users.
This issue was introduced in Linux kernel 2.6.30.
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/33088-1.tgz
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/33088-2.tgz
Bugzilla
CVE-2009-1897 kernel: tun/tap: Fix crashes if open() /dev/net/tun and then poll() it
bugzilla · 2009-07-17 · CVSS 6.9 [MEDIUM]
Reported by Eugene Kapun:
Fix NULL pointer dereference in tun_chr_pool() introduced by commit 33dccbb050bbe35b88ca8cf1228dcf3e4d4b3554 ("tun: Limit amount of queued packets per device") and triggered by this code:
```c
#include <fcntl.h>
#include <poll.h>

int main(void)
{
    int fd = open("/dev/net/tun", O_RDWR); /* opened, but not attached to a tun device yet */
    struct pollfd pfd;
    pfd.fd = fd;
    pfd.events = POLLIN | POLLOUT;
    poll(&pfd, 1, 0);                      /* on 2.6.30 tun_chr_poll dereferences NULL here */
    return 0;
}
```
Upstream commit:
http://git.kernel.org/linus/3c8a9c63d5fd738c261bd0ceece04d9c8357ca13
References:
http://lkml.org/lkml/2009/7/6/19
https://bugzilla.redhat.com/show_bug.cgi?id=495863
http://lists.grok.org.uk/pipermail/full-disclosure/2009-July/069714.html
http://git.kernel.org/linus/33dccbb050bbe35b88ca8cf1228dcf3e4d4b3554
http://article.gmane.org/gmane.linux.network/1249
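The root-cause pattern behind the crash above, modelled in user space as an added example (not code from this page or from the kernel; the struct names and fields are a simplified stand-in): tun_chr_poll in 2.6.30 read tun->sk before testing tun for NULL, so a compiler built without -fno-delete-null-pointer-checks may treat the later test as dead code and remove it. The upstream fix reorders the two so that nothing behind tun is touched until the check has passed.

```c
#include <stddef.h>
#include <poll.h>

/* Simplified user-space stand-ins for the kernel structures (constructed for
 * this example; the real struct tun_struct and struct sock are far larger). */
struct sock { int has_data; int can_write; };
struct tun_struct { struct sock *sk; };

/* The 2.6.30 pattern: tun->sk is read BEFORE tun is checked. Because the
 * dereference has already happened, GCC may assume tun is non-NULL and
 * delete the "if (!tun)" test unless -fno-delete-null-pointer-checks is set.
 * Calling this with tun == NULL is undefined behaviour; with a valid pointer
 * it behaves exactly like the fixed version below. */
unsigned int tun_poll_before_fix(struct tun_struct *tun)
{
    struct sock *sk = tun->sk;   /* dereference first ... */
    unsigned int mask = 0;

    if (!tun)                    /* ... then the check, which may be optimised away */
        return POLLERR;
    if (sk->has_data)
        mask |= POLLIN;
    if (sk->can_write)
        mask |= POLLOUT;
    return mask;
}

/* The fixed ordering: no memory behind tun is touched until tun is known to
 * be non-NULL, so the compiler cannot prove the check redundant and it stays
 * in the generated code. tun_poll_after_fix(NULL) returns POLLERR. */
unsigned int tun_poll_after_fix(struct tun_struct *tun)
{
    struct sock *sk;
    unsigned int mask = 0;

    if (!tun)
        return POLLERR;
    sk = tun->sk;
    if (sk->has_data)
        mask |= POLLIN;
    if (sk->can_write)
        mask |= POLLOUT;
    return mask;
}
```

Compiling the first function with `gcc -O2 -S` and inspecting the output shows the NULL test missing; building with -fno-delete-null-pointer-checks (the kernel's default since this bug) keeps it.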
arXiv
SoK: Sanitizing for Security
arxiv_fulltext · 2018-06-12
Dokyung Song, Julian Lettner, Prabhu Rajasekaran, Yeoul Na, Stijn Volckaert, Per Larsen, Michael Franz
University of California, Irvine
{dokyungs,jlettner,rajasekp,yeouln,stijnv,perl,franz}@uci.edu
2018 IEEE. Personal use of this material is
permitted. Permission from IEEE must be obtained for all other uses, in any
current or future media, including reprinting/republishing this material for
advertising or promotional purposes, creating new collective works, for resale
or redistribution to servers or lists, or reuse of any copyrighted component
of this work in other works.
## Abstract
The C and C++ programming languages are notoriously insecure yet remain
indispensable. Developers therefore resort to a multi-pronged approach to find
security issues before
Trailofbits
Use constexpr for faster, smaller, and safer code
blogs_trailofbits · 2019-06-27 · CVSS 6.9 [MEDIUM]
With the release of C++14, the standards committee strengthened one of the coolest modern features of C++: `constexpr`. Now, C++ developers can write constant expressions and force their evaluation at compile-time, rather than at every invocation by users. This results in faster execution, smaller executables and, surprisingly, safer code.
Undefined behavior has been the source of many security bugs, such as Linux kernel privilege escalation (CVE-2009-1897) and myriad poorly implemented integer overflow checks that are removed due to undefined behavior. The C++ standards committee decided that code marked `constexpr` cannot invoke undefined behavior when designing `constexpr`. For a comprehensive analysis, read Shafik Yaghmour’s fantastic blog post titled “Exploring Undefined Behavior Usi
References:
http://archives.neohapsis.com/archives/fulldisclosure/2009-07/0241.html
http://archives.neohapsis.com/archives/fulldisclosure/2009-07/0246.html
http://article.gmane.org/gmane.linux.network/124939
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=3c8a9c63d5fd738c261bd0ceece04d9c8357ca13
http://grsecurity.net/~spender/cheddar_bay.tgz
http://isc.sans.org/diary.html?storyid=6820
http://lkml.org/lkml/2009/7/6/19
http://secunia.com/advisories/35839
http://www.openwall.com/lists/oss-security/2009/07/17/1
http://www.vupen.com/english/advisories/2009/1925
https://bugzilla.redhat.com/show_bug.cgi?id=512284
https://exchange.xforce.ibmcloud.com/vulnerabilities/51803
https://www.redhat.com/en/blog/security-flaws-caused-compiler-optimizations