The Month of Kernel Bugs (MoKB) archive

FAQ

What's the purpose of the "MoKB"?
Publish one bug per day for the month of November 2006, and show tools and procedures useful for testing the strength and quality of kernel code (e.g. networking, filesystem handling) in existing operating systems (Mac OS X, FreeBSD, Solaris, GNU/Linux, etc.).

Bugs

| # | Title | Description | Proof of concept | Affected systems | References |
|---|-------|-------------|------------------|------------------|------------|
| 1 | Apple Airport 802.11 Probe Response Kernel Memory Corruption | The Apple Airport driver provided with Orinoco-based Airport cards (1999-2003 PowerBooks, iMacs) is vulnerable to a remote memory corruption flaw that can lead to arbitrary code execution. | Metasploit Exploit Module | Mac OS X with Apple Airport 802.11 (Orinoco-based) | MOKB-01-11-2006, CVE-2006-5710 |
| 2 | Linux 2.6.x squashfs double free | The squashfs module of the Linux kernel (2.6.x) fails to properly handle corrupted fs structures, leading to a denial of service and possible data corruption condition. | MOKB-02-11-2006.img.gz | Linux 2.6.x squashfs | MOKB-02-11-2006, CVE-2006-5701 |
| 3 | FreeBSD 6.1 UFS filesystem ffs_mountfs() integer overflow | The UFS filesystem handling code of the FreeBSD 6.1 kernel fails to properly handle corrupted data structures, leading to exploitable memory corruption (DoS) issues and possible arbitrary code execution. This particular vulnerability is caused by an integer overflow in the ffs_mountfs() function. | Check MOKB-08-11-2006 and/or debug information. | FreeBSD 6.1 (STABLE) and probably 7 (HEAD) | MOKB-03-11-2006, CVE-2006-5679 |
| 4 | Solaris 10 UFS filesystem alloccgblk denial of service | The UFS filesystem handling code of the Solaris 10 kernel fails to properly handle corrupted data structures, leading to an exploitable denial of service issue and potential loss of data or corruption of the local UFS filesystems, due to memory corruption. | MOKB-04-11-2006.img.gz | SunOS 5.10 Generic_118855-19 and previous (not verified). | MOKB-04-11-2006, CVE-2006-5726 |
| 5 | Linux 2.6.x ISO9660 __find_get_block_slow() denial of service | The ISO9660 filesystem handling code of the Linux 2.6.x kernel fails to properly handle corrupted data structures, leading to an exploitable denial of service condition. This particular vulnerability seems to be caused by a race condition and a signedness issue. | MOKB-05-11-2006.iso.bz2 | Linux kernel 2.6.18 and previous (2.6.x). Probably 2.4.x (not verified). | MOKB-05-11-2006, CVE-2006-5757 |
| 6 | Microsoft Windows kernel GDI local privilege escalation | A vulnerability in the handling of GDI kernel structures of Microsoft Windows leads to an exploitable memory corruption condition, causing a denial of service (so-called BSoD) or arbitrary code execution on successful exploitation. | GDIKernelPoC.cpp | Microsoft Windows 2000 SP0-SP4, XP SP0-SP2. | MOKB-06-11-2006, CVE-2006-5758 |
| 7 | Linux 2.6.x zlib_inflate memory corruption | The Linux 2.6.x zlib_inflate function can be abused by filesystems that depend on zlib compression, such as cramfs. A failure to handle crafted data, the result of a read operation on a corrupted filesystem stream, may lead to memory corruption and potential arbitrary code execution. | MOKB-07-11-2006.img.bz2 | Linux kernel 2.6.18 and previous (2.6.x). | MOKB-07-11-2006, CVE-2006-5823 |
| 8 | FreeBSD 6.1 UFS filesystem ffs_rdextattr() integer overflow | The UFS filesystem handling code of the FreeBSD 6.1 kernel fails to properly handle corrupted data structures, leading to exploitable memory corruption (DoS) issues and possible arbitrary code execution. This particular vulnerability is caused by an integer overflow, similar to MOKB-03-11-2006. | MOKB-08-11-2006.img.bz2 | FreeBSD 6.1 (STABLE) and probably 7 (HEAD) | MOKB-08-11-2006, CVE-2006-5824 |
| 9 | Mac OS X fpathconf() syscall denial of service | The Mac OS X kernel (XNU) fpathconf() syscall fails to handle unknown file types, causing a kernel panic and leading to an exploitable local denial of service by non-privileged users. | Check release page. | Mac OS X 10.3.x, 10.4.x (tested x86 and PPC). | MOKB-09-11-2006, CVE-2006-5836 |
| 10 | Linux 2.6.x ext3fs_dirhash denial of service | Linux 2.6.x ext3 filesystem code fails to properly handle corrupted data structures, leading to an exploitable denial of service issue with potential fs corruption when a read operation is performed on a crafted ext3 stream. | MOKB-10-11-2006.img.bz2 | Linux kernel 2.6.18 and previous (2.6.x). | MOKB-10-11-2006, CVE-2006-6053 |
| 11 | Broadcom Wireless Driver Probe Response SSID Overflow | The Broadcom BCMWL5.SYS wireless device driver is vulnerable to a stack-based buffer overflow that can lead to arbitrary kernel-mode code execution. This particular vulnerability is caused by improper handling of 802.11 probe responses containing a long SSID field. | broadcom_wifi_ssid.rb | Unpatched BCMWL5.SYS (e.g. version 3.50.21.10) | MOKB-11-11-2006, CVE-2006-5882 |
| 12 | Linux 2.6.x ext2_check_page denial of service | Linux 2.6.x ext2 filesystem code fails to properly handle corrupted data structures, leading to an exploitable denial of service issue when a read operation is performed on a crafted fs stream. | MOKB-12-11-2006.img.bz2 | Linux kernel 2.6.18 and previous (2.6.x). | MOKB-12-11-2006, CVE-2006-6054 |
| 13 | D-Link DWL-G132 Wireless Driver Beacon Rates Overflow | The D-Link DWL-G132 wireless adapter (USB) ships with a version of A5AGU.SYS that is vulnerable to a stack-based buffer overflow. This overflow can lead to arbitrary kernel-mode code execution. The overflow occurs when an 802.11 beacon request is received that contains over 36 bytes in the Rates information element (IE). | dlink_wifi_rates.rb | Unpatched A5AGU.SYS (e.g. version 1.0.1.41, DWL-G132 driver) | MOKB-13-11-2006, CVE-2006-6055 |
| 14 | Linux 2.6.x SELinux superblock_doinit denial of service | Failure to handle mounting of corrupt filesystem streams may lead to a local denial of service condition when SELinux hooks are enabled. This particular vulnerability is caused by a null pointer dereference in the superblock_doinit function. | MOKB-14-11-2006.img.bz2 | Linux kernel 2.6.18 and previous (2.6.x). | MOKB-14-11-2006, CVE-2006-6056 |
| 15 | Linux 2.6.x gfs2 init_journal denial of service | Linux 2.6.x gfs2 filesystem code fails to properly handle corrupted data structures, leading to an exploitable denial of service issue when a crafted stream is mounted. | MOKB-15-11-2006.img.bz2 | Linux kernel 2.6.18 and previous (2.6.x) with GFS2 support. | MOKB-15-11-2006, CVE-2006-6057 |
| 16 | NetGear WG111v2 Wireless Driver Long Beacon Overflow | The NetGear WG111v2 wireless adapter (USB) ships with a version of WG111v2.SYS that is vulnerable to a stack-based buffer overflow. This overflow can lead to arbitrary kernel-mode code execution. The overflow occurs when an 802.11 beacon request is received that contains over 1100 bytes of information elements. | netgear_wg111_beacon.rb | NetGear WG111v2 wireless adapter (USB) driver (WG111v2.SYS), tested version 5.1213.6.316. | MOKB-16-11-2006, CVE-2006-5972 |
| 17 | Linux 2.6.x minix_bmap denial of service | Linux 2.6.x minix filesystem code fails to properly handle corrupted data structures, leading to an exploitable denial of service issue when a crafted fs stream is mounted. | MOKB-17-11-2006.img.bz2 | Linux kernel 2.6.18 and previous (2.6.x). | MOKB-17-11-2006, CVE-2006-6058 |
| 18 | NetGear MA521 Wireless Driver Long Rates Overflow | The NetGear MA521 wireless adapter (CARDBUS) ships with a version of MA521nd5.SYS that is vulnerable to a memory corruption condition. This issue may lead to arbitrary kernel-mode code execution. | netgear_ma521_rates.rb | NetGear MA521 wireless adapter (CARDBUS) driver (MA521nd5.SYS), tested version 5.148.724.2003. | MOKB-18-11-2006, CVE-2006-6059 |
| 19 | Linux 2.6.x NTFS __find_get_block_slow() denial of service | The NTFS filesystem module of the Linux 2.6.x kernel fails to properly handle corrupted data structures, leading to an exploitable denial of service condition. This issue is similar to the one explained in MOKB-05-11-2006. | MOKB-19-11-2006.img.bz2 | Linux kernel 2.6.18 and previous (2.6.x). | MOKB-19-11-2006, CVE-2006-6060 |
| 20 | Mac OS X Apple UDIF Disk Image Kernel Memory Corruption (1) | Mac OS X com.apple.AppleDiskImageController fails to properly handle corrupted DMG image structures, leading to an exploitable memory corruption condition with potential kernel-mode arbitrary code execution by unprivileged users. | MOKB-20-11-2006.dmg.bz2 | Mac OS X 10.3.x, 10.4.x (tested x86 and PPC) | MOKB-20-11-2006, CVE-2006-6061 |
| 21 | Mac OS X Apple UDTO HFS+ Disk Image Denial of Service (1) | Mac OS X fails to properly handle corrupted UDTO HFS+ image structures (e.g. bad sectors), leading to an exploitable denial of service condition. Although it hasn't been checked further, memory corruption is present under certain conditions (in this particular case, unlikely to allow arbitrary code execution). | MOKB-21-11-2006.dmg.bz2 | Mac OS X 10.3.x, 10.4.x (tested x86 and PPC); code present in FreeBSD (details in a future release). | MOKB-21-11-2006, CVE-2006-6062 |
| 22 | NetGear WG311v1 Wireless Driver Long SSID Overflow | The NetGear WG311v1 wireless adapter (PCI) ships with a version of WG311ND5.SYS that is vulnerable to a heap-based buffer overflow condition. This issue may lead to arbitrary kernel-mode code execution. | netgear_wg311pci.rb | NetGear WG311v1 wireless adapter (PCI) driver (WG311ND5.SYS), tested version 2.3.1.10. | MOKB-22-11-2006, CVE-2006-6125 |
| 23 | Mac OS X Mach-O Binary Loading Memory Corruption | Mac OS X fails to properly handle corrupted Mach-O binaries, leading to an exploitable memory corruption condition. This is triggered by execution of a Mach-O binary with a valid mach_header structure and corrupted load_command data structures. | MOKB-23-11-2006.bz2 | Mac OS X 10.3.x, 10.4.x (tested x86). | MOKB-23-11-2006, CVE-2006-6126 |
| 24 | Mac OS X kqueue Local Denial of Service | Inconsistent handling of the kqueue and kevent interfaces in the Mac OS X kernel allows local unprivileged users to cause a denial of service condition. | MOKB-24-11-2006.c.bz2 | Mac OS X 10.3.x, 10.4.x (tested x86 and PPC). | MOKB-24-11-2006, CVE-2006-6127 |
| 25 | Linux 2.6.x ReiserFS Sync Memory Corruption | The ReiserFS support code of Linux 2.6.x fails to properly handle crafted data structures, leading to an exploitable memory corruption condition when a sync is performed on a corrupted ReiserFS filesystem. | MOKB-25-11-2006.img.bz2 | Linux kernel 2.6.18 and previous (2.6.x, tested on up-to-date Fedora Core 6). | MOKB-25-11-2006, CVE-2006-6128 |
| 26 | Mac OS X Universal Binary Loading Memory Corruption | Mac OS X fails to properly handle corrupted Universal Binaries, leading to an exploitable memory corruption condition with potential risk of kernel-mode arbitrary code execution. | MOKB-26-11-2006.bz2 | Mac OS X 10.3.x, 10.4.x (tested x86). | MOKB-26-11-2006, CVE-2006-6129 |
| 27 | Mac OS X AppleTalk AIOCREGLOCALZN Ioctl Memory Corruption | The Mac OS X AppleTalk protocol handling code is vulnerable to an exploitable memory corruption issue. This particular vulnerability is caused by a failure to validate input data in the AIOCREGLOCALZN ioctl command. | MOKB-27-11-2006.c | Mac OS X 10.3.x, 10.4.x (tested x86). | MOKB-27-11-2006, CVE-2006-6130 |
| 28 | Mac OS X shared_region_make_private_np() Memory Corruption | The Mac OS X shared_region_make_private_np() system call fails to handle crafted user input, leading to an exploitable memory corruption condition. Unprivileged local users can abuse this issue in order to escalate privileges (via arbitrary code execution) or cause a denial of service. | MOKB-28-11-2006.c | Mac OS X 10.3.x, 10.4.x (tested x86). | MOKB-27-11-2006, CVE-NO-NAME |
| 29 | Linux 2.6.7-18.3 get_fdb_entries() integer overflow | The Linux 2.6.7-18.3 get_fdb_entries() function is vulnerable to an integer overflow condition. This could be abused to force a memory allocation of an attacker-controlled size. Successful exploitation could allow arbitrary code execution. | N/A, check advisory. | Linux 2.6.7 - 2.6.18.3. | MOKB-29-11-2006, CVE-2006-5751 |
| 30 | Apple Airport Extreme Beacon Frame Denial of Service | The Apple Airport Extreme driver fails to handle certain beacon frames, leading to an out-of-bounds memory access that results in a so-called kernel panic. This issue is being coordinated with Apple, and by common agreement it has been decided to keep the details private until a fix has been made available to end users. | N/A, check advisory. Won't be released until Apple provides a fix. | Mac OS X 10.3.x, 10.4.x (tested x86). | MOKB-30-11-2006, CVE-NO-NAME |

Press

The following is an incomplete and not necessarily up-to-date list of articles and other media coverage of the MoKB:

Links