Vulnerabilities > CVE-2009-0036 - Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Libvirt 0.5.1

047910
CVSS 0.0 - NONE
Attack vector
UNKNOWN
Attack complexity
UNKNOWN
Privileges required
UNKNOWN
Confidentiality impact
UNKNOWN
Integrity impact
UNKNOWN
Availability impact
UNKNOWN
libvirt
CWE-119
nessus
exploit available
NVD
Published: 2009-02-11
Updated: 2023-02-13

Summary

Buffer overflow in the proxyReadClientSocket function in proxy/libvirt_proxy.c in libvirt_proxy 0.5.1 might allow local users to gain privileges by sending a portion of the header of a virProxyPacket packet, and then sending the remainder of the packet with crafted values in the header, related to use of uninitialized memory in a validation check.

Vulnerable Configurations

Part Description Count
Application
Libvirt
1

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Buffer Overflow via Environment Variables
    This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
  • Overflow Buffers
    Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
  • Client-side Injection-induced Buffer Overflow
    This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
  • Filter Failure through Buffer Overflow
    In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
  • MIME Conversion
    An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.

Exploit-Db

descriptionlibvirt_proxy <= 0.5.1 Local Privilege Escalation Exploit. CVE-2009-0036. Local exploit for linux platform
idEDB-ID:8534
last seen2016-02-01
modified2009-04-27
published2009-04-27
reporterJon Oberheide
sourcehttps://www.exploit-db.com/download/8534/
titlelibvirt_proxy <= 0.5.1 - Local Privilege Escalation Exploit

Nessus

  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20090319_LIBVIRT_ON_SL5_X.NASL
    descriptionThe libvirtd daemon was discovered to not properly check user connection permissions before performing certain privileged actions, such as requesting migration of an unprivileged guest domain to another system. A local user able to establish a read-only connection to libvirtd could use this flaw to perform actions that should be restricted to read-write connections. (CVE-2008-5086) libvirt_proxy, a setuid helper application allowing non-privileged users to communicate with the hypervisor, was discovered to not properly validate user requests. Local users could use this flaw to cause a stack-based buffer overflow in libvirt_proxy, possibly allowing them to run arbitrary code with root privileges. (CVE-2009-0036) After installing the update, libvirtd must be restarted manually (for example, by issuing a
    last seen2020-06-01
    modified2020-06-02
    plugin id60551
    published2012-08-01
    reporterThis script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/60551
    titleScientific Linux Security Update : libvirt on SL5.x i386/x86_64
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2009-0382.NASL
    descriptionFrom Red Hat Security Advisory 2009:0382 : Updated libvirt packages that fix two security issues are now available for Red Hat Enterprise Linux 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. [Updated 5th May 2011] After installing this update and restarting the libvirtd service, the
    last seen2020-06-01
    modified2020-06-02
    plugin id67832
    published2013-07-12
    reporterThis script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/67832
    titleOracle Linux 5 : libvirt (ELSA-2009-0382)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2009-0382.NASL
    descriptionUpdated libvirt packages that fix two security issues are now available for Red Hat Enterprise Linux 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. [Updated 5th May 2011] After installing this update and restarting the libvirtd service, the
    last seen2020-06-01
    modified2020-06-02
    plugin id63878
    published2013-01-24
    reporterThis script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/63878
    titleRHEL 5 : libvirt (RHSA-2009:0382)

Oval

accepted2013-04-29T04:02:00.328-04:00
classvulnerability
contributors
  • nameAharon Chernin
    organizationSCAP.com, LLC
  • nameDragos Prisaca
    organizationG2, Inc.
definition_extensions
  • commentThe operating system installed on the system is Red Hat Enterprise Linux 5
    ovaloval:org.mitre.oval:def:11414
  • commentThe operating system installed on the system is CentOS Linux 5.x
    ovaloval:org.mitre.oval:def:15802
  • commentOracle Linux 5.x
    ovaloval:org.mitre.oval:def:15459
descriptionBuffer overflow in the proxyReadClientSocket function in proxy/libvirt_proxy.c in libvirt_proxy 0.5.1 might allow local users to gain privileges by sending a portion of the header of a virProxyPacket packet, and then sending the remainder of the packet with crafted values in the header, related to use of uninitialized memory in a validation check.
familyunix
idoval:org.mitre.oval:def:10127
statusaccepted
submitted2010-07-09T03:56:16-04:00
titleBuffer overflow in the proxyReadClientSocket function in proxy/libvirt_proxy.c in libvirt_proxy 0.5.1 might allow local users to gain privileges by sending a portion of the header of a virProxyPacket packet, and then sending the remainder of the packet with crafted values in the header, related to use of uninitialized memory in a validation check.
version18

Redhat

advisories
bugzilla
id484947
titleCVE-2009-0036 libvirt: libvirt_proxy buffer overflow
oval
OR
  • commentRed Hat Enterprise Linux must be installed
    ovaloval:com.redhat.rhba:tst:20070304026
  • AND
    • commentRed Hat Enterprise Linux 5 is installed
      ovaloval:com.redhat.rhba:tst:20070331005
    • OR
      • AND
        • commentlibvirt-devel is earlier than 0:0.3.3-14.el5_3.1
          ovaloval:com.redhat.rhsa:tst:20090382001
        • commentlibvirt-devel is signed with Red Hat redhatrelease key
          ovaloval:com.redhat.rhsa:tst:20090382002
      • AND
        • commentlibvirt is earlier than 0:0.3.3-14.el5_3.1
          ovaloval:com.redhat.rhsa:tst:20090382003
        • commentlibvirt is signed with Red Hat redhatrelease key
          ovaloval:com.redhat.rhsa:tst:20090382004
      • AND
        • commentlibvirt-python is earlier than 0:0.3.3-14.el5_3.1
          ovaloval:com.redhat.rhsa:tst:20090382005
        • commentlibvirt-python is signed with Red Hat redhatrelease key
          ovaloval:com.redhat.rhsa:tst:20090382006
rhsa
idRHSA-2009:0382
released2009-03-19
severityModerate
titleRHSA-2009:0382: libvirt security update (Moderate)
rpms
  • libvirt-0:0.3.3-14.el5_3.1
  • libvirt-debuginfo-0:0.3.3-14.el5_3.1
  • libvirt-devel-0:0.3.3-14.el5_3.1
  • libvirt-python-0:0.3.3-14.el5_3.1

Seebug

  • bulletinFamilyexploit
    descriptionNo description provided by source.
    idSSV:66486
    last seen2017-11-19
    modified2014-07-01
    published2014-07-01
    reporterRoot
    sourcehttps://www.seebug.org/vuldb/ssvid-66486
    titlelibvirt_proxy <= 0.5.1 - Local Privilege Escalation Exploit
  • bulletinFamilyexploit
    descriptionNo description provided by source.
    idSSV:11100
    last seen2017-11-19
    modified2009-04-28
    published2009-04-28
    reporterRoot
    sourcehttps://www.seebug.org/vuldb/ssvid-11100
    titlelibvirt_proxy &lt;= 0.5.1 Local Privilege Escalation Exploit
  • bulletinFamilyexploit
    descriptionBUGTRAQ ID: 33724 CVE(CAN) ID: CVE-2009-0036 libvirt是一套免费、开源的C函数库,支持Linux下的主流虚拟化工具。 libvirt库的proxy/libvirt_proxy.c文件中的proxyReadClientSocket()函数没有正确地验证报文头,如果本地攻击者发送了特制的代理请求的话就可以触发栈溢出,导致以root用户权限执行任意代码。 libvirt 0.5.1 厂商补丁: libvirt ------- 目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: <a href=https://www.redhat.com/archives/libvir-list/2009-January/msg00699.html target=_blank rel=external nofollow>https://www.redhat.com/archives/libvir-list/2009-January/msg00699.html</a>
    idSSV:4754
    last seen2017-11-19
    modified2009-02-13
    published2009-02-13
    reporterRoot
    titlelibvirt libvirt_proxy.c文件本地栈溢出漏洞

References