Vulnerabilities > CVE-2009-0036 - Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Libvirt 0.5.1
Attack vector
UNKNOWN Attack complexity
UNKNOWN Privileges required
UNKNOWN Confidentiality impact
UNKNOWN Integrity impact
UNKNOWN Availability impact
UNKNOWN Summary
Buffer overflow in the proxyReadClientSocket function in proxy/libvirt_proxy.c in libvirt_proxy 0.5.1 might allow local users to gain privileges by sending a portion of the header of a virProxyPacket packet, and then sending the remainder of the packet with crafted values in the header, related to use of uninitialized memory in a validation check.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | 1 |
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Buffer Overflow via Environment Variables This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
- Overflow Buffers Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
- Client-side Injection-induced Buffer Overflow This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
- Filter Failure through Buffer Overflow In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
- MIME Conversion An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.
Exploit-Db
description | libvirt_proxy <= 0.5.1 Local Privilege Escalation Exploit. CVE-2009-0036. Local exploit for linux platform |
id | EDB-ID:8534 |
last seen | 2016-02-01 |
modified | 2009-04-27 |
published | 2009-04-27 |
reporter | Jon Oberheide |
source | https://www.exploit-db.com/download/8534/ |
title | libvirt_proxy <= 0.5.1 - Local Privilege Escalation Exploit |
Nessus
NASL family Scientific Linux Local Security Checks NASL id SL_20090319_LIBVIRT_ON_SL5_X.NASL description The libvirtd daemon was discovered to not properly check user connection permissions before performing certain privileged actions, such as requesting migration of an unprivileged guest domain to another system. A local user able to establish a read-only connection to libvirtd could use this flaw to perform actions that should be restricted to read-write connections. (CVE-2008-5086) libvirt_proxy, a setuid helper application allowing non-privileged users to communicate with the hypervisor, was discovered to not properly validate user requests. Local users could use this flaw to cause a stack-based buffer overflow in libvirt_proxy, possibly allowing them to run arbitrary code with root privileges. (CVE-2009-0036) After installing the update, libvirtd must be restarted manually (for example, by issuing a last seen 2020-06-01 modified 2020-06-02 plugin id 60551 published 2012-08-01 reporter This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/60551 title Scientific Linux Security Update : libvirt on SL5.x i386/x86_64 NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2009-0382.NASL description From Red Hat Security Advisory 2009:0382 : Updated libvirt packages that fix two security issues are now available for Red Hat Enterprise Linux 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. [Updated 5th May 2011] After installing this update and restarting the libvirtd service, the last seen 2020-06-01 modified 2020-06-02 plugin id 67832 published 2013-07-12 reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/67832 title Oracle Linux 5 : libvirt (ELSA-2009-0382) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2009-0382.NASL description Updated libvirt packages that fix two security issues are now available for Red Hat Enterprise Linux 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. [Updated 5th May 2011] After installing this update and restarting the libvirtd service, the last seen 2020-06-01 modified 2020-06-02 plugin id 63878 published 2013-01-24 reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/63878 title RHEL 5 : libvirt (RHSA-2009:0382)
Oval
accepted | 2013-04-29T04:02:00.328-04:00 | ||||||||||||
class | vulnerability | ||||||||||||
contributors |
| ||||||||||||
definition_extensions |
| ||||||||||||
description | Buffer overflow in the proxyReadClientSocket function in proxy/libvirt_proxy.c in libvirt_proxy 0.5.1 might allow local users to gain privileges by sending a portion of the header of a virProxyPacket packet, and then sending the remainder of the packet with crafted values in the header, related to use of uninitialized memory in a validation check. | ||||||||||||
family | unix | ||||||||||||
id | oval:org.mitre.oval:def:10127 | ||||||||||||
status | accepted | ||||||||||||
submitted | 2010-07-09T03:56:16-04:00 | ||||||||||||
title | Buffer overflow in the proxyReadClientSocket function in proxy/libvirt_proxy.c in libvirt_proxy 0.5.1 might allow local users to gain privileges by sending a portion of the header of a virProxyPacket packet, and then sending the remainder of the packet with crafted values in the header, related to use of uninitialized memory in a validation check. | ||||||||||||
version | 18 |
Redhat
advisories |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
rpms |
|
Seebug
bulletinFamily exploit description No description provided by source. id SSV:66486 last seen 2017-11-19 modified 2014-07-01 published 2014-07-01 reporter Root source https://www.seebug.org/vuldb/ssvid-66486 title libvirt_proxy <= 0.5.1 - Local Privilege Escalation Exploit bulletinFamily exploit description No description provided by source. id SSV:11100 last seen 2017-11-19 modified 2009-04-28 published 2009-04-28 reporter Root source https://www.seebug.org/vuldb/ssvid-11100 title libvirt_proxy <= 0.5.1 Local Privilege Escalation Exploit bulletinFamily exploit description BUGTRAQ ID: 33724 CVE(CAN) ID: CVE-2009-0036 libvirt是一套免费、开源的C函数库,支持Linux下的主流虚拟化工具。 libvirt库的proxy/libvirt_proxy.c文件中的proxyReadClientSocket()函数没有正确地验证报文头,如果本地攻击者发送了特制的代理请求的话就可以触发栈溢出,导致以root用户权限执行任意代码。 libvirt 0.5.1 厂商补丁: libvirt ------- 目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: <a href=https://www.redhat.com/archives/libvir-list/2009-January/msg00699.html target=_blank rel=external nofollow>https://www.redhat.com/archives/libvir-list/2009-January/msg00699.html</a> id SSV:4754 last seen 2017-11-19 modified 2009-02-13 published 2009-02-13 reporter Root title libvirt libvirt_proxy.c文件本地栈溢出漏洞
References
- https://www.redhat.com/archives/libvir-list/2009-January/msg00728.html
- http://openwall.com/lists/oss-security/2009/02/10/8
- https://www.redhat.com/archives/libvir-list/2009-January/msg00726.html
- http://www.securityfocus.com/bid/33724
- https://www.redhat.com/archives/libvir-list/2009-January/msg00699.html
- https://bugzilla.redhat.com/show_bug.cgi?id=484947
- http://www.redhat.com/support/errata/RHSA-2009-0382.html
- http://secunia.com/advisories/34397
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10127
- http://git.et.redhat.com/?p=libvirt.git%3Ba=commitdiff%3Bh=2bb0657e28