CVE-2004-2013

Vulnerability

An integer overflow vulnerability exists in the SCTP_SOCKOPT_DEBUG_NAME socket option within socket.c of the Linux kernel versions 2.4.23-pre5 up to and including 2.4.25. By passing an optlen value of -1, a local user can cause kmalloc to allocate 0 bytes of memory, leading to a heap-based buffer overflow [1].

Exploitation

An attacker must have local access to the system and the ability to invoke the vulnerable SCTP socket option. The exploit involves sending a specially crafted socket option call with an optlen argument of -1. This triggers the integer overflow, resulting in allocation of zero bytes and subsequent memory corruption [1].

Impact

Successful exploitation allows a local user to overwrite kernel memory, potentially leading to arbitrary code execution with elevated privileges (local root). The attacker can gain full control of the affected system [1].

Mitigation

The vulnerability is fixed in Linux kernel versions after 2.4.25. Users of Trustix Secure Linux 2.0, 2.1, and Trustix Secure Enterprise Linux 2 should apply the kernel update provided in advisory TSLSA-2004-0029 [1]. Distributions beyond Trustix also issued patches shortly after disclosure. No workaround exists other than upgrading the kernel.