[ISN] Root privileges through Linux kernel bug - Update

From: InfoSec News <alerts_at_private>
Date: Fri, 20 Aug 2010 02:06:51 -0500 (CDT)
http://www.h-online.com/open/news/item/Root-privileges-through-Linux-kernel-bug-Update-1061563.html

The H Open Source
18 August 2010

According to a report (PDF) written by Rafal Wojtczuk, a conceptual 
problem in the memory management area of Linux allows local attackers to 
execute code at root level. The Linux issue is caused by potential 
overlaps between the memory areas of the stack and shared memory 
segments.

As a potential attack scenario, Wojtczuk describes the X Server, where 
the distance between the boundaries of the heap and stack can be made 
very small by filling the memory with data such as pixmaps. A subsequent 
request for a shared memory segment by the attacker will result in the 
segment being added to the end of the heap. If the attacker then manages 
to make the X Server call a recursive function, the stack will grow into 
the shared memory segment. By writing into the requested shared memory 
at the same moment, the attacker will also make changes to the content 
of the stack, for example, to return addresses. This allows code to be 
executed at root privilege level. Developer Brad Spengler, who works for 
grsecurity, has released an exploit which demonstrates a problem – 
although it only causes the X Server to crash.

Security expert Joanna Rutkowska says that the vulnerability has been 
present in the kernel for years, probably since the release of version 
2.6 in December 2003. To solve the problem, Wojtczuk's paper suggests 
the introduction of a guaranteed minimum of one memory page (guard page) 
between the stack and other memory areas. This function has already been 
implemented in kernel versions 2.6.32.19, 2.6.34.4 and 2.6.35.2, but 
without the problem being explicitly pointed out. In addition, processes 
whose stack touches the boundaries of other memory areas are now 
terminated via SIGBUS. Another update is being prepared for inclusion in 
2.6.27.52. Users who don't run the kernel released by kernel.org should 
wait for their Linux distributors to provide an update for their 
specific distribution. Red Hat has already responded by releasing a 
dedicated bug report.
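As an added illustration (not part of the H article, Wojtczuk's paper or the kernel fix): a small C diagnostic that parses /proc/<pid>/maps lines and reports how many pages separate the [stack] mapping from the nearest mapping below it. That distance is what the scenario above drives to zero and what the guard page keeps at one or more; the sample mappings, addresses and the /SYSV segment name are constructed for the example.

```c
/* Added example: scan /proc/<pid>/maps lines and report how many pages
 * separate the [stack] mapping from the nearest mapping below it.
 * 0 means the stack abuts another mapping (the layout the attack needs);
 * the kernel fix guarantees at least one guard page between them. */
#include <stdio.h>
#include <string.h>

#define PAGE_SIZE 4096ULL
#define NLINES(a) (sizeof(a) / sizeof((a)[0]))

/* Constructed sample: a SysV shared memory segment mapped directly below the stack. */
const char *maps_adjacent[] = {
    "00400000-00452000 r-xp 00000000 08:01 1234 /usr/bin/Xorg",
    "7ffffffdd000-7ffffffde000 rw-s 00000000 00:04 98305 /SYSV0000abcd (deleted)",
    "7ffffffde000-7ffffffff000 rw-p 00000000 00:00 0 [stack]",
    "ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]",
};

/* Constructed sample: same segment, but one unmapped page separates it from the stack. */
const char *maps_guarded[] = {
    "00400000-00452000 r-xp 00000000 08:01 1234 /usr/bin/Xorg",
    "7ffffffdc000-7ffffffdd000 rw-s 00000000 00:04 98305 /SYSV0000abcd (deleted)",
    "7ffffffde000-7ffffffff000 rw-p 00000000 00:00 0 [stack]",
    "ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]",
};

/* Returns the number of whole pages between the end of the highest mapping
 * below the stack and the start of the [stack] mapping, or -1 if no stack
 * mapping is present. Lines not starting with "start-end" are skipped;
 * mappings above the stack (e.g. [vsyscall]) are ignored. */
long stack_gap_pages(const char *const lines[], size_t n)
{
    unsigned long long stack_start = 0, below_end = 0, s, e;
    int have_stack = 0;
    for (size_t i = 0; i < n; i++)
        if (sscanf(lines[i], "%llx-%llx", &s, &e) == 2 && strstr(lines[i], "[stack]")) {
            stack_start = s;
            have_stack = 1;
        }
    if (!have_stack)
        return -1;
    for (size_t i = 0; i < n; i++)
        if (sscanf(lines[i], "%llx-%llx", &s, &e) == 2 && e <= stack_start && e > below_end)
            below_end = e;
    return (long)((stack_start - below_end) / PAGE_SIZE);
}

int main(void)
{
    printf("adjacent layout: %ld page(s) below stack\n", stack_gap_pages(maps_adjacent, NLINES(maps_adjacent)));
    printf("guarded layout:  %ld page(s) below stack\n", stack_gap_pages(maps_guarded, NLINES(maps_guarded)));
    return 0;
}
```

On a live system the same function can be fed the lines of /proc/<pid>/maps for a long-running process such as the X Server to see whether any mapping sits directly beneath its stack.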

The vulnerability can be exploited in all older versions if an X Server 
is running on the system. To compromise a system remotely, an attacker 
would first have to exploit another hole to inject code and execute it 
on the system. As a second step, the attacker would then use the 
procedure described above to obtain root privileges. Kernel developer 
Greg Kroah-Hartman has sent a clear message to the Linux community: "All 
users [of the affected kernel series] must upgrade".

[...]


Received on Fri Aug 20 2010 - 00:06:51 PDT
