Slashdot Mirror

← Back to Stories (view on slashdot.org)

Local Privilege Escalation On All Linux Kernels

Posted by timothy on from the uriah-deems-it-scary dept.

QuesarVII writes "Tavis Ormandy and Julien Tinnes have discovered a severe security flaw in all 2.4 and 2.6 kernels since 2001 on all architectures. 'Since it leads to the kernel executing code at NULL, the vulnerability is as trivial as it can get to exploit: an attacker can just put code in the first page that will get executed with kernel privileges.'"

4 of 595 comments (clear)

  1. (from the blog) by An+anonymous+Frank · · Score: 5, Informative

    In the Linux kernel, each socket has an associated struct of operations
    called proto_ops which contain pointers to functions implementing various
    features, such as accept, bind, shutdown, and so on.
    If an operation on a particular socket is unimplemented, they are expected
    to point the associated function pointer to predefined stubs, for example if
    the "accept" operation is undefined it would point to sock_no_accept(). However,
    we have found that this is not always the case and some of these pointers are
    left uninitialized.
    This is not always a security issue, as the kernel validates the pointers at
    the call site, such as this example from sock_splice_read:
    [snip]
    But we have found an example where this is not the case; the sock_sendpage()
    routine does not validate the function pointer is valid before dereferencing
    it, and therefore relies on the correct initialization of the proto_ops
    structure.
    We have identified several examples where the initialization is incomplete:
    [snip]

  2. Re:Security through Obscurity? by amorsen · · Score: 5, Informative

    Generally people don't care about local privilege escalation on Windows. Like this vulnerability.

    --
    Finally! A year of moderation! Ready for 2019?
  3. It's from April? Really? by winkydink · · Score: 5, Informative

    Then why did Linus check in a patch today to fix it?

    http://archives.neohapsis.com/archives/fulldisclosure/2009-08/0174.html

    --

    "I'd rather be a lightning rod than a seismometer." -Ken Kesey

  4. Some distros less vulnerable by default by Bandman · · Score: 5, Informative

    From http://archives.neohapsis.com/archives/fulldisclosure/2009-08/0174.html:

    -------------------
    Mitigation
    -----------------------
    Recent kernels with mmap_min_addr support may prevent exploitation if
    the sysctl vm.mmap_min_addr is set above zero. However, administrators
    should be aware that LSM based mandatory access control systems, such
    as SELinux, may alter this functionality.
    It should also be noted that all kernels up to 2.6.30.2 are vulnerable to
    published attacks against mmap_min_addr.

    I have checked my default Ubuntu and CentOS/RHEL boxes, and both of them are set well above 0:

    root@Ubuntu:/proc/sys/vm# cat mmap_min_addr
    65536

    [root@CentOS /proc/sys/vm] cat mmap_min_addr
    65536

    [root@RHEL /proc/sys/vm] cat mmap_min_addr
    65536

    --
    Check out my sysadmin blog!