Saturday, January 08, 2005

Fault in Linux Kernel 2.4 => 2.4.29-rc2, 2.6 => 2.6.10

According to Paul Starzetz, there is a nasty privilege escalation bug in the Linux kernel that lets unprivileged local users gain elevated (root!) privileges.

Quoted from the article:

Locally exploitable flaws have been found in the Linux binary format loaders' uselib() functions that allow local users to gain root privileges.

Eeek

Paul further describes the level of this vulnerability:

We have found at least three different ways to exploit this vulnerability. The race condition can be easily won by consuming a big amount of memory. The code attached uses a similar technique like the do_brk exploit and uses a LDT call gate to gain CPL0 privileges. However another exploitation vectors exist: through page reference counters and 'ghost PTEs'.

Paul was kind enough to provide an exploit as well, which is available on the same page.

Time to tighten up the user environment on your Linux box, but remember you can take it easy if you trust your internal users. :-)

UPDATE: 2.6.10-ac has been patched. 2.4.29 to be fixed shortly.

The Linux community just rocks!


Nitin


