Security News > 2010 > August > Root privileges through Linux kernel bug - Update
http://www.h-online.com/open/news/item/Root-privileges-through-Linux-kernel-bug-Update-1061563.html The H Open Source 18 August 2010 According to a report (PDF) written by Rafal Wojtczuk, a conceptual problem in the memory management area of Linux allows local attackers to execute code at root level. The Linux issue is caused by potential overlaps between the memory areas of the stack and shared memory segments. As a potential attack scenario, Wojtczuk describes the X Server, where the distance between the boundaries of the heap and stack can be made very small by filling the memory with data such as pixmaps. A subsequent request for a shared memory segment by the attacker will result in the segment being added to the end of the heap. If the attacker then manages to make the X Server call a recursive function, the stack will grow into the shared memory segment. By writing into the requested shared memory at the same moment, the attacker will also make changes to the content of the stack, for example, to return addresses. This allows code to be executed at root privilege level. Developer Brad Spengler, who works for grsecurity, has released an exploit which demonstrates a problem â although it only causes the X Server to crash. Security expert Joanna Rutkowska says that the vulnerability has been present in the kernel for years, probably since the release of version 2.6 in December 2003. To solve the problem, Wojtczuk's paper suggests the introduction of a guaranteed minimum of one memory page (guard page) between the stack and other memory areas. This function has already been implemented in kernel versions 2.6.32.19, 2.6.34.4 and 2.6.35.2, but without the problem being explicitly pointed out. In addition, processes whose stack touches the boundaries of other memory areas are now terminated via SIGBUS. Another update is being prepared for inclusion in 2.6.27.52. User who don't run the kernel released by kernel.org should wait for their Linux distributors to provide an update for their specific distribution. Red Hat has already responded by releasing a dedicated bug report. The vulnerability can be exploited in all older versions if an X Server is running on the system. To compromise a system remotely, an attacker would first have to exploit another hole to inject code and execute it on the system. As a second step, the attacker would then use the procedure described above to obtain root privileges. Kernel developer Greg Kroah-Hartman has sent a clear message to the Linux community: "All users [of the affected kernel series] must upgrade". [...]
News URL
http://www.h-online.com/open/news/item/Root-privileges-through-Linux-kernel-bug-Update-1061563.html