SecurityTracker.com Archives - (SmoothWall Issues Fix) Linux Kernel do_mremap() Fails to Check do_munmap() Return Values, Allowing a Local User to Gain Root Privileges

	Keep Track of the Latest Vulnerabilities with SecurityTracker!

SecurityTracker
Archives

Sign Up

Instant Alerts

Buy our Premium Vulnerability Notification Service to receive customized, instant alerts

Affiliates

Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!

Partners

Become a Partner and License Our Database or Notification Service

Report a Bug

Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com

Category: Device (Firewall) > SmoothWall

Vendors: SmoothWall Team

(SmoothWall Issues Fix) Linux Kernel do_mremap() Fails to Check do_munmap() Return Values, Allowing a Local User to Gain Root Privileges

SecurityTracker Alert ID: 1009309

CVE Reference: CAN-2004-0077 (Links to External Site)

Date: Mar 3 2004

Impact: Execution of arbitrary code via local system, Root access via local system

Fix Available: Yes Vendor Confirmed: Yes

Version(s): Prior to SmoothWall Corporate Server 3.0 fixes 8, SmoothWall Corporate Guardian 3.0 fixes 3

Description: Another vulnerability was reported in the Linux kernel do_mremap() function. A local user can execute arbitrary code with root privileges.

Paul Starzetz discovered and reported that there is a missing return value check within the mremap(2) system call.

When resizing or moving virtual memory areas, the function reportedly does not test the return value of the do_munmap() function. Cases where the function fails (for example, due to the number of virtual memory areas being exceeded by the calling process) will not be properly detected, according to the report. As a result, the kernel may move memory belonging to one process into memory space that is allocated to another process.

Some other calls to the do_munmap() function are also not checked, the report said.

A local user can gain root privileges on the target system.

The original advisory is available at:

http://isec.pl/vulnerabilities/isec-0014-mremap-unmap.txt

Impact: A local user can gain root privileges on the target system.

Solution: SmoothWall has issued the following fixes:

SmoothWall Corporate Server 3.0 fixes 8:

http://smoothwall.net/u/corpserv/3.0/fixes8.html

SmoothWall Corporate Guardian 3.0 fixes 3

http://smoothwall.net/u/corpguardian/3.0/fixes3.html

Vendor URL: www.smoothwall.net/support/advisories/SWL-2004.002.html (Links to External Site)

Cause: Boundary error

Reported By: William Anderson <neuro@smoothwall.org>

Message History: This archive entry is a follow-up to the message listed below.

Feb 18 2004

Linux Kernel do_mremap() Fails to Check do_munmap() Return Values, Allowing a Local User to Gain Root Privileges

Source Message Contents

Date: Wed, 03 Mar 2004 15:33:18 +0000
From: William Anderson <neuro@smoothwall.org>
Subject: [Full-Disclosure] SmoothWall Limited Product Advisory SWL-2004:002

 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------
~ SmoothWall Limited Product Advisory SWL-2004:002
- -------------------------------------------------------------

~    Summary: Updates for SmoothWall Corporate Server and
~             Corporate Guardian to correct local
~             vulnerabilities in Linux kernel.
~ Importance: Severe
~      Issue: Possible local vulnerabilities
~  CVE Names: CAN-2004-0077
~   Released: 2004-03-03
SW-specific: no

Affected Products:

~  SmoothWall Corporate Server 3.0 (fixes7)
~  SmoothWall Corporate Guardian 3.0 (fixes2)

The products shown must be updated to the fix level as
shown above before applying any updates mentioned in this
advisory.

- -------------------------------------------------------------
~ Description
- -------------------------------------------------------------

Critical security vulnerabilities have been found in the
Linux kernel in the following areas:

- - Locally exploitable vulnerabilities in memory management
~  code (mremap system calls)

These vulnerabilities can result in privilege escalation or
unwanted availability of sensitive information.

- -------------------------------------------------------------
~ Corrective Actions
- -------------------------------------------------------------

You should download and install the required update for
your product(s).  The updates can be downloaded from the
web links below, along with installation instructions and
any further caveats or updates.

SmoothWall Corporate Server 3.0 fixes 8
- - http://smoothwall.net/u/corpserv/3.0/fixes8.html
SmoothWall Corporate Server 3.0 fixes 3
- - http://smoothwall.net/u/corpserv/3.0/fixes3.html

- -------------------------------------------------------------
~ Further Information
- -------------------------------------------------------------

CVE Candidate CAN-2004-0077
- - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0077
Linux kernel do_mremap VMA limit local privilege escalation
- - http://www.isec.pl/vulnerabilities/isec-0014-mremap-unmap.txt
Linux Kernel 2.4.25 Changelog
- - http://kernel.org/pub/linux/kernel/v2.4/ChangeLog-2.4.25

____ smoothwall - delivering versatile, affordable security _

- --
_ __/|  William Anderson            | Martin: Alright, I'll give it a shot.
\`O_o'  neuro at smoothwall dot org | Oatman: No, no, don't give it a shot!
=(_ _)= http://smoothwall.org/team/ |         Don't shoot anything!
~   U  - Thhbt! GPG 0x7C4D858F       |  -- Grosse Pointe Blank (1997)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFARfq++2Hw2nxNhY8RAlSGAJ4zRQHrC6TedQanIPGV33boqXEuzQCfXBJ1
c7+mKN5YbrOTjVDWeME67rk=
=YsGz
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Go to the Top of This SecurityTracker Archive Page

Home | View Topics | Search | Contact Us | Help
Copyright 2004, SecurityGlobal.net LLC