SecurityTracker.com Archives - Linux Kernel Datagram Serialization Error May Let Local Users Gain Elevated Privileges

	Keep Track of the Latest Vulnerabilities with SecurityTracker!

SecurityTracker
Archives

Sign Up

Instant Alerts

Buy our Premium Vulnerability Notification Service to receive customized, instant alerts

Affiliates

Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!

Partners

Become a Partner and License Our Database or Notification Service

Report a Bug

Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com

Category: OS (Linux) > Linux Kernel

Vendors: kernel.org

Linux Kernel Datagram Serialization Error May Let Local Users Gain Elevated Privileges

SecurityTracker Alert ID: 1012363

SecurityTracker URL: http://securitytracker.com/id?1012363

CVE Reference: CAN-2004-1068 (Links to External Site)

Date: Nov 30 2004

Impact: Modification of system information, Root access via local system, User access via local system

Fix Available: Yes Vendor Confirmed: Yes

Version(s): prior to 2.4.28

Description: A vulnerability was reported in the Linux kernel in the serialization of datagrams. A local user may be able to gain elevated privileges.

It is reported that the kernel does not properly serialize received datagrams. Paul Starzetz reports that a local user can exploit this flaw modify kernel space memory and potentially obtain elevated privileges.

Impact: A local user may be able to obtain elevated privileges.

Solution: A fix is available in 2.4.28 and via BitKeeper at:

http://linux.bkbits.net:8080/linux-2.4/cset@4199284dnTPrPLR-yhP_rOBHXJlltA

Vendor URL: kernel.org/ (Links to External Site)

Cause: Access control error

Underlying OS: Linux (Caldera/SCO), Linux (Conectiva), Linux (Debian), Linux (EnGarde), Linux (Gentoo), Linux (HP Secure OS), Linux (Immunix), Linux (Mandrake), Linux (Progeny Debian), Linux (Red Hat Enterprise), Linux (Red Hat Fedora), Linux (Red Hat Linux), Linux (SGI), Linux (Slackware), Linux (Sun), Linux (SuSE), Linux (Trustix), Linux (Turbo Linux), Linux (Xandros)

Reported By: Paul Starzetz <ihaquer@isec.pl>

Message History: None.

Source Message Contents

Date: Fri, 19 Nov 2004 20:26:21 +0100 (CET)
From: Paul Starzetz <ihaquer@isec.pl>
Subject: [Full-Disclosure] Addendum, recent Linux <= 2.4.27 vulnerabilities

 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Hi,

while looking at the changelog for 2.4.28, I've found, that a bug I 
independently came over some days ago has been fixed in that release:

David S. Miller:
  o [AF_UNIX]: Serialize dgram read using semaphore just like stream

That fixes missing serialization in unix_dgram_recvmsg().

I was slightly suprised reading the 2.4.27 code and I strongly believe 
that the flaw is fully exploitable to gain elevated privileges. 

There is a subtle race condition finally permitting a non-root user to 
increment (up to 256 times) any arbitrary location(s) in kernel space.

The condition is not easy to exploit since an attacker must trick 
kmalloc() to sleep on allocation of a special chunk of memory and then 
convince the scheduler to execute another thread. But it is feasible.

Conclusion: update as quick as possible to 2.4.28.

- -- 
Paul Starzetz
iSEC Security Research
http://isec.pl/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFBnkjiC+8U3Z5wpu4RAiCJAKCpqAD3jD/Ih6CSVxOUW0wnkXVY8QCgs584
x03r/RbphAViQPJrM8Fqj28=
=Adi4
-----END PGP SIGNATURE-----


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Go to the Top of This SecurityTracker Archive Page

Home | View Topics | Search | Contact Us | Help
Copyright 2004, SecurityGlobal.net LLC