(Debian Issues Fix) Linux 2.4 Kernel do_brk() Input Validation Flaw Lets Local Users Grab Root Privileges
|
|
SecurityTracker Alert ID: 1008345 |
|
SecurityTracker URL: http://securitytracker.com/id/1008345
|
|
CVE Reference:
CAN-2003-0961
(Links to External Site)
|
Updated: Dec 3 2003
|
Original Entry Date: Dec 1 2003
|
Impact:
Execution of arbitrary code via local system, Root access via local system
|
Fix Available: Yes Vendor Confirmed: Yes
|
Version(s): Debian 3.0
|
Description:
An input validation vulnerability was reported in the Linux 2.4 kernel. A local user can gain root level privileges.
It is reported that the do_brk() function does not perform proper bounds checking. A local user can run a userland application to cause the kernel to grant the local user access to the full kernel address space. The userland application can create an arbitrary and large virtual memory area, exceeding user accessible memory limits (TASK_SIZE).
Red Hat reports that an exploit for this flaw has been found in the wild.
|
Impact:
A local user can gain root privileges.
|
Solution:
Debian has issued a fix in version 2.4.18-12 of the kernel source packages, version 2.4.18-14 of the i386 kernel images, and version 2.4.18-11 of the alpha kernel images.
Debian 3.0 (stable):
Source archives:
http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-1-i386/kernel-image-2.4.18-1-i386_2.4.18-12.tar.gz
Size/MD5 checksum: 69746 a4b642e03732748d6820524746ba2265
http://security.debian.org/pool/updates/main/k/kernel-source-2.4.18/kernel-source-2.4.18_2.4.18.orig.tar.gz
Size/MD5 checksum: 29818323 24b4c45a04a23eb4ce465eb326a6ddf2
http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-1-alpha/kernel-image-2.4.18-1-alpha_2.4.18-11.dsc
Size/MD5 checksum: 874 6fe1a9a759850570f1609b77502c13bc
http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-1-alpha/kernel-image-2.4.18-1-alpha_2.4.18-11.tar.gz
Size/MD5 checksum: 24210 11373e2cf7e659f5a69c33f3f143fcaf
http://security.debian.org/pool/updates/main/k/kernel-source-2.4.18/kernel-source-2.4.18_2.4.18-14.dsc
Size/MD5 checksum: 798 14840782d3ae928fd453a7dba225bb7f
http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-1-i386/kernel-image-2.4.18-1-i386_2.4.18-12.dsc
Size/MD5 checksum: 1325 a77acb0743f3d3a16c00fa1cd4520e89
http://security.debian.org/pool/updates/main/k/kernel-source-2.4.18/kernel-source-2.4.18_2.4.18-14.diff.gz
Size/MD5 checksum: 66878 916d16dd46c59dd4314c45e48f33f043
Architecture independent packages:
http://security.debian.org/pool/updates/main/k/kernel-source-2.4.18/kernel-doc-2.4.18_2.4.18-14_all.deb
Size/MD5 checksum: 1710438 5e6cb496150391a93558652c97fb214b
http://security.debian.org/pool/updates/main/k/kernel-source-2.4.18/kernel-source-2.4.18_2.4.18-14_all.deb
Size/MD5 checksum: 23903282 9d5cb5159bf76451dd32e75467ca6240
alpha architecture (DEC Alpha)
http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-1-alpha/kernel-headers-2.4.18-1-smp_2.4.18-11_alpha.deb
Size/MD5 checksum: 3514858 ec88046377537587469e5527f3633c65
http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-1-alpha/kernel-headers-2.4.18-1_2.4.18-11_alpha.deb
Size/MD5 checksum: 3362836 f91eb5ef18c3413ae200c5b1679264cc
http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-1-alpha/kernel-headers-2.4.18-1-generic_2.4.18-11_alpha.deb
Size/MD5 checksum: 3512244 a46de1359655b3a05c99cd8211edd41f
http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-1-alpha/kernel-image-2.4.18-1-smp_2.4.18-11_alpha.deb
Size/MD5 checksum: 12799424 966ecceeb16c5bf87cc31b9178d6add9
http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-1-alpha/kernel-image-2.4.18-1-generic_2.4.18-11_alpha.deb
Size/MD5 checksum: 12425696 27b4defd9326ed5bac3a765977437354
i386 architecture (Intel ia32)
http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-1-i386/kernel-image-2.4.18-1-k7_2.4.18-12_i386.deb
Size/MD5 checksum: 8863312 17a9c0323f06ed3eda1d17bdaf443d50
http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-1-i386/kernel-pcmcia-modules-2.4.18-1-k7_2.4.18-12_i386.deb
Size/MD5 checksum: 230194 9e347c03ffaf24762ec8ad86f3c3c482
http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-1-i386/kernel-image-2.4.18-1-386_2.4.18-12_i386.deb
Size/MD5 checksum: 8797832 00ab7c9bf64614112684e60595e1fe30
http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-1-i386/kernel-pcmcia-modules-2.4.18-1-686-smp_2.4.18-12_i386.deb
Size/MD5 checksum: 230960 8ba2a811fb753a4b5083254c5ab402c2
http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-1-i386/kernel-pcmcia-modules-2.4.18-1-686_2.4.18-12_i386.deb
Size/MD5 checksum: 227302 63e4524d17cb0dcf34774637293d2700
http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-1-i386/kernel-headers-2.4.18-1-586tsc_2.4.18-12_i386.deb
Size/MD5 checksum: 3525452 7f0208aa3bc2e9974590839d141c4ca3
http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-1-i386/kernel-headers-2.4.18-1-686-smp_2.4.18-12_i386.deb
Size/MD5 checksum: 3527346 6b321ce7efdc5d1f641ca4e14db1807e
http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-1-i386/kernel-pcmcia-modules-2.4.18-1-386_2.4.18-12_i386.deb
Size/MD5 checksum: 228266 e05c768db8f79e76db1dbf39200075cc
http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-1-i386/kernel-pcmcia-modules-2.4.18-1-586tsc_2.4.18-12_i386.deb
Size/MD5 checksum: 227834 3799038b55f03ea7fcacef73e50a7b02
http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-1-i386/kernel-image-2.4.18-1-586tsc_2.4.18-12_i386.deb
Size/MD5 checksum: 8704448 f8531f0d6173228a2f952e4ca80ee618
http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-1-i386/kernel-headers-2.4.18-1-386_2.4.18-12_i386.deb
Size/MD5 checksum: 3524656 c40e3230e071e5917f3c82ef8d8a3b79
http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-1-i386/kernel-image-2.4.18-1-k6_2.4.18-12_i386.deb
Size/MD5 checksum: 8661138 121c4860a88e6e0ef84941b044e655ee
http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-1-i386/kernel-pcmcia-modules-2.4.18-1-k6_2.4.18-12_i386.deb
Size/MD5 checksum: 226934 f29016331da939466d99fde7e6dbf0c4
http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-1-i386/kernel-headers-2.4.18-1_2.4.18-12_i386.deb
Size/MD5 checksum: 3431968 37d14ba3820e331c7701c6dbc65440c7
http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-1-i386/kernel-headers-2.4.18-1-686_2.4.18-12_i386.deb
Size/MD5 checksum: 3525938 0b4f3c22d96777bd95673e8c6ceb45a9
http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-1-i386/kernel-headers-2.4.18-1-k7_2.4.18-12_i386.deb
Size/MD5 checksum: 3525194 89b06e76e46487a2708317a7d2643519
http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-1-i386/kernel-image-2.4.18-1-686-smp_2.4.18-12_i386.deb
Size/MD5 checksum: 8960026 e01cd0b938c75a247cc111855632934c
http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-1-i386/kernel-headers-2.4.18-1-k6_2.4.18-12_i386.deb
Size/MD5 checksum: 3524794 43c7a34c6428e7d79fb660b4a434aaae
http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-1-i386/kernel-image-2.4.18-1-686_2.4.18-12_i386.deb
Size/MD5 checksum: 8703034 a6d0829412575a9f7e6c227c5275a47b
|
Vendor URL: www.kernel.org/ (Links to External Site)
|
Cause:
Input validation error
|
Underlying OS:
|
|
Message History:
This archive entry is a follow-up to the message listed below.
|
Source Message Contents
|
Date: Mon, 1 Dec 2003 21:17:12 +0100
Subject: [Full-Disclosure] [SECURITY] [DSA-403-1] userland can access Linux kernel memory
|
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- ------------------------------------------------------------------------
Debian Security Advisory DSA-403-1 security@debian.org
http://www.debian.org/security/ Wichert Akkerman
December 1, 2003
- ------------------------------------------------------------------------
Package : kernel-image-2.4.18-1-alpha, kernel-image-2.4.18-1-i386, kernel-source-2.4.18
Vulnerability : userland can access full kernel memory
Problem type : local
Debian-specific: no
CVE Id(s) : CAN-2003-0961
Recently multiple servers of the Debian project were compromised using a
Debian developers account and an unknown root exploit. Forensics
revealed a burneye encrypted exploit. Robert van der Meulen managed to
decrypt the binary which revealed a kernel exploit. Study of the exploit
by the RedHat and SuSE kernel and security teams quickly revealed that
the exploit used an integer overflow in the brk system call. Using
this bug it is possible for a userland program to trick the kernel into
giving access to the full kernel address space. This problem was found
in September by Andrew Morton, but unfortunately that was too late for
the 2.4.22 kernel release.
This bug has been fixed in kernel version 2.4.23 for the 2.4 tree and
2.6.0-test6 kernel tree. For Debian it has been fixed in version
2.4.18-12 of the kernel source packages, version 2.4.18-14 of the i386
kernel images and version 2.4.18-11 of the alpha kernel images.
Upgrade instructions
- --------------------
wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given below:
apt-get update
will update the internal database
apt-get upgrade
will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian 3.0 (stable)
- -------------------
Source archives:
http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-1-i386/kernel-image-2.4.18-1-i386_2.4.18-12.tar.gz
Size/MD5 checksum: 69746 a4b642e03732748d6820524746ba2265
http://security.debian.org/pool/updates/main/k/kernel-source-2.4.18/kernel-source-2.4.18_2.4.18.orig.tar.gz
Size/MD5 checksum: 29818323 24b4c45a04a23eb4ce465eb326a6ddf2
http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-1-alpha/kernel-image-2.4.18-1-alpha_2.4.18-11.dsc
Size/MD5 checksum: 874 6fe1a9a759850570f1609b77502c13bc
http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-1-alpha/kernel-image-2.4.18-1-alpha_2.4.18-11.tar.gz
Size/MD5 checksum: 24210 11373e2cf7e659f5a69c33f3f143fcaf
http://security.debian.org/pool/updates/main/k/kernel-source-2.4.18/kernel-source-2.4.18_2.4.18-14.dsc
Size/MD5 checksum: 798 14840782d3ae928fd453a7dba225bb7f
http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-1-i386/kernel-image-2.4.18-1-i386_2.4.18-12.dsc
Size/MD5 checksum: 1325 a77acb0743f3d3a16c00fa1cd4520e89
http://security.debian.org/pool/updates/main/k/kernel-source-2.4.18/kernel-source-2.4.18_2.4.18-14.diff.gz
Size/MD5 checksum: 66878 916d16dd46c59dd4314c45e48f33f043
Architecture independent packages:
http://security.debian.org/pool/updates/main/k/kernel-source-2.4.18/kernel-doc-2.4.18_2.4.18-14_all.deb
Size/MD5 checksum: 1710438 5e6cb496150391a93558652c97fb214b
http://security.debian.org/pool/updates/main/k/kernel-source-2.4.18/kernel-source-2.4.18_2.4.18-14_all.deb
Size/MD5 checksum: 23903282 9d5cb5159bf76451dd32e75467ca6240
alpha architecture (DEC Alpha)
http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-1-alpha/kernel-headers-2.4.18-1-smp_2.4.18-11_alpha.deb
Size/MD5 checksum: 3514858 ec88046377537587469e5527f3633c65
http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-1-alpha/kernel-headers-2.4.18-1_2.4.18-11_alpha.deb
Size/MD5 checksum: 3362836 f91eb5ef18c3413ae200c5b1679264cc
http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-1-alpha/kernel-headers-2.4.18-1-generic_2.4.18-11_alpha.deb
Size/MD5 checksum: 3512244 a46de1359655b3a05c99cd8211edd41f
http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-1-alpha/kernel-image-2.4.18-1-smp_2.4.18-11_alpha.deb
Size/MD5 checksum: 12799424 966ecceeb16c5bf87cc31b9178d6add9
http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-1-alpha/kernel-image-2.4.18-1-generic_2.4.18-11_alpha.deb
Size/MD5 checksum: 12425696 27b4defd9326ed5bac3a765977437354
i386 architecture (Intel ia32)
http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-1-i386/kernel-image-2.4.18-1-k7_2.4.18-12_i386.deb
Size/MD5 checksum: 8863312 17a9c0323f06ed3eda1d17bdaf443d50
http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-1-i386/kernel-pcmcia-modules-2.4.18-1-k7_2.4.18-12_i386.deb
Size/MD5 checksum: 230194 9e347c03ffaf24762ec8ad86f3c3c482
http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-1-i386/kernel-image-2.4.18-1-386_2.4.18-12_i386.deb
Size/MD5 checksum: 8797832 00ab7c9bf64614112684e60595e1fe30
http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-1-i386/kernel-pcmcia-modules-2.4.18-1-686-smp_2.4.18-12_i386.deb
Size/MD5 checksum: 230960 8ba2a811fb753a4b5083254c5ab402c2
http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-1-i386/kernel-pcmcia-modules-2.4.18-1-686_2.4.18-12_i386.deb
Size/MD5 checksum: 227302 63e4524d17cb0dcf34774637293d2700
http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-1-i386/kernel-headers-2.4.18-1-586tsc_2.4.18-12_i386.deb
Size/MD5 checksum: 3525452 7f0208aa3bc2e9974590839d141c4ca3
http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-1-i386/kernel-headers-2.4.18-1-686-smp_2.4.18-12_i386.deb
Size/MD5 checksum: 3527346 6b321ce7efdc5d1f641ca4e14db1807e
http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-1-i386/kernel-pcmcia-modules-2.4.18-1-386_2.4.18-12_i386.deb
Size/MD5 checksum: 228266 e05c768db8f79e76db1dbf39200075cc
http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-1-i386/kernel-pcmcia-modules-2.4.18-1-586tsc_2.4.18-12_i386.deb
Size/MD5 checksum: 227834 3799038b55f03ea7fcacef73e50a7b02
http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-1-i386/kernel-image-2.4.18-1-586tsc_2.4.18-12_i386.deb
Size/MD5 checksum: 8704448 f8531f0d6173228a2f952e4ca80ee618
http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-1-i386/kernel-headers-2.4.18-1-386_2.4.18-12_i386.deb
Size/MD5 checksum: 3524656 c40e3230e071e5917f3c82ef8d8a3b79
http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-1-i386/kernel-image-2.4.18-1-k6_2.4.18-12_i386.deb
Size/MD5 checksum: 8661138 121c4860a88e6e0ef84941b044e655ee
http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-1-i386/kernel-pcmcia-modules-2.4.18-1-k6_2.4.18-12_i386.deb
Size/MD5 checksum: 226934 f29016331da939466d99fde7e6dbf0c4
http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-1-i386/kernel-headers-2.4.18-1_2.4.18-12_i386.deb
Size/MD5 checksum: 3431968 37d14ba3820e331c7701c6dbc65440c7
http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-1-i386/kernel-headers-2.4.18-1-686_2.4.18-12_i386.deb
Size/MD5 checksum: 3525938 0b4f3c22d96777bd95673e8c6ceb45a9
http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-1-i386/kernel-headers-2.4.18-1-k7_2.4.18-12_i386.deb
Size/MD5 checksum: 3525194 89b06e76e46487a2708317a7d2643519
http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-1-i386/kernel-image-2.4.18-1-686-smp_2.4.18-12_i386.deb
Size/MD5 checksum: 8960026 e01cd0b938c75a247cc111855632934c
http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-1-i386/kernel-headers-2.4.18-1-k6_2.4.18-12_i386.deb
Size/MD5 checksum: 3524794 43c7a34c6428e7d79fb660b4a434aaae
http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-1-i386/kernel-image-2.4.18-1-686_2.4.18-12_i386.deb
Size/MD5 checksum: 8703034 a6d0829412575a9f7e6c227c5275a47b
- --
- ----------------------------------------------------------------------------
Debian Security team <team@security.debian.org>
http://www.debian.org/security/
Mailing-List: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)
iD8DBQE/y6HGPLiSUC+jvC0RAnd9AKCKvn969KiqvmErdGNv1iJSgzTVxwCbBkWB
IZdDr8fKKloX6PSe+tPOW68=
=nGzM
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
|
|
