Linux Kernel Datagram Serialization Error May Let Local Users Gain Elevated Privileges
SecurityTracker Alert ID: 1012363|
SecurityTracker URL: http://securitytracker.com/id/1012363
(Links to External Site)
Date: Nov 30 2004
Modification of system information, Root access via local system, User access via local system|
Fix Available: Yes Vendor Confirmed: Yes |
Version(s): prior to 2.4.28|
A vulnerability was reported in the Linux kernel in the serialization of datagrams. A local user may be able to gain elevated privileges.|
It is reported that the kernel does not properly serialize received datagrams. Paul Starzetz reports that a local user can exploit this flaw modify kernel space memory and potentially obtain elevated privileges.
A local user may be able to obtain elevated privileges.|
A fix is available in 2.4.28 and via BitKeeper at:|
Vendor URL: kernel.org/ (Links to External Site)
Access control error|
Source Message Contents
Subject: [Full-Disclosure] Addendum, recent Linux <= 2.4.27 vulnerabilities|
-----BEGIN PGP SIGNED MESSAGE-----
while looking at the changelog for 2.4.28, I've found, that a bug I
independently came over some days ago has been fixed in that release:
David S. Miller:
o [AF_UNIX]: Serialize dgram read using semaphore just like stream
That fixes missing serialization in unix_dgram_recvmsg().
I was slightly suprised reading the 2.4.27 code and I strongly believe
that the flaw is fully exploitable to gain elevated privileges.
There is a subtle race condition finally permitting a non-root user to
increment (up to 256 times) any arbitrary location(s) in kernel space.
The condition is not easy to exploit since an attacker must trick
kmalloc() to sleep on allocation of a special chunk of memory and then
convince the scheduler to execute another thread. But it is feasible.
Conclusion: update as quick as possible to 2.4.28.
iSEC Security Research
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
-----END PGP SIGNATURE-----
Full-Disclosure - We believe in it.