SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com






Category:   OS (Linux)  >   Linux Kernel Vendors:   kernel.org
Linux Kernel Datagram Serialization Error May Let Local Users Gain Elevated Privileges
SecurityTracker Alert ID:  1012363
SecurityTracker URL:  http://securitytracker.com/id/1012363
CVE Reference:   CAN-2004-1068   (Links to External Site)
Date:  Nov 30 2004
Impact:   Modification of system information, Root access via local system, User access via local system
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): prior to 2.4.28
Description:   A vulnerability was reported in the Linux kernel in the serialization of datagrams. A local user may be able to gain elevated privileges.

It is reported that the kernel does not properly serialize received datagrams. Paul Starzetz reports that a local user can exploit this flaw modify kernel space memory and potentially obtain elevated privileges.

Impact:   A local user may be able to obtain elevated privileges.
Solution:   A fix is available in 2.4.28 and via BitKeeper at:

http://linux.bkbits.net:8080/linux-2.4/cset@4199284dnTPrPLR-yhP_rOBHXJlltA

Vendor URL:  kernel.org/ (Links to External Site)
Cause:   Access control error

Message History:   None.


 Source Message Contents

Subject:  [Full-Disclosure] Addendum, recent Linux <= 2.4.27 vulnerabilities


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Hi,

while looking at the changelog for 2.4.28, I've found, that a bug I 
independently came over some days ago has been fixed in that release:

David S. Miller:
  o [AF_UNIX]: Serialize dgram read using semaphore just like stream

That fixes missing serialization in unix_dgram_recvmsg().

I was slightly suprised reading the 2.4.27 code and I strongly believe 
that the flaw is fully exploitable to gain elevated privileges. 

There is a subtle race condition finally permitting a non-root user to 
increment (up to 256 times) any arbitrary location(s) in kernel space.

The condition is not easy to exploit since an attacker must trick 
kmalloc() to sleep on allocation of a special chunk of memory and then 
convince the scheduler to execute another thread. But it is feasible.

Conclusion: update as quick as possible to 2.4.28.

- -- 
Paul Starzetz
iSEC Security Research
http://isec.pl/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFBnkjiC+8U3Z5wpu4RAiCJAKCpqAD3jD/Ih6CSVxOUW0wnkXVY8QCgs584
x03r/RbphAViQPJrM8Fqj28=
=Adi4
-----END PGP SIGNATURE-----


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

Copyright 2017, SecurityGlobal.net LLC